Trying to get LAN access, can only ping myself

gderf

Obfuscating private IP addressees and particularly netmasks is pointless and makes helping difficult.

ace_ventura

Sorry, fixed.

johnpoz

So your using 192.168.2.0/24 as your tunnel network?  Thats prob not very good idea since thats a very common network.  What if your remove is on a 192.168.2.0/24 ?

what boxes would you ping pinging at 192.168.2.5? or 2.1?

So 10.0.0.0/24 is your pfsense lan network?  What OS are you running the client on?  If windows 7 for example you need to run the client as admin to get the pushed route.

ace_ventura

Yes I am using 192.168.2.0/24 as my tunnel network, we use the 172 network here at work and I use the 10 network at home.  Should I change my tunnel network to 10.0.1.0/24?

I thought I would try to ping 192.168.2.5 or 2.1 as a DGW since I received an IP of 192.168.2.6 but I knew it probably wouldn't work, just thought I would put that information out as well even if I didn't need to, more a quick here lets try this thought that went through my head.

Yes I use 10.0.0.0/24 as my pfsense lan network.

Client OS is Windows 8, Yes I have run the client as admin.

ace_ventura

anyone?

marvosa

Post client config, server settings, firewall rules from openvpn tab, routing table from PFsense and routing table from client when connected.

myke

Hi,
I've got the same issue , i just can ping my pfsense box but i cannot ping my Wifi Box.

I use remote access 1.0.3 SSL/TLS + User Auth

in my firewall's rules nothing is blocked.

my config is :
dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote myipaddress 1194
tls-remote Proxiel Server Cert
auth-user-pass
pkcs12 doberman-udp-1194.p12
tls-auth doberman-udp-1194-tls.key 1
comp-lzo

My lan on my pfsense box is 172.16 and openvpn give me 10.0.8.0

to the openvpn server i route the network 172.16.0.0

so i don't know where do i search…..

if you have any idea  ;)

Thanks.
Myke.

ace_ventura

@marvosa:

Post client config, server settings, firewall rules from openvpn tab, routing table from PFsense and routing table from client when connected.

Client Config:
dev tun
persist-tun
persist-key
proto udp
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote 173.16.39.88 1194
tls-remote vpnuser
auth-user-pass
pkcs12 pfsense-udp-1194.p12
tls-auth pfsense-udp-1194-tls.key 1
comp-lzo

Server Settings:
servermode: remote access (ssl/tls + user auth)
proto: udp
device mode: tun
interface: wan
localport: 1194

Peer CA: VPN Server CA
Peer Cert Rev: None Created
Server Cert: my user cert (CA:VPN Server CA) * In Use
DH Parameters Length 2048
Shared: Auto generate
Encryption Alg: AES-256-CBC
No hardware crypto
cert depth: one (client+server)

tunnel network: 192.168.2.0/24
bridge dhcp: checked
bridge interface: lan

local network: 10.0.0.0/24

conncurrent connections: 10
compression: checked

dynamic ip: checked
address pool: checked

advanced config:
push "route 10.0.0.0 255.255.255.0";

firewall rules openvpn tab:
Proto:* Source:* Port:* Destination:* Port:* GW:* Queue: none
action:pass
interface: openvpn

See attached for routing table from pfsense

Local Client Routes:

Interface List
19…00 ff d4 bb e6 c8 ......TAP-Win32 Adapter V9
12...00 0c 29 37 bc ee ......Intel(R) 82574L Gigabit Network Connection
  1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0    192.168.186.2  192.168.186.129    10
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      192.168.2.4  255.255.255.252        On-link      192.168.2.6    286
      192.168.2.6  255.255.255.255        On-link      192.168.2.6    286
      192.168.2.7  255.255.255.255        On-link      192.168.2.6    286
    192.168.186.0    255.255.255.0        On-link  192.168.186.129    266
  192.168.186.129  255.255.255.255        On-link  192.168.186.129    266
  192.168.186.255  255.255.255.255        On-link  192.168.186.129    266
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link      192.168.2.6    286
        224.0.0.0        240.0.0.0        On-link  192.168.186.129    266
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255        On-link      192.168.2.6    286
  255.255.255.255  255.255.255.255        On-link  192.168.186.129    266

Persistent Routes:
  None

IPv6 Route Table

Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
19    286 fe80::/64                On-link
12    266 fe80::/64                On-link
12    266 fe80::81b1:8393:5628:5a3c/128
                                    On-link
19    286 fe80::a472:6f0a:696a:46ff/128
                                    On-link
  1    306 ff00::/8                On-link
19    286 ff00::/8                On-link
12    266 ff00::/8                On-link

Persistent Routes:
  None

Hope this helps, let me know if I forgot something or if you need anything else.

Thanks!


johnpoz

Your running version 1.03 of pfsense? Or is that the version of the openvpn gui your running?

What client are you on?  Windows 7 unless you run openvpn as admin it won't create the route.

So I have been running pfsense since the 1.x version and development snapshots on 2 and 2.1 and have never had any issues with openvpn.

What remote network are you on?  So you run 172.16 /??  /16?? on your pfsense lan?  That could easy be in conflict with what your remote network is.

Please post your full server config, can be found in /var/etc/openvpn server.conf – there should be a .conf file there for your server settings.

Also post your route table from your client once you connect and what if any firewall rules do you have in place on pfsense?  What is in your openvpn tab?  Where does your wifi box sit? how is it connected to pfsense - you sure your ping is just blocked on host firewall your trying to ping?

ace_ventura

pfsense 2.0.1-release
client is windows 8 VM  I have run it as admin.  Here is its connection log:

I just realized you were replying to the other guy.

Wed Oct 03 12:31:46 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Oct 03 12:31:52 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Oct 03 12:31:52 2012 WARNING: Make sure you understand the semantics of –tls-remote before using it (see the man page).
Wed Oct 03 12:31:52 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Oct 03 12:31:52 2012 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key file
Wed Oct 03 12:31:52 2012 LZO compression initialized
Wed Oct 03 12:31:52 2012 UDPv4 link local (bound): [undef]:1194
Wed Oct 03 12:31:52 2012 UDPv4 link remote: 173.16.39.88:1194
Wed Oct 03 12:31:52 2012 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Wed Oct 03 12:31:54 2012 [userid] Peer Connection Initiated with 173.16.39.88:1194
Wed Oct 03 12:31:56 2012 TAP-WIN32 device [Local Area Connection] opened: \.\Global{D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D}.tap
Wed Oct 03 12:31:56 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
Wed Oct 03 12:31:56 2012 Successful ARP Flush on interface [19] {D4BBE6C8-8A49-435E-8EE8-75C7E2F4618D}
Wed Oct 03 12:32:02 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.  [status=5010 if_index=19]
The route addition failed: The object already exists.
Wed Oct 03 12:32:02 2012 Initialization Sequence Completed

myke

@johnpoz:

Your running version 1.03 of pfsense? Or is that the version of the openvpn gui your running?

What client are you on?  Windows 7 unless you run openvpn as admin it won't create the route.

So I have been running pfsense since the 1.x version and development snapshots on 2 and 2.1 and have never had any issues with openvpn.

What remote network are you on?  So you run 172.16 /??  /16?? on your pfsense lan?  That could easy be in conflict with what your remote network is.

Please post your full server config, can be found in /var/etc/openvpn server.conf – there should be a .conf file there for your server settings.

Also post your route table from your client once you connect and what if any firewall rules do you have in place on pfsense?  What is in your openvpn tab?  Where does your wifi box sit? how is it connected to pfsense - you sure your ping is just blocked on host firewall your trying to ping?

Thanks Johnpoz for your answer.

My version of pfsense is 2.0.1 and my remote network openvpn is 2.2.2. i'am administrator of my computer ( window 7 ).

My pfsense lan is 172.16.0.0/21 and my network in the office is 192.168.0.0/24.

In my firewalls logs i see my ping is ok but no responding.

I can just access to my pfsense and i don't have internet.

I will post full server config tomorow.

Thanks for the help  :)

johnpoz

ace where is your route table - this shows that addition failed

Wed Oct 03 12:32:02 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=19]

edit:  ok you posted it before, notice there is no route to your 10.0.0.0/24 on there - see mine.

My pfsense lan is 192.168.1.0/24 and in my route table and my connection info

Wed Oct 03 12:26:23 2012 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.0.200.5
Wed Oct 03 12:26:23 2012 Route addition via IPAPI succeeded [adaptive]

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.56.41.1    10.56.41.136       10
       10.0.200.1  255.255.255.255       10.0.200.5      10.0.200.6       1
       10.0.200.4  255.255.255.252       10.0.200.6      10.0.200.6       30
       10.0.200.6  255.255.255.255        127.0.0.1       127.0.0.1       30
       10.56.41.0    255.255.255.0     10.56.41.136    10.56.41.136       10
     10.56.41.136  255.255.255.255        127.0.0.1       127.0.0.1       10
   10.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       30
   10.255.255.255  255.255.255.255     10.56.41.136    10.56.41.136       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0       10.0.200.5      10.0.200.6       1
        224.0.0.0        240.0.0.0       10.0.200.6      10.0.200.6       30
        224.0.0.0        240.0.0.0     10.56.41.136    10.56.41.136       10
  255.255.255.255  255.255.255.255       10.0.200.6               3       1
  255.255.255.255  255.255.255.255       10.0.200.6               9       1
  255.255.255.255  255.255.255.255       10.0.200.6               6       1
  255.255.255.255  255.255.255.255       10.0.200.6               7       1
  255.255.255.255  255.255.255.255       10.0.200.6               5       1
  255.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       1
  255.255.255.255  255.255.255.255       10.0.200.6               2       1
  255.255.255.255  255.255.255.255     10.56.41.136    10.56.41.136       1
Default Gateway:        10.56.41.1
===========================================================================

192.168.1.0    255.255.255.0      10.0.200.5      10.0.200.6      1

ace_ventura

Is that not the output of "route print" that i pasted above?

I will paste again in case its different this time.

===========================================================================
Interface List
19…00 ff d4 bb e6 c8 ......TAP-Win32 Adapter V9
12...00 0c 29 37 bc ee ......Intel(R) 82574L Gigabit Network Connection
  1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0    192.168.186.2  192.168.186.129    10
        10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6    30
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      192.168.2.1  255.255.255.255      192.168.2.5      192.168.2.6    30
      192.168.2.4  255.255.255.252        On-link      192.168.2.6    286
      192.168.2.6  255.255.255.255        On-link      192.168.2.6    286
      192.168.2.7  255.255.255.255        On-link      192.168.2.6    286
    192.168.186.0    255.255.255.0        On-link  192.168.186.129    266
  192.168.186.129  255.255.255.255        On-link  192.168.186.129    266
  192.168.186.255  255.255.255.255        On-link  192.168.186.129    266
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link      192.168.2.6    286
        224.0.0.0        240.0.0.0        On-link  192.168.186.129    266
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255        On-link      192.168.2.6    286
  255.255.255.255  255.255.255.255        On-link  192.168.186.129    266

Persistent Routes:
  None

IPv6 Route Table

Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
19    286 fe80::/64                On-link
12    266 fe80::/64                On-link
12    266 fe80::81b1:8393:5628:5a3c/128
                                    On-link
19    286 fe80::a472:6f0a:696a:46ff/128
                                    On-link
  1    306 ff00::/8                On-link
19    286 ff00::/8                On-link
12    266 ff00::/8                On-link

Persistent Routes:
  None

johnpoz

now it shows

10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6    30

so should be working - you sure your host is just not answering?  Do a traceroute

D:>tracert -d 192.168.1.100

Tracing route to 192.168.1.100 over a maximum of 30 hops

1  189 ms  218 ms  249 ms  10.0.200.1
  2  168 ms  130 ms  266 ms  192.168.1.100

ace_ventura

seems to be working now, i'm not sure what changed. before I couldn't ping anything.

C:\Users\Mitch>tracert -d 192.168.1.100

Tracing route to 192.168.1.100 over a maximum of 30 hops

1    <1 ms    <1 ms    <1 ms  192.168.186.2
  2    *        *        *    Request timed out.
  3    *        *        *    Request timed out.
  4    *        *        *    Request timed out.
  5    *        *        *    Request timed out.
  6    *        *        *    Request timed out.
  7    *        *        *    Request timed out.
  8    *        *        *    Request timed out.
  9    *        *        *    Request timed out.
10    *        *        *    Request timed out.
11    *        *        *    Request timed out.
12    *        *        *    Request timed out.
13    *        *        *    Request timed out.
14    *        *        *    Request timed out.
15    *        *        *    Request timed out.
16

johnpoz

well in your first post you had no route - so no your not going to be able to get to anything on the other side of the tunnel.

In your second post you did, so that makes sense why its working now, and was not before.

Why would you trace to my 192.168.1.100 address??? Did I really have to spell out to use an IP on your pfsense lan vs my example ;)

ace_ventura

haha because i was on call at the time and not really paying attention to what i was doing, lol i'm sorry I feel like an idiot.

I'm guessing its because the client wasn't run as administrator, which is odd since I explicitly told it to the first time.

just for giggles ill prove myself now LOL

C:\Users\Mitch>tracert -d 10.0.0.11

Tracing route to 10.0.0.11 over a maximum of 30 hops

1    14 ms    10 ms    10 ms  192.168.2.1
  2    11 ms    10 ms    10 ms  10.0.0.11

Trace complete.

ace_ventura

Thanks for your help though, much appreciated.

johnpoz

yeah windows 7 needs to run as admin to add the route, but it seems the new beta version of openvpn client has gotten around that?  You could try the new beta 2.3_beta1

myke

Hi,
Here my conf :

Client Config

dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 109.6.229.83 1194
tls-remote Proxiel Server Cert
auth-user-pass
pkcs12 doberman-udp-1194.p12
tls-auth doberman-udp-1194-tls.key 1
comp-lzo

Server Settings :
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.1
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 172.16.0.0 255.255.248.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
route 172.16.0.0 255.255.248.0

firewall rules openvpn tab:
Proto:* Source:* Port:* Destination:* Port:* GW:* Queue: none
action:pass
interface: openvpn

IPv4 Table de routage

Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle  Adr. interface Métrique
          0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.75    20
          0.0.0.0        128.0.0.0        10.0.8.1        10.0.8.2    30
        10.0.8.0  255.255.255.252        On-link          10.0.8.2    286
        10.0.8.2  255.255.255.255        On-link          10.0.8.2    286
        10.0.8.3  255.255.255.255        On-link          10.0.8.2    286
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0        10.0.8.1        10.0.8.2    30
      172.16.0.0    255.255.248.0        10.0.8.1        10.0.8.2    30
      192.168.0.0    255.255.255.0        On-link      192.168.0.75    276
    192.168.0.75  255.255.255.255        On-link      192.168.0.75    276
    192.168.0.255  255.255.255.255        On-link      192.168.0.75    276
    192.168.56.0    255.255.255.0        On-link      192.168.56.1    276
    192.168.56.1  255.255.255.255        On-link      192.168.56.1    276
  192.168.56.255  255.255.255.255        On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0        On-link          10.0.8.2    286
        224.0.0.0        240.0.0.0        On-link      192.168.0.75    276
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255        On-link      192.168.56.1    276
  255.255.255.255  255.255.255.255        On-link          10.0.8.2    286
  255.255.255.255  255.255.255.255        On-link      192.168.0.75    276

My Lan Office network is 192.168.0.0 , My pfsense Lan is 172.16.0.0/21 and The tunnel network 10.0.8.0/24

So what can i do now ?
Thanks.