Netgate Discussion Forum
    Trying to get LAN access, can only ping myself

OpenVPN

johnpoz LAYER 8 Global Moderator

ace, where is your route table? This shows that the addition failed:

      Wed Oct 03 12:32:02 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=19]

edit: ok, you posted it before; notice there is no route to your 10.0.0.0/24 on there - see mine.

My pfSense LAN is 192.168.1.0/24, and it is in my route table and my connection info:

      
      Wed Oct 03 12:26:23 2012 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.0.200.5
      Wed Oct 03 12:26:23 2012 Route addition via IPAPI succeeded [adaptive]
      
      
      
      ===========================================================================
      Active Routes:
      Network Destination        Netmask          Gateway       Interface  Metric
                0.0.0.0          0.0.0.0       10.56.41.1    10.56.41.136       10
             10.0.200.1  255.255.255.255       10.0.200.5      10.0.200.6       1
             10.0.200.4  255.255.255.252       10.0.200.6      10.0.200.6       30
             10.0.200.6  255.255.255.255        127.0.0.1       127.0.0.1       30
             10.56.41.0    255.255.255.0     10.56.41.136    10.56.41.136       10
           10.56.41.136  255.255.255.255        127.0.0.1       127.0.0.1       10
         10.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       30
         10.255.255.255  255.255.255.255     10.56.41.136    10.56.41.136       10
              127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
            192.168.1.0    255.255.255.0       10.0.200.5      10.0.200.6       1
              224.0.0.0        240.0.0.0       10.0.200.6      10.0.200.6       30
              224.0.0.0        240.0.0.0     10.56.41.136    10.56.41.136       10
        255.255.255.255  255.255.255.255       10.0.200.6               3       1
        255.255.255.255  255.255.255.255       10.0.200.6               9       1
        255.255.255.255  255.255.255.255       10.0.200.6               6       1
        255.255.255.255  255.255.255.255       10.0.200.6               7       1
        255.255.255.255  255.255.255.255       10.0.200.6               5       1
        255.255.255.255  255.255.255.255       10.0.200.6      10.0.200.6       1
        255.255.255.255  255.255.255.255       10.0.200.6               2       1
        255.255.255.255  255.255.255.255     10.56.41.136    10.56.41.136       1
      Default Gateway:        10.56.41.1
      ===========================================================================
      
      

      192.168.1.0    255.255.255.0      10.0.200.5      10.0.200.6      1

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

ace_ventura
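An added example for the check johnpoz is describing (does the Windows route table actually contain a route for the remote LAN via the tunnel peer?): a small parser for `route print` output with a longest-prefix-match lookup. This is example code, not from the thread or from pfSense; the two sample tables are constructed from the one quoted above, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the "route print" excerpt posted above (working client,
# LAN 192.168.1.0/24 reachable through the tunnel peer 10.0.200.5).
ROUTE_PRINT_OK = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.56.41.1    10.56.41.136       10
       10.0.200.4  255.255.255.252       10.0.200.6      10.0.200.6       30
      192.168.1.0    255.255.255.0       10.0.200.5      10.0.200.6       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
  255.255.255.255  255.255.255.255       10.0.200.6               3       1
"""

# Constructed sample: the same table without the pushed LAN route, i.e. what the
# client is left with when the route addition fails.
ROUTE_PRINT_MISSING = "\n".join(
    l for l in ROUTE_PRINT_OK.splitlines() if not l.lstrip().startswith("192.168.1.0")
)

# dest  mask  gateway-or-On-link  interface (IP or index)  metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return [(IPv4Network, gateway, interface, metric)] from 'route print' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, host):
    """Longest-prefix match, lowest metric on ties (the forwarding decision for host)."""
    ip = ipaddress.IPv4Address(host)
    best = None
    for entry in routes:
        net, _, _, metric = entry
        if ip in net and (best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3])):
            best = entry
    return best


def vpn_route_ok(text, remote_lan, tunnel_gateway):
    """(ok, reason): ok is True when remote_lan is reached through tunnel_gateway."""
    routes = parse_route_print(text)
    lan = ipaddress.IPv4Network(remote_lan)
    best = lookup(routes, str(lan.network_address + 1))  # any host inside the LAN
    if best is None:
        return False, "no matching route at all"
    net, gw, iface, metric = best
    if net.prefixlen == 0:
        return False, f"only the default route via {gw} matches: the tunnel route was never added"
    if gw != tunnel_gateway:
        return False, f"{net} is routed via {gw}, not the tunnel peer {tunnel_gateway}"
    return True, f"{net} via {gw} on {iface} (metric {metric})"
```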

Is that not the output of "route print" that I pasted above?

I will paste again in case it's different this time.

        ===========================================================================
        Interface List
        19…00 ff d4 bb e6 c8 ......TAP-Win32 Adapter V9
        12...00 0c 29 37 bc ee ......Intel(R) 82574L Gigabit Network Connection
          1...........................Software Loopback Interface 1
        14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
        15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
        17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

        IPv4 Route Table

        Active Routes:
        Network Destination        Netmask          Gateway      Interface  Metric
                  0.0.0.0          0.0.0.0    192.168.186.2  192.168.186.129    10
                10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6    30
                127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
          127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
              192.168.2.1  255.255.255.255      192.168.2.5      192.168.2.6    30
              192.168.2.4  255.255.255.252        On-link      192.168.2.6    286
              192.168.2.6  255.255.255.255        On-link      192.168.2.6    286
              192.168.2.7  255.255.255.255        On-link      192.168.2.6    286
            192.168.186.0    255.255.255.0        On-link  192.168.186.129    266
          192.168.186.129  255.255.255.255        On-link  192.168.186.129    266
          192.168.186.255  255.255.255.255        On-link  192.168.186.129    266
                224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                224.0.0.0        240.0.0.0        On-link      192.168.2.6    286
                224.0.0.0        240.0.0.0        On-link  192.168.186.129    266
          255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          255.255.255.255  255.255.255.255        On-link      192.168.2.6    286
          255.255.255.255  255.255.255.255        On-link  192.168.186.129    266

        Persistent Routes:
          None

        IPv6 Route Table

        Active Routes:
        If Metric Network Destination      Gateway
          1    306 ::1/128                  On-link
        19    286 fe80::/64                On-link
        12    266 fe80::/64                On-link
        12    266 fe80::81b1:8393:5628:5a3c/128
                                            On-link
        19    286 fe80::a472:6f0a:696a:46ff/128
                                            On-link
          1    306 ff00::/8                On-link
        19    286 ff00::/8                On-link
        12    266 ff00::/8                On-link

        Persistent Routes:
          None

johnpoz LAYER 8 Global Moderator

Now it shows

          10.0.0.0    255.255.255.0      192.168.2.5      192.168.2.6    30

so it should be working - are you sure your host is just not answering? Do a traceroute:

          D:>tracert -d 192.168.1.100

          Tracing route to 192.168.1.100 over a maximum of 30 hops

  1   189 ms   218 ms   249 ms  10.0.200.1
  2   168 ms   130 ms   266 ms  192.168.1.100

ace_ventura

Seems to be working now, I'm not sure what changed. Before, I couldn't ping anything.

            C:\Users\Mitch>tracert -d 192.168.1.100

            Tracing route to 192.168.1.100 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.186.2
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16

johnpoz LAYER 8 Global Moderator

Well, in your first post you had no route - so no, you're not going to be able to get to anything on the other side of the tunnel.

In your second post you did, so that makes sense why it's working now, and was not before.

Why would you trace to my 192.168.1.100 address??? Did I really have to spell out to use an IP on your pfSense LAN vs my example ;)

ace_ventura

Haha, because I was on call at the time and not really paying attention to what I was doing, lol. I'm sorry, I feel like an idiot.

I'm guessing it's because the client wasn't run as administrator, which is odd since I explicitly told it to the first time.

Just for giggles, I'll prove myself now LOL

                C:\Users\Mitch>tracert -d 10.0.0.11

                Tracing route to 10.0.0.11 over a maximum of 30 hops

  1    14 ms    10 ms    10 ms  192.168.2.1
  2    11 ms    10 ms    10 ms  10.0.0.11

                Trace complete.

ace_ventura

                  Thanks for your help though, much appreciated.

johnpoz LAYER 8 Global Moderator

Yeah, Windows 7 needs to run as admin to add the route, but it seems the new beta version of the OpenVPN client has gotten around that? You could try the new beta 2.3_beta1.

myke

Hi,
Here is my conf:

                      Client Config

                      dev tun
                      persist-tun
                      persist-key
                      proto udp
                      cipher BF-CBC
                      tls-client
                      client
                      resolv-retry infinite
                      remote 109.6.229.83 1194
                      tls-remote Proxiel Server Cert
                      auth-user-pass
                      pkcs12 doberman-udp-1194.p12
                      tls-auth doberman-udp-1194-tls.key 1
                      comp-lzo

Server Settings:
                      dev ovpns1
                      dev-type tun
                      dev-node /dev/tun1
                      writepid /var/run/openvpn_server1.pid
                      #user nobody
                      #group nobody
                      script-security 3
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      proto udp
                      cipher BF-CBC
                      up /usr/local/sbin/ovpn-linkup
                      down /usr/local/sbin/ovpn-linkdown
                      local 192.168.1.1
                      tls-server
                      server 10.0.8.0 255.255.255.0
                      client-config-dir /var/etc/openvpn-csc
                      username-as-common-name
                      auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                      tls-verify /var/etc/openvpn/server1.tls-verify.php
                      lport 1194
                      management /var/etc/openvpn/server1.sock unix
                      max-clients 10
                      push "route 172.16.0.0 255.255.248.0"
                      ca /var/etc/openvpn/server1.ca
                      cert /var/etc/openvpn/server1.cert
                      key /var/etc/openvpn/server1.key
                      dh /etc/dh-parameters.1024
                      tls-auth /var/etc/openvpn/server1.tls-auth 0
                      comp-lzo
                      persist-remote-ip
                      float
                      route 172.16.0.0 255.255.248.0

                      firewall rules openvpn tab:
                      Proto:* Source:* Port:* Destination:* Port:* GW:* Queue: none
                      action:pass
                      interface: openvpn

                      IPv4 Table de routage

                      Itinéraires actifs :
                      Destination réseau    Masque réseau  Adr. passerelle  Adr. interface Métrique
                                0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.75    20
                                0.0.0.0        128.0.0.0        10.0.8.1        10.0.8.2    30
                              10.0.8.0  255.255.255.252        On-link          10.0.8.2    286
                              10.0.8.2  255.255.255.255        On-link          10.0.8.2    286
                              10.0.8.3  255.255.255.255        On-link          10.0.8.2    286
                              127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                              127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                        127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                              128.0.0.0        128.0.0.0        10.0.8.1        10.0.8.2    30
                            172.16.0.0    255.255.248.0        10.0.8.1        10.0.8.2    30
                            192.168.0.0    255.255.255.0        On-link      192.168.0.75    276
                          192.168.0.75  255.255.255.255        On-link      192.168.0.75    276
                          192.168.0.255  255.255.255.255        On-link      192.168.0.75    276
                          192.168.56.0    255.255.255.0        On-link      192.168.56.1    276
                          192.168.56.1  255.255.255.255        On-link      192.168.56.1    276
                        192.168.56.255  255.255.255.255        On-link      192.168.56.1    276
                              224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                              224.0.0.0        240.0.0.0        On-link      192.168.56.1    276
                              224.0.0.0        240.0.0.0        On-link          10.0.8.2    286
                              224.0.0.0        240.0.0.0        On-link      192.168.0.75    276
                        255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                        255.255.255.255  255.255.255.255        On-link      192.168.56.1    276
                        255.255.255.255  255.255.255.255        On-link          10.0.8.2    286
                        255.255.255.255  255.255.255.255        On-link      192.168.0.75    276

My office LAN network is 192.168.0.0, my pfSense LAN is 172.16.0.0/21 and the tunnel network is 10.0.8.0/24.

So what can I do now?
                      Thanks.

phil.davis

                        push "route 172.16.0.0 255.255.248.0"
                        route 172.16.0.0 255.255.248.0

                        Your server config has both route and push route with the same address. As I understand it, the server is on the pfSense that has LAN 172.16.0.0/21 - so the server should have only:

                        push "route 172.16.0.0 255.255.248.0"

Then it will tell ("push a route to") clients that connect that it is the way to reach 172.16.0.0/21.

                        The extra:

                        route 172.16.0.0 255.255.248.0

                        will confuse the routing - this tells pfSense that 172.16.0.0/21 can be reached by sending packets out this OpenVPN server - which is not correct.

                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

myke
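An added example illustrating the point above about `route` versus `push "route"`: a lint over an OpenVPN server config that flags a server-side `route` for a prefix the same server also pushes to clients, and returns the config with that line dropped. This is example code, not pfSense's or OpenVPN's own; the sample config is constructed from the one posted in this thread and the function names are my own.

```python
import ipaddress
import shlex

# Constructed from the server config posted above, trimmed to the relevant lines.
SERVER_CONF = """\
dev ovpns1
dev-type tun
#user nobody
proto udp
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
push "route 172.16.0.0 255.255.248.0"
route 172.16.0.0 255.255.248.0
comp-lzo
"""


def parse_openvpn_conf(text):
    """Yield (directive, args) per line; strips # comments and honours push "..." quoting."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0], parts[1:]


def route_args_to_network(args):
    """'<network> [<netmask>]' as written after route / push route; netmask defaults to /32."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.IPv4Network(f"{args[0]}/{mask}", strict=False)


def find_conflicting_routes(text):
    """Return [(server_route, pushed_route)] where a server-side 'route' overlaps a pushed one.

    push "route X" tells connecting clients that X is behind this server; a bare 'route X'
    tells the server itself that X lies on the far side of the tunnel. Both for the same
    prefix contradict each other. A 'route' for a network behind a client (paired with
    iroute in a client-config-dir file) is legitimate and is only flagged if also pushed.
    """
    pushed, server_side = [], []
    for directive, args in parse_openvpn_conf(text):
        if directive == "push" and args and args[0].split()[:1] == ["route"]:
            pushed.append(route_args_to_network(args[0].split()[1:]))
        elif directive == "route" and args:
            server_side.append(route_args_to_network(args))
    return [(r, p) for r in server_side for p in pushed if r.overlaps(p)]


def drop_conflicting_routes(text):
    """Return the config with the conflicting server-side 'route' lines removed."""
    bad = {r for r, _ in find_conflicting_routes(text)}
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = shlex.split(line) if line else []
        if len(parts) > 1 and parts[0] == "route" and route_args_to_network(parts[1:]) in bad:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"
```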

I removed the extra route and I'm still searching for my issue.

myke

Hello,
I tried with server mode Peer to Peer in another pfSense box.

With the same parameters I have internet, but I can't ping the computer and AP on the pfSense LAN.

Is there a problem when we use OpenVPN with multi-WAN, failover, and Captive Portal?

I don't know where it is blocking, because no rules blocked the traffic…

myke

I'm back.
I tried with IPsec but I've got the same issue… :'(

phil.davis

local 192.168.1.1

This looks wrong in your server config. It should be the WAN IP that the server is on. I am guessing that the server is not on a private address like 192.168.1.1.
I just noticed this issue on Redmine http://redmine.pfsense.org/issues/2582 and confirmed the problem. If you change your static IP on WAN, then pfSense does not update the OpenVPN conf files. If you go to each OpenVPN server and client and edit+save again, the conf files are generated again and have the new WAN IP in the "local n.n.n.n" line.

myke

                                  Hi,

Thanks Davis, but I have the same result, I can reach my pfSense LAN.

I tried with an SDSL router with the WAN IP but exactly the same issues…

Here is my server1.conf:

                                  dev ovpns1
                                  dev-type tun
                                  dev-node /dev/tun1
                                  writepid /var/run/openvpn_server1.pid
                                  #user nobody
                                  #group nobody
                                  script-security 3
                                  daemon
                                  keepalive 10 60
                                  ping-timer-rem
                                  persist-tun
                                  persist-key
                                  proto tcp-server
                                  cipher BF-CBC
                                  up /usr/local/sbin/ovpn-linkup
                                  down /usr/local/sbin/ovpn-linkdown
                                  local 81.252.136.49
                                  tls-server
                                  server 10.0.8.0 255.255.255.0
                                  client-config-dir /var/etc/openvpn-csc
                                  ifconfig 10.0.8.1 10.0.8.2
                                  tls-verify /var/etc/openvpn/server1.tls-verify.php
                                  lport 1194
                                  management /var/etc/openvpn/server1.sock unix
                                  max-clients 8
                                  push "route 172.16.0.0 255.255.248.0"
                                  ca /var/etc/openvpn/server1.ca
                                  cert /var/etc/openvpn/server1.cert
                                  key /var/etc/openvpn/server1.key
                                  dh /etc/dh-parameters.1024
                                  crl-verify /var/etc/openvpn/server1.crl-verify
                                  comp-lzo

                                  Thanks Phil Davis but

myke

Hi,
I just rebooted my pfSense and my VPN works now…

                                    Thanks for the help.
