OpenVPN cannot access LAN
-
Hello everyone.
I have pfSense working properly.
I want to connect a remote PC to my LAN.
pfSense LAN IP is 192.168.5.2 (modem IP 192.168.5.1).
I configured OpenVPN and the client connects to the VPN server (green icon) and gets IP 10.0.1.6.
Client ping to 192.168.5.2 is OK and it can log in to the pfSense web interface,
but the client can't ping or connect to 192.168.5.3 or 5.4 … other PCs etc.
What must I do?
Thanks -
Is your WAN subnet the same as your LAN subnet? Or is pfSense just another client behind your modem, and is your modem in fact your router?
-
Hi,
Firstly, can you explain your modem configuration? As above, your network subnet values might be the same subnet. Otherwise, did you add a rule (Firewall > Rules > OpenVPN) for access to the local network?
Regards,
SGTR -
Hi,
I just opened the same question (cannot access LAN) so I cannot provide the answer to this question…
But: the firewall rule for OpenVPN is created automatically when configuring OpenVPN (with description OpenVPN wizard). -
My modem IP is 192.168.5.1, subnet 255.255.255.0.
pfSense IP is 192.168.5.2, subnet 255.255.255.0.
All PCs connect to the internet without problems.
The remote PC connects to pfSense with the OpenVPN client and the connection is OK; it got IP 10.0.1.6.
Firewall rules were created automatically. I also checked that they are there.
But I can't connect to the local PCs. -
Please draw a map for us to understand your network topology. Your pfSense only has 1 interface - a LAN interface?
-
pfsense
lan 192.168.5.2 subnet 255.255.255.0
wan 192.168.5.1 subnet 255.255.255.0
ovpn tunnel setting 10.0.1.0/24
local network setting 192.168.5.0/24
The client connects to the pfSense server and internet access is OK. pfSense web config is OK. Pinging 192.168.5.2 is OK,
but no ping or other access to 5.2 5.3 5.4 etc.
-
pfsense
lan 192.168.5.2 subnet 255.255.255.0
wan 192.168.5.1 subnet 255.255.255.0

The way you have written this, it just won't work. It is not possible to have the same subnet on LAN and WAN. So there is some problem with us being able to understand what you mean.
What is connected to the WAN NIC of pfSense?
What is connected to the LAN NIC of pfSense?
Please try and draw a network diagram of what hardware is connected where. -
Thanks for helping.
adsl_router(192.168.5.1-255.255.255.0) -------- pfsense (192.168.5.2-255.255.255.0) <<< 15 LAN PC (192.168.5.XX 255.255.255.0)
|
|
remote pc 10.0.6.6
This is what I want.
Those 15 PCs and pfSense are working properly, no problems.
I want to add the remote PC to that LAN.
I installed the OpenVPN client on a Win7 PC and connected to pfSense. Pinging 192.168.5.2 is OK. Web access and internet are OK too.
The only problem is I can't ping or access those 15 PCs.
Firewall rules were created automatically, and I tried to push route 10.0.1.0 255.255.255.0 too,
but no success -
If you want to solve this problem, firstly you must change the modem network subnet, because your modem and pfSense box are on the same network. The modem and local network shouldn't be in the same subnet. They must be in different subnets. That's not a pfSense problem. It is routing protocol rules. Go to the modem GUI and change the modem IP address, the pfSense WAN IP address and the WAN gateway address. You will see the problem solved.
Regards,
SGTR -
I changed the settings to these values:
adsl_router(192.168.6.1-255.255.255.0) -------- pfsense (192.168.7.2-255.255.255.0) <<< 15 LAN PC (192.168.7.XX 255.255.255.0)
|
|
remote pc 10.0.1.6
but no success
-
I have no idea why your clients worked on LAN when you had 192.168.5.* addresses on pfSense WAN and LAN. Maybe you have pfSense in transparent bridge mode?
Anyway, now you have different subnets on LAN and WAN, which is good. Hopefully the LAN clients in 192.168.7.* are working fine and can get to the internet.
In your OpenVPN server, put "192.168.7.0/24" in "Local Network/s". Then the OpenVPN client should be given a route to 192.168.7.0/24
Make sure your OpenVPN tab has a rule that passes traffic to destination 192.168.7.0/24 (or pass destination all). -
Hi phil,
It was my mistake, sorry.
WAN and LAN were not the same. It was 5.2 and 6.2; I confused the WAN gateway and WAN.
I just changed the IPs but no success again. The system now:
(wan 192.168.5.2 wangw 192.168.5.1)
adsl_router(192.168.5.1-255.255.255.0) -------- pfsense (192.168.7.2-255.255.255.0) <<< 15 LAN PC (192.168.7.XX 255.255.255.0)
|
|
remote pc 10.0.6.6
From the VPN client side, connecting to the VPN server is OK. Web access is OK. Connecting to the internet from pfSense is OK.
No ping and no access to the client PCs. (Firewall tab OpenVPN: any to any pass.)
Regards

ipconfig
Ethernet bağdaştırıcı Yerel Ağ Bağlantısı 2:
Bağlantıya özgü DNS Soneki . . . :
Açıklama . . . . . . . . . . . . : TAP-Windows Adapter V9
Fiziksel Adres. . . . . . . . . . : 00-FF-xx-13-xx-xx
Dhcp Etkin. . . . . . . . . . . . : Evet
Otomatik Yapılandırma Etkin. . . : Evet
Bağlantı Yerel IPv6 Adresi . . . . . : fe80::cc54:cc25:9cde:cc83%cc(Tercih Edilen)
IPv4 Adresi. . . . . . . . . . . : 10.0.6.6(Tercih Edilen)
Alt Ağ Maskesi. . . . . . . . . . : 255.255.255.252
Kira Sağlanan. . . . . . . . . . : 03 Şubat 2014 Pazartesi 09:57:29
Kira Bitişi . . . . . . . . . . . : 03 Şubat 2015 Salı 09:57:28
Varsayılan Ağ Geçidi. . . . . . . :
DHCP Sunucusu . . . . . . . . . . : 10.0.6.5
DHCPv6 IAID . . . . . . . . . . . : 419495841
DHCPv6 İstemcisi DUID'si. . . . . . . . : 00-xx-00-01-19-E8-xx-xx-60-A4-xx-2B
-99-0E
DNS Sunucusu. . . . . . . . . . . : fxx0:0:0:ffff::xxx
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Tcpip üzerinden NetBIOS. . . . . . . . : Etkin

Ethernet bağdaştırıcı Yerel Ağ Bağlantısı:
Bağlantıya özgü DNS Soneki . . . :
Açıklama . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Fiziksel Adres. . . . . . . . . . : xx-A4-4C-xx-99-xx
Dhcp Etkin. . . . . . . . . . . . : Hayır
Otomatik Yapılandırma Etkin. . . : Evet
Bağlantı Yerel IPv6 Adresi . . . . . : fexx::294a:cc75:d957:xe2xx%11(Tercih Edlen)
IPv4 Adresi. . . . . . . . . . . : 192.168.4.174(Tercih Edilen)
Alt Ağ Maskesi. . . . . . . . . . : 255.255.255.0
Varsayılan Ağ Geçidi. . . . . . . : 192.168.4.1
DHCPv6 IAID . . . . . . . . . . . : 241214540
DHCPv6 İstemcisi DUID'si. . . . . . . . : 00-01-00-01-19-E8x-A3-xx-A40E
DNS Sunucusu. . . . . . . . . . . : 192.168.4.1
Tcpip üzerinden NetBIOS. . . . . . . . : Etkin

route list
IPv4 Yol Tablosu
Etkin Yollar:
Ağ Hedefi Ağ Maskesi Ağ Geçidi Arabirim Ölçüt
0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.174 276
10.0.6.1 255.255.255.255 10.0.6.5 10.0.6.6 30
10.0.6.4 255.255.255.252 On-link 10.0.6.6 286
10.0.6.6 255.255.255.255 On-link 10.0.6.6 286
10.0.6.7 255.255.255.255 On-link 10.0.6.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.4.0 255.255.255.0 On-link 192.168.4.174 276
192.168.4.174 255.255.255.255 On-link 192.168.4.174 276
192.168.4.255 255.255.255.255 On-link 192.168.4.174 276
192.168.7.0 255.255.255.0 10.0.6.5 10.0.6.6 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.4.174 276
224.0.0.0 240.0.0.0 On-link 10.0.6.6 286
224.0.0.0 240.0.0.0 On-link 192.168.59.1 276
224.0.0.0 240.0.0.0 On-link 192.168.133.1 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.4.174 276
255.255.255.255 255.255.255.255 On-link 10.0.6.6 286
255.255.255.255 255.255.255.255 On-link 192.168.59.1 276
255.255.255.255 255.255.255.255 On-link 192.168.133.1 276
-
Do the LAN PCs in the 192.168.7.x range have pfSense set as their default gateway?
Could you attempt to do the following in the Windows command prompt:
from VPN: tracert -d 192.168.7.X
from LAN PC (when VPN is connected): tracert -d 10.0.6.6
Also some Diagnostics -> Packet Captures would be helpful (try pinging from both ends while it is running) -
Hi heper.
These are the outputs:
C:\Users\Live>tracert -d 192.168.7.5
En çok 30 atlamanın üstünde 192.168.7.5'e giden yolu izlemek
1 15 ms 14 ms 14 ms 192.168.5.1
2 57 ms 59 ms 39 ms 195.87.128.19
3 54 ms 44 ms 74 ms 46.234.2.17
4 * * * İstek zaman aşımına uğradı. (it means timeout)
5 * * * İstek zaman aşımına uğradı.
6 * * * İstek zaman aşımına uğradı.
7 * * * İstek zaman aşımına uğradı.
8 * * * İstek zaman aşımına uğradı.
9 ^C
C:\Users\Live>

C:\Users\xpx>tracert -d 10.0.6.6
En çok 30 atlamanın üstünde 10.0.6.6 'e giden yolu izlemek
1 * * * İstek zaman aşımına uğradı. (it means timeout)
2 * * * İstek zaman aşımına uğradı.
3 * * * İstek zaman aşımına uğradı.
4 * * * İstek zaman aşımına uğradı.
5 * * * İstek zaman aşımına uğradı.
6 ^C -
That is very strange. It is routing from the OpenVPN client across the VPN link to pfSense, but then pfSense is sending it out the WAN 192.168.5.1 to the public internet. I can't think how that could happen, because 192.168.7.5 is on the local LAN of pfSense, so it has to be delivered directly there.
What is in Diagnostics->Routes IPv4 section on pfSense? -
Hi phil, this is the output,
and what I see in ipconfig:
--------
Ethernet bağdaştırıcı Yerel Ağ Bağlantısı 2:
Bağlantıya özgü DNS Soneki . . . :
Açıklama . . . . . . . . . . . . : TAP-Windows Adapter V9
Fiziksel Adres. . . . . . . . . . : 00-FF-xx-13-xx-xx
Dhcp Etkin. . . . . . . . . . . . : Evet
Otomatik Yapılandırma Etkin. . . : Evet
Bağlantı Yerel IPv6 Adresi . . . . . : fe80::cc54:cc25:9cde:cc83%cc(Tercih Edilen)
IPv4 Adresi. . . . . . . . . . . : 10.0.6.6(Tercih Edilen)
Alt Ağ Maskesi. . . . . . . . . . : 255.255.255.252
Kira Sağlanan. . . . . . . . . . : 03 Şubat 2014 Pazartesi 09:57:29
Kira Bitişi . . . . . . . . . . . : 03 Şubat 2015 Salı 09:57:28
Varsayılan Ağ Geçidi. . . . . . . : (gateway empty)
DHCP Sunucusu . . . . . . . . . . : 10.0.6.5
DHCPv6 IAID . . . . . . . . . . . : 419495841
DHCPv6 İstemcisi DUID'si. . . . . . . . : 00-xx-00-01-19-E8-xx-xx-60-A4-xx-2B

The gateway is empty. Is that normal?
I changed the OpenVPN gateway to default and ran tracert again:
C:\Users\Live>tracert -d 192.168.7.5
En çok 30 atlamanın üstünde 192.168.7.5'e giden yolu izlemek
1 28 ms 13 ms 53 ms 10.0.6.1
2 * * * İstek zaman aşımına uğradı. (timeout)
-
Any suggestions from specialists?
-
Hi Everyone,
Firstly @aykiri1
I am confused, because there was one network when you started this topic, and now there are many networks (192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24 and your tunnel networks).
What are your ADSL modem IP and your pfSense WAN and LAN IP addresses? You told us that the ADSL modem IP changed to 192.168.6.1 and your pfSense LAN IP address to 192.168.7.2.
-
Hi SGTR,
My second LAN and second WAN interfaces are not important because I want to access only lan1 (LAN).
Of course I made changes whenever I got info from someone, test by test.
(wan=192.168.6.2 wangw=192.168.6.1)
modem ip 192.168.6.1 -------------------------- pfsense (lan 192.168.7.2) ------------------------------ clients 192.168.7.xx
|
|
openvpn client 10.0.6.6
Firewall rule on OpenVPN: any to any and any port pass added.
The OpenVPN client connects to the server and gets IP 10.0.6.6. Web access to pfSense OK. Internet OK. LAN access NOK.
Thx
-
When I use the client export (with the executable setup) I must change the IP address.
This is the client OpenVPN conf:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 192.168.6.2 1194 udp
lport 0
verify-x509-name "xxxxx" name
auth-user-pass
pkcs12 secure-udp-1194-vpn1.p12
tls-auth secure-udp-1194-vpn1-tls.key 1
ns-cert-type server
comp-lzo

This red value I am changing to the WAN IP address.
What is the problem? -
pfsense sets the interface ip in the client-config … in your case this is probably 192.168.....
-
I fixed it. I changed the LAN and LAN2 IPs, 1 to 2 and 2 to 1, and access works now. I think the problem was the push route. Not sure.
Thanks all.
Some PCs are not pinging from the VPN client, and the firewall is disabled. Must I do anything?
-
If "some" PCs are not working and others in the same subnet are working, then the ones that don't work probably have a wrong gateway set in their config or have a local firewall.
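
Added example, not part of the thread: a Python sketch of the two checks the replies ask for, run over the addresses and client route-table rows posted above (embedded as constructed input). It flags overlapping WAN/LAN/tunnel subnets and does a longest-prefix lookup to show which gateway the client uses for 192.168.7.5; all function and variable names are illustrative, and the /24 size of the 10.0.6.x tunnel is an assumption.

```python
import ipaddress

# Constructed input: addressing as first posted, then as corrected (10.0.6.0/24 assumed).
AS_FIRST_POSTED = {"wan": "192.168.5.0/24", "lan": "192.168.5.0/24",
                   "tunnel": "10.0.1.0/24"}
AS_CORRECTED = {"wan": "192.168.5.0/24", "lan": "192.168.7.0/24",
                "tunnel": "10.0.6.0/24", "client_lan": "192.168.4.0/24"}

# Constructed input: rows from the client's route table in the thread
# (destination, netmask, gateway, interface, metric).
CLIENT_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.174 276
10.0.6.1 255.255.255.255 10.0.6.5 10.0.6.6 30
10.0.6.4 255.255.255.252 On-link 10.0.6.6 286
192.168.4.0 255.255.255.0 On-link 192.168.4.174 276
192.168.7.0 255.255.255.0 10.0.6.5 10.0.6.6 30
"""

def overlapping(networks):
    """Return name pairs whose subnets overlap (routing between them is ambiguous)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows; skip anything else."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway, iface, int(metric)))
    return routes

def next_hop(routes, target):
    """Longest prefix wins, lowest metric breaks ties; None if no route matches."""
    ip = ipaddress.ip_address(target)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    _, gateway, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return gateway, iface

if __name__ == "__main__":
    routes = parse_routes(CLIENT_ROUTES)
    print(overlapping(AS_FIRST_POSTED), next_hop(routes, "192.168.7.5"))
```

Removing the 192.168.7.0 row and repeating the lookup returns the default gateway 192.168.4.1, which is where the client sends LAN-bound traffic when the "Local Network/s" route is not pushed.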