Netgate Discussion Forum

    OpenVPN clients can only access some LAN clients

    21 Posts 4 Posters 3.6k Views
    neilsaunders

      When testing I'm connected via my phone - All other network devices (Ethernet/Wifi) turned off.

      ![Screen Shot 2015-03-12 at 18.40.49.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.40.49.png)
      ![Screen Shot 2015-03-12 at 18.41.03.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.41.03.png)
      ![Screen Shot 2015-03-12 at 18.41.10.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.41.10.png)

      kejianshi

        My initial thought is that it's some sort of problem with the scope of the addresses your client device (phone) is using.

        No chance you can try it from some other network?

        (BTW - 192.168.10.0/24 is the same default setting for a lot of routers - not as bad as 192.168.1.0/24)

        neilsaunders

          IP assigned by mobile hotspot: 149.254.181.53

          Should add that I'm running the latest 2.2-RELEASE (amd64)
          built on Thu Jan 22 14:03:54 CST 2015
          FreeBSD 10.1-RELEASE-p4

          neilsaunders

            I've tried it both on a mobile 3G hotspot and my home broadband - Both with the same results :/

            kejianshi

              I know for sure this problem can be caused if there is a firewall running on the linux servers with a firewall up but an allow 192.168.10.0/24 rule.

              From the LAN all would work but from openvpn it would not work.

              Can you take another look at that?

              neilsaunders

                Hi kejianshi  -

                Have double checked and there are definitely no firewalls running - In fact one of them (192.168.10.14) is a printer that's the most insecure thing on the network - Same ping/TCP socket issues.

                Ta,

                Neil

                kejianshi

                  What's on 192.168.10.0/24 and what's on 192.168.1.0/24?

                  Derelict LAYER 8 Netgate

                    Do the devices you cannot reach have pfSense set as their default gateway?

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    neilsaunders

                      The unreachable devices do indeed have 192.168.1.1 set as their default gateway, and their subnet masks are correct at 255.255.0.0 (The same as the reachable devices)

                      The plot thickens -

                      I've got another machine on the network (No VPN, connected via ethernet) and ssh'd to one of the "unreachable" machines.
                      I then connected to the VPN on another machine, and noted its VPN IP (192.168.9.6).
                      I then ran tcpdump on the "unreachable" machine while telnetting to port 22 from the VPN client.

                      I can see packets from my VPN Client IP hitting the host, so something is stopping a full TCP handshake from occurring!?

                      #headscratcher

                      What next!?

                      Neil

                      Derelict LAYER 8 Netgate

                        @neilsaunders:

                        The unreachable devices do indeed have 192.168.1.1 set as their default gateway, and their subnet masks are correct at 255.255.0.0 (The same as the reachable devices)

                        According to the information in your first post, that should be 255.255.255.0.

                        phil.davis

                          Reading this, I am confused by the pfSense LAN IP of 192.168.1.1 (/24 ?) and then all the talk of devices 192.168.10.* (/24 or /16 mentioned?)

                          Are there 2 LANs (LAN 192.168.1.0/24 and OPT1 192.168.10.0/24) or just a single big LAN 192.168.0.0/16 ?

                          What is the netmask on each device?

                          What is the default gateway on each device?

                          And what tunnel network is used for the OpenVPN?

                          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                          neilsaunders

                            Hi Phil -

                            It's one single big LAN, but I've used DHCP to carve up the address space:

                            192.168.0.0/24 for Network devices (Wifi Access points, configured via DHCP Static mappings)
                            192.168.9.0/24 for VPN Clients (Configured via OpenVPN)
                            192.168.10.0/24 for permanent devices (PCs, printers, and linux hosts, configured via DHCP Static mappings)
                            192.168.100.0/24 for "Transient" clients (Laptops connected over wifi/ethernet)

                            The default gateway is 192.168.1.1 on all devices.
                            The netmask is 255.255.0.0 on all devices.
                            The OpenVPN tunnel network is 192.168.9.0/24.

                            Thanks again for your help,

                            Neil

                            phil.davis

                              So you really have LAN 192.168.0.0/16 - you have just allocated some pieces of that address space for convenience/convention to particular groups of devices. Personally I would not use such a large part (all) of the 192.168 space for a single LAN with not so many devices. Also it will almost always cause a conflict with some local subnet that your OpenVPN clients are in when they "dial up".

                              I presume you are using OpenVPN "tun" (tunnel) mode here. In that case the tunnel network MUST NOT overlap the LAN network.

                              For a start, change the tunnel network to some other private address space - e.g. 10.123.45.0/24 (pick a "random" subnet in the "10" space). Then things might start to work.

                              Then I would move the LAN away from 192.168.0.0/24 and 192.168.1.0/24 - best to move it right away from 192.168 - that will minimise conflict with other device default settings at client ends.

                                neilsaunders
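The reason the fix works is ordinary host routing, which the thread's tcpdump observation already hints at: a LAN host with a 255.255.0.0 mask treats 192.168.9.6 as on-link, so it ARPs for the VPN client instead of sending the SYN-ACK to pfSense, and the handshake never completes. The following is an added example (not code from the thread or from pfSense); it models that decision with Python's ipaddress module using the addresses posted above, plus a constructed client address 10.0.8.6 for the fixed tunnel.

```python
import ipaddress

# Constructed from the thread: LAN 192.168.0.0/16 behind pfSense at 192.168.1.1,
# the original tunnel network 192.168.9.0/24 and the replacement 10.0.8.0/24.
LAN = "192.168.0.0/16"
GATEWAY = "192.168.1.1"
TUNNEL_BROKEN = "192.168.9.0/24"
TUNNEL_FIXED = "10.0.8.0/24"


def tunnel_overlaps_lan(tunnel: str, lan: str) -> bool:
    """OpenVPN tun mode requires the tunnel network to be disjoint from the LAN."""
    return ipaddress.ip_network(tunnel).overlaps(ipaddress.ip_network(lan))


def next_hop(host_ip: str, host_mask: str, gateway: str, dst: str) -> str:
    """Routing decision a LAN host makes for a reply packet to dst.

    If dst falls inside the host's own interface network it is on-link and the
    host ARPs for dst directly; otherwise it hands the frame to its default
    gateway.  Returns the address the frame is actually sent to.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    if ipaddress.ip_address(dst) in iface.network:
        return dst      # on-link: ARP for the VPN client, which never answers on the LAN
    return gateway      # off-link: pfSense gets the packet and routes it into the tunnel


def reply_reaches_vpn_client(host_ip: str, host_mask: str, gateway: str, client: str) -> bool:
    """A SYN-ACK only gets back into the tunnel if the host sends it to pfSense."""
    return next_hop(host_ip, host_mask, gateway, client) == gateway


if __name__ == "__main__":
    printer = "192.168.10.14"   # the unreachable printer from the thread
    # 10.0.8.6 is a constructed client address inside the fixed tunnel network.
    for tunnel, client in ((TUNNEL_BROKEN, "192.168.9.6"), (TUNNEL_FIXED, "10.0.8.6")):
        print(f"tunnel {tunnel}: overlaps LAN = {tunnel_overlaps_lan(tunnel, LAN)}")
        for mask in ("255.255.0.0", "255.255.255.0"):
            ok = reply_reaches_vpn_client(printer, mask, GATEWAY, client)
            hop = next_hop(printer, mask, GATEWAY, client)
            print(f"  host {printer}/{mask}: reply to {client} sent to {hop} "
                  f"({'handshake completes' if ok else 'SYN-ACK lost'})")
```

A host with a 255.255.255.0 mask never sees the overlap, which is why the mask question raised earlier in the thread matters as much as the tunnel network choice.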

                                Hi Phil -

                                I still don't understand why, but setting the OpenVPN tunnel network to 10.0.8.0/24 did the trick!

                                Thanks everyone for your help - Much appreciated!

                                Ta,

                                Neil

                                  kejianshi

                                  Unless you are a network supergenius, keep things on /24s just for simplicity until you really have a great understanding of subnets and subnet masks.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.