Netgate Discussion Forum

    Unable to ping from OpenVPN endpoint to LAN network

    • solignis

      I am sure this has been asked many many times but I am stuck right now.

      I am running pfSense 2.2.4 with OpenVPN.

      I setup a new access server so I can access my network on the road.

      My configuration is pretty generic, I am running in tunnel mode. My tunnel subnet is 10.1.0.0/28 (14 usable).

      Basically the issue I am running into is I connect to my VPN from an outside WIFI connection and the VPN hooks up no sweat. I get my IP address and everything looks to be working. Then I try to ping something on my LAN (10.0.0.0/24) like my desktop (10.0.0.101) and it times out. Next I tried pinging the other side of the VPN tunnel (10.1.0.1) and it also times out. So I found that very confusing.

      My first idea was to be sure the firewall was not blocking anything. For troubleshooting right now I opened the VPN interface all the way. I have permit any any on the OpenVPN section for both IPv4 and IPv6, even though I only have IPv4 configured at this time. After that it would still not ping; I also tried to ping from my desktop to my endpoint and I got no response either. Next I looked at the firewall system logs and I am seeing the firewall actively blocking ICMP from the VPN source address to the LAN destination address. As far as my LAN rules are built, the only odd thing I have is that my permit rules have an exception that denies any traffic from my LAN going to my work interface, which has an IP phone and hardware VPN device hooked to it. But I have never had any trouble before with similar setups.

      I am lost on this one. According to the way it's configured everything "should be" working but it's not. I am not sure why the VPN is being actively blocked with a permit any any rules in place on the firewall section for the VPN.

      Can anyone share some insight into this?

      • Derelict (LAYER 8, Netgate)

        Show us your OpenVPN rule.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • solignis

          Here are the firewall rules I have set up (see attached). AJG net is my DMZ interface for work. My work provisioned me an Aruba Networks VPN device which hangs on that interface. None of my personal network interfaces are allowed to access it. I do this since I do things that would be bad if they popped up on their network.

          [Attachments: OpenVPN.png, WAN.png]

          • Derelict (LAYER 8, Netgate)

            Great except we have no idea what's in that alias.


            • solignis

              Sorry I don't follow you? What additional info do you need?

              • Derelict (LAYER 8, Netgate)

                Did you check the firewall software on the hosts themselves?

                If that's not it I guess you'll have to post more details about how you set up the VPN.


                • Derelict (LAYER 8, Netgate)

                  @ianc1215:

                  Sorry I don't follow you? What additional info do you need?

                  The subnet would be nice.


                  • solignis

                    Oh sorry…

                    My LAN subnet is 10.0.0.0 / 24
                    My OpenVPN subnet is 10.1.0.0 / 28
                    My AJG subnet is 10.2.0.0 /24

                    • solignis

                      Here is what I am seeing in the firewall log.

                      [Attachment: FW log.png]

                      • Derelict (LAYER 8, Netgate)

                        And when you click the red X what does it say?  Obviously there's something else at play other than the rules you've posted.  Try not to crop so much so you give more context, like the interface the rules are on, etc.


                        • solignis

                          Wow, first let me say… I had no idea the X was clickable... :o

                          Second here is what it said.

                          [Attachment: 2015-08-24 19_24_21-OneNote.png]

                          • solignis

                            That does not make 100% sense to me since I thought I opened up the firewall on the OpenVPN interface 100%.

                            • Derelict (LAYER 8, Netgate)

                              Apparently not.  What OpenVPN tabs and assigned interface tabs do you have and what are the rules on them?


                              • solignis

                                I found out what I was doing wrong with the firewall. There was no explicit allow all, so if traffic did not match a rule it was blocked.

                                • Derelict (LAYER 8, Netgate)

                                  Yeah that's generally how it works.


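As an added illustration (not part of the thread), the first-match, default-deny behaviour the two posts above describe, modelled with the thread's subnets and hosts. The rule contents in `OPENVPN_AS_POSTED` and `LAN_TAB` are constructed stand-ins, since the actual rule screenshots are not reproduced here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# pfSense evaluates an interface tab's rules top-down with first-match
# ("quick") semantics; a packet that matches no rule hits the implicit
# default deny, which is what the OP saw logged for tunnel -> LAN ICMP.

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "any", "icmp", "tcp", "udp"
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    descr: str = ""

DEFAULT_DENY = Rule("block", "any", "0.0.0.0/0", "0.0.0.0/0", "Default deny rule IPv4")

def evaluate(rules, proto, src, dst):
    """Return the rule that decides a packet arriving on this interface tab."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r                     # first match wins
    return DEFAULT_DENY                  # nothing matched: implicit block

def is_blocked(rules, proto, src, dst):
    return evaluate(rules, proto, src, dst).action == "block"

# Thread addresses: tunnel 10.1.0.0/28 (laptop 10.1.0.2), LAN 10.0.0.0/24
# (desktop 10.0.0.101, pfSense 10.0.0.1), work DMZ (AJG) 10.2.0.0/24.
# Constructed: an OpenVPN tab with only a narrow pass rule and no allow-all.
OPENVPN_AS_POSTED = [
    Rule("pass", "tcp", "10.1.0.0/28", "10.0.0.0/24", "TCP from VPN clients to LAN"),
]
# The fix the OP arrived at: an explicit allow-all for VPN clients.
OPENVPN_FIXED = [
    Rule("pass", "any", "10.1.0.0/28", "0.0.0.0/0", "allow VPN clients"),
]
# Constructed LAN tab: the OP's LAN -> AJG exception placed above the default allow.
LAN_TAB = [
    Rule("block", "any", "10.0.0.0/24", "10.2.0.0/24", "keep LAN off the work DMZ"),
    Rule("pass", "any", "10.0.0.0/24", "0.0.0.0/0", "Default allow LAN to any"),
]

if __name__ == "__main__":
    for label, rules in (("as posted", OPENVPN_AS_POSTED), ("fixed", OPENVPN_FIXED)):
        r = evaluate(rules, "icmp", "10.1.0.2", "10.0.0.101")
        print(f"OpenVPN tab {label}: ICMP 10.1.0.2 -> 10.0.0.101 = {r.action} ({r.descr})")
    r = evaluate(LAN_TAB, "icmp", "10.0.0.101", "10.1.0.2")
    print(f"LAN tab: ICMP 10.0.0.101 -> 10.1.0.2 = {r.action} ({r.descr})")
```

With the LAN tab passing desktop-to-laptop ICMP, a LAN-side block in the log would have to come from somewhere else, which is why the later replies point at the host firewall on the laptop.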
                                  • solignis

                                    Normally I am pretty good at setting this stuff. Mind you I am a little rusty. But this one has me stumped.

                                    My LAN can ping the OpenVPN interface on the router. But I cannot ping any VPN hosts. Also the VPN host while still connected cannot ping anything except itself. It can't even ping the router VPN endpoint.

                                    • Derelict (LAYER 8, Netgate)

                                      You might not be able to ping the VPN tunnel interfaces.  That is normal.

                                      Instead of giving gobbledygook like this:

                                      My LAN can ping the OpenVPN interface on the router. But I cannot ping any VPN hosts. Also the VPN host while still connected cannot ping anything except itself. It can't even ping the router VPN endpoint.

                                      Give us something we can work with.  Specific IP addresses, interface addresses, interfaces, etc.

                                      I have NO IDEA what you are talking about when you say "VPN endpoint."


                                      • solignis

                                        Ok, I have made a huge leap in troubleshooting progress. I am now able to ping from my VPN client, which is my laptop (10.1.0.2), to my desktop (10.0.0.101) on my LAN. Sadly my way of accomplishing this was to erase my OpenVPN server and client configurations and reload them. After re-configuring the OpenVPN server I noticed that it refused to start the service. I took a look at the log file and found it was stating it could create the interface it needed to host the server (ovpns1).

                                        Part of the previous issue looks like OpenVPN was not able to get access to the Windows routing table to add the VPN route. I ran the client in admin mode and it was able to add the route.

                                        As it stands right now my laptop (10.1.0.2) is able to ping anything on the 10.0.0.0/24 subnet. The issue now is that nothing on 10.0.0.0/24 can ping my laptop over the VPN.

                                        I have checked the firewall logs and I am no longer seeing any issues with the firewall actively blocking my ping attempts.

                                        When I do a traceroute from my desktop the trace makes it to the gateway (10.0.0.1, pfSense) but stops after that.

                                        C:\Users\Ian>tracert 10.1.0.2
                                        
                                        Tracing route to 10.1.0.2 over a maximum of 30 hops
                                        
                                          1    <1 ms    <1 ms    <1 ms  gateway.solignis.com [10.0.0.1]
                                          2     *        *        *     Request timed out.
                                          3     *        *        *     Request timed out.
                                          4     *        *        *     Request timed out.
                                          5     *        *        *     Request timed out.

                                        Here is the ping test from my desktop (10.0.0.101);

                                        C:\Users\Ian>ping 10.1.0.2 -t
                                        
                                        Pinging 10.1.0.2 with 32 bytes of data:
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.
                                        Request timed out.

                                        Here is the traceroute from my laptop when connected to the VPN;

                                        C:\WINDOWS\system32>tracert 10.0.0.101
                                        
                                        Tracing route to SPACECRATE [10.0.0.101]
                                        over a maximum of 30 hops:
                                        
                                          1    99 ms    57 ms    52 ms  10.1.0.1
                                          2    54 ms    53 ms    63 ms  SPACECRATE [10.0.0.101]
                                        
                                        Trace complete.

                                        Here is the ping test from my laptop when connected to the VPN;

                                        C:\WINDOWS\system32>ping 10.0.0.101
                                        
                                        Pinging 10.0.0.101 with 32 bytes of data:
                                        Reply from 10.0.0.101: bytes=32 time=65ms TTL=127
                                        Reply from 10.0.0.101: bytes=32 time=68ms TTL=127
                                        Reply from 10.0.0.101: bytes=32 time=51ms TTL=127
                                        Reply from 10.0.0.101: bytes=32 time=50ms TTL=127
                                        
                                        Ping statistics for 10.0.0.101:
                                            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                                        Approximate round trip times in milli-seconds:
                                            Minimum = 50ms, Maximum = 68ms, Average = 58ms

                                        I have attached my current firewall rules.

                                        [Attachments: WAN.png, LAN.png, VPN.png]

                                        • Derelict (LAYER 8, Netgate)

                                          Check the firewall on your laptop.

                                          In most cases, the assets on the main, server LAN will not have to make connections to the client.


                                          • doktornotor (Banned)

                                            Disable the goddamn Windows "firewall" before testing.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.