2 instances, cannot ping local machines through first vpn
-
in firewall/rules/openvpn
for IPV4 I got a * * * * * rule created by openvpn wizard
I also tested ssh connections, it does not work
I tried adding a * * * * LAN rule as a test on both firewall, but with no luck
I dont see any entry in the logs concerning the ip I try to access
-
is the traffic in the firewall log blocked ? cos I added 2 rules LAN
source 192.168.2.0/24
destination 192.168.1.0/24and
source 192.168.1.0/24
destination 192.168.2.0/24now the entries concerning my http requests on 192.168.1.23 dont show up anymore in the log, but I still cannot access it via firefox
also something weird: in the logs, port 80 is the source port while it should be the destination port
-
anyone ?
please this is a serious issue and I really need help on this one
thanks
-
So what tells the filter log?
Post a screenshot, please.Also post your clients routing table.
-
bellow are my fwal rules, route print and filter log on second pfsense
as mentioned before it really seems odd that the port 80 is at the source and not the destination
on the first pfsense(VPN)
on the second pfsense
Ethernet adapter Local Area Connection 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19 IPv4 Address. . . . . . . . . . . : 192.168.2.2 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : ***************.net Link-local IPv6 Address . . . . . : fe80::249d:c73d:286b:eac1%11 IPv4 Address. . . . . . . . . . . : 172.16.27.168 Subnet Mask . . . . . . . . . . . : 255.255.255.128 Default Gateway . . . . . . . . . : 172.16.27.254 Ethernet adapter VMware Network Adapter VMnet1: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::1813:2fe0:5bcb:1930%16 IPv4 Address. . . . . . . . . . . : 192.168.88.1 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : Ethernet adapter VMware Network Adapter VMnet8: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::f435:d6ac:24e4:15ab%17 IPv4 Address. . . . . . . . . . . : 192.168.29.1 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . :=========================================================================== Interface List 19...00 ff 28 05 3d 13 ......TAP-Windows Adapter V9 11...88 51 fb 40 a4 b3 ......Intel(R) 82579LM Gigabit Network Connection 16...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1 17...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8 1...........................Software Loopback Interface 1 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4 =========================================================================== IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 172.16.27.254 172.16.27.168 266 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 172.16.27.128 255.255.255.128 On-link 172.16.27.168 266 172.16.27.168 255.255.255.255 On-link 172.16.27.168 266 172.16.27.255 255.255.255.255 On-link 172.16.27.168 266 192.168.1.0 255.255.255.0 192.168.2.1 192.168.2.2 20 192.168.2.0 255.255.255.0 On-link 192.168.2.2 276 192.168.2.2 255.255.255.255 On-link 192.168.2.2 276 192.168.2.255 255.255.255.255 On-link 192.168.2.2 276 192.168.29.0 255.255.255.0 On-link 192.168.29.1 276 192.168.29.1 255.255.255.255 On-link 192.168.29.1 276 192.168.29.255 255.255.255.255 On-link 192.168.29.1 276 192.168.88.0 255.255.255.0 On-link 192.168.88.1 276 192.168.88.1 255.255.255.255 On-link 192.168.88.1 276 192.168.88.255 255.255.255.255 On-link 192.168.88.1 276 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.2.2 276 224.0.0.0 240.0.0.0 On-link 192.168.88.1 276 224.0.0.0 240.0.0.0 On-link 192.168.29.1 276 224.0.0.0 240.0.0.0 On-link 172.16.27.168 266 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.2.2 276 255.255.255.255 255.255.255.255 On-link 192.168.88.1 276 255.255.255.255 255.255.255.255 On-link 192.168.29.1 276 255.255.255.255 255.255.255.255 On-link 172.16.27.168 266 =========================================================================== Persistent Routes: Network Address Netmask Gateway Address Metric 0.0.0.0 0.0.0.0 172.16.27.254 Default =========================================================================== IPv6 Route Table =========================================================================== Active Routes: If Metric Network Destination Gateway 1 306 ::1/128 On-link 19 276 fe80::/64 On-link 16 276 fe80::/64 On-link 17 276 fe80::/64 On-link 11 266 fe80::/64 On-link 16 276 fe80::1813:2fe0:5bcb:1930/128 On-link 11 266 fe80::249d:c73d:286b:eac1/128 On-link 19 276 fe80::7d8b:d819:a21a:5440/128 On-link 17 276 fe80::f435:d6ac:24e4:15ab/128 On-link 1 306 ff00::/8 On-link 19 276 ff00::/8 On-link 16 276 ff00::/8 On-link 17 276 ff00::/8 On-link 11 266 ff00::/8 On-link =========================================================================== Persistent Routes: Nonethe filter log on the second pfsense
apparently the adress I try to ping( 192.168.1.23) is comming back
-
Your firewall log is showing 192.168.1.23 trying to answer, but its going through your second pfsense so this traffic is out of state, so yeah it would be blocked.
So we are all clear what your doing.. The attached is your network? And what your trying to do.
What is the gateway for this server?
As I tried to explain before.. If your vpn user is coming in pfsense 1 and has a IP address of 192.168.2.x, for server to answer it will need to know to talk to pfsense 1 to talk to 192.168.2/? Or it will need to use pfsense 1 as its default gateway.
For vpn user to talk to pfsense 2, its lan rules will have to allow access from 192.168.2/? And it will need to know to get to back to 192.168.2.x it needs to talk to pfsense 1.
-
you told me to set a static route so 192.168.1.23 would reply vi vpn (192.168.1.1) instead of its default gateway (192.168.1.2)
I created that route, so the ping is working… but not other protocols, so is it not a firewall rule issue ? (shouldn't be since it's all local communications, even for the vpn)
maybe my setup is not right, but it looks pretty straightforward, am I missing something ?
apparently only ping modifies the usage of the static route
just found out in the doc, when using VPN, one should not use static routes but network definitions
https://doc.pfsense.org/index.php/Static_Routes
"Never add static routes for networks reachable via OpenVPN. Such routes are managed by OpenVPN itself using Remote Network definitions, not static routes."but it does not give more details…
-
The doc you mentioned is meant for VPN and static route on a unique node not on different ones.
However, yes, in your case the static route has to be set to each LAN host you want to reach to work properly. If these are only the mentioned two hosts this is not a big work.
-
Or outbound NAT on the 192.168.1.1 interface so connections from the VPN clients to LAN hosts masquerade as source IP 192.168.1.1. If you need to identify what OpenVPN client is making the connections you could use a range of IP addresses, VIPs, and 1:1 NAT.
-
sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1
works like a charm
so apparently pfsense2 receives the packets returning from 192.168.1.23
and cannot send them to the pfsense1 although a lan to lan full allowing rule is in place
not nice but efficient :-)
also I use a config pusher so in case of more machines I can still push that rule (I guess, gonna check that out)thanks for your wonderfull support everyone
