Netgate Discussion Forum

    HOWTO: Pfsense 2.0.1 - OpenVPN Site 2 MultiSite PKI

    OpenVPN
josemaX

      Hello

I followed this and I have my site-to-site running, but I have a problem I'm unable to resolve.

I can access the server side from the client side, but not the client computers from the server side (not even ping).

I've checked the rules, etc., and can't find the solution.

If I SSH from the server side to the client-side OpenVPN IP (10.0.10.6), I get an SSH session from a server-side computer into the client-side pfSense box, so it's working, but I can't access the LAN.

Does anyone know what I am missing?

      TIA

      Best

phil.davis

        On the server side, does pfSense have a route to the client LAN (Diagnostics->Routes)?
        What happens when you traceroute to a client LAN device? Where do the responses stop?
Is the client-end pfSense the main router for the client LAN? (If yes, then the clients should have it as their default gateway and should work. If no, then the clients need to know the route back, or the main client router needs to know the route to the pfSense.)
        Does the client pfSense have firewall rule/s on OpenVPN allowing the incoming traffic?
        Do the LAN clients have a firewall preventing ping/traceroute?
        If you are really stuck finding the error, post OpenVPN configs and rules and details of what the client machines are. Someone can spot the missing piece of the puzzle…

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

josemaX

Hello Phil, thanks for your answer. Below are the replies.
          @phil.davis:

          On the server side, does pfSense have a route to the client LAN (Diagnostics->Routes)?

~~No, I don't see it on the server side, but I do on the client side; I think it is the one that says:

Dest: 172.16.0.0/21 - Gw: 10.0.10.5 - UGS - 0 - 320 - 1500 - Netif: ovpnc1

Really? How do I get the one on the server side?~~

          UPDATE:

I got the route on the server side by changing the Advanced configuration to this format:

          route 192.168.235.0 255.255.255.0;push "route 172.16.0.0 255.255.248.0";

As I found in: http://forum.pfsense.org/index.php/topic,12888.0.html

          I have

          Dest: 192.168.235.0/24 - Gw: 10.0.10.2 - UGS - 0 - 0 - 1500 - Netif: ovpns1

          But still no ping or connectivity from server to client side.

          What happens when you traceroute to a client LAN device? Where do the responses stop?

          This: it goes nowhere…

          traceroute 192.168.235.150

          traceroute to 192.168.235.150 (192.168.235.150), 30 hops max, 60 byte packets
          1  * * *
          2  * * *
          [Trimmed….]
          29  * * *
          30  * * *

Is the client-end pfSense the main router for the client LAN? (If yes, then the clients should have it as their default gateway and should work. If no, then the clients need to know the route back, or the main client router needs to know the route to the pfSense.)

Yes, it is.

          Does the client pfSense have firewall rule/s on OpenVPN allowing the incoming traffic?

Yes, on the OpenVPN tab, an accept rule:

          Pass / Not disabled /OpenVPN / Proto: Any / Source: Any / Dest: Any

          Do the LAN clients have a firewall preventing ping/traceroute?

I think not, because I can ping them from the client-side pfSense shell. Also, I ran a network scan from the server side to the client subnet with Nmap and found nothing. And I know there are some computers with open services (MySQL, RDP, etc.) that are not accessible from the server side.

          If you are really stuck finding the error, post OpenVPN configs and rules and details of what the client machines are. Someone can spot the missing piece of the puzzle…

If you think it's necessary given the info I wrote before, I can collect it, of course…

          Thanks again,

          Best,

phil.davis

            The traceroute should at least get a 1st hop reply from its local (server-side) pfSense.
            Can you traceroute to 10.0.10.2 (client end of OpenVPN link)?
            Maybe there is a firewall rule on the server-side pfSense LAN that is blocking traffic to the client-side LAN (192.168.235.0/24)?


josemaX

              @phil.davis:

              The traceroute should at least get a 1st hop reply from its local (server-side) pfSense.
              Can you traceroute to 10.0.10.2 (client end of OpenVPN link)?
              Maybe there is a firewall rule on the server-side pfSense LAN that is blocking traffic to the client-side LAN (192.168.235.0/24)?

              Hello

Thanks to your post I've solved it. I'll explain how; perhaps it helps someone, or you can tell me the right solution if I am wrong.

I reviewed my LAN rules and "noted" that the last one is the one that permits traffic (before it there are some limiters, etc.), BUT I have a failover balancer (3 providers: WAN, OPT1 and OPT2).

              Proto: * / Src: LAN / Port: * / Dst: * / GW: FailoverWANOPT1OPT2

I guessed this was the problem, so I created a rule at the very top that says:

              Proto: * / Src: LAN / Port: * / Dst: 192.168.235.0/24 / GW: *

              After this, it works!

Is this the right solution, or is there another one?

phil.davis

Yes, the policy routing to a gateway group was explicitly directing general traffic to the WAN links in the gateway group. The ping to the OpenVPN tunnel remote end worked because it is seen as a locally-connected subnet, and so is delivered directly without the policy-routing rule getting a chance to have effect.
                I like to make an alias for all my internal intranet address space (e.g. if I have all my internal addresses broken up within 10.42.0.0/16 then make an alias "Company-Intranet" for that whole "super-net"). Then on OpenVPN I can pass all with source "Company-Intranet", destination "Company-Intranet" if I just want to let all internal traffic flow. On policy routing to the external internet I can use source LANnet destination !"Company-Intranet" - that avoids accidentally pushing internal network packets out to the external internet.


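The behaviour phil.davis describes above, as an added example that is not part of the thread: a small Python model of pfSense's top-down, first-match LAN rules combined with a longest-prefix lookup in the routing table. The addresses (server LAN 172.16.0.0/21, client LAN 192.168.235.0/24, tunnel 10.0.10.0/24 with the remote end at 10.0.10.2), the poster's gateway-group name FailoverWANOPT1OPT2 and the Company-Intranet alias are taken from the posts; the routing-table entries are reconstructed from the table the poster quoted; the rule that policy routing is skipped for directly connected subnets is modelled after phil.davis's explanation; the internet address 198.51.100.7 is a constructed documentation address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

CONNECTED = "connected"

# Server-side routing table after "route 192.168.235.0 255.255.255.0" was added
# to the OpenVPN server (reconstructed from the table quoted in the thread).
ROUTES = [
    ("172.16.0.0/21", CONNECTED, "LAN"),
    ("10.0.10.0/24", CONNECTED, "ovpns1"),
    ("192.168.235.0/24", "10.0.10.2", "ovpns1"),
    ("0.0.0.0/0", "WAN_GW", "WAN"),
]
# The same table before that route existed: the remote LAN falls to the default route.
ROUTES_NO_REMOTE = [r for r in ROUTES if r[0] != "192.168.235.0/24"]

# Alias covering the whole internal address space, as phil.davis suggests
# (the member list is an assumption for this example).
ALIASES = {
    "Company-Intranet": ["172.16.0.0/21", "192.168.235.0/24", "10.0.10.0/24"],
}


@dataclass
class Rule:
    name: str
    src: str                       # "any", a CIDR or an alias name; a "!" prefix negates
    dst: str
    gateway: Optional[str] = None  # None: routing table decides; else policy-route here


def matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """pf-style address match with alias expansion and '!' negation."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = ALIASES.get(spec.lstrip("!"), [spec.lstrip("!")])
    hit = any(addr in ipaddress.ip_network(n) for n in nets)
    return hit != negate


def first_match(rules, src: str, dst: str) -> Optional[Rule]:
    """Interface rules are evaluated top-down; the first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r.src, s) and matches(r.dst, d):
            return r
    return None


def route_lookup(dst: str, routes=ROUTES):
    """Longest-prefix match over the system routing table: (net, gateway, iface)."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def egress(rules, src: str, dst: str, routes=ROUTES) -> str:
    """Where a LAN packet ends up: the gateway group name if policy routing
    captured it, the egress interface if the routing table decided, or
    "blocked" if no rule passed it."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"
    _, gw, iface = route_lookup(dst, routes)
    # Modelled on the thread's explanation: policy routing does not apply to
    # directly connected subnets, which is why the tunnel endpoint stayed reachable.
    if rule.gateway and gw != CONNECTED:
        return rule.gateway
    return iface


LAN = "172.16.0.0/21"
FAILOVER = "FailoverWANOPT1OPT2"

# 1. The poster's original LAN rule set: everything policy-routed to the gateway group.
BROKEN = [Rule("lan-to-any via failover", LAN, "any", gateway=FAILOVER)]

# 2. The poster's fix: a specific rule above it with the gateway left at default.
FIX_SPECIFIC = [Rule("remote LAN via routing table", LAN, "192.168.235.0/24")] + BROKEN

# 3. phil.davis's alias approach: intranet-to-intranet passes with no gateway set;
#    only traffic that is NOT intranet is policy-routed to the WAN group.
FIX_ALIAS = [
    Rule("intranet to intranet", "Company-Intranet", "Company-Intranet"),
    Rule("internet via failover", LAN, "!Company-Intranet", gateway=FAILOVER),
]

if __name__ == "__main__":
    host, remote, tunnel_end, internet = "172.16.0.10", "192.168.235.150", "10.0.10.2", "198.51.100.7"
    for label, rules in (("BROKEN", BROKEN), ("FIX_SPECIFIC", FIX_SPECIFIC), ("FIX_ALIAS", FIX_ALIAS)):
        print(label, "remote LAN ->", egress(rules, host, remote),
              "| tunnel end ->", egress(rules, host, tunnel_end),
              "| internet ->", egress(rules, host, internet))
    print("FIX_SPECIFIC without the server-side route ->",
          egress(FIX_SPECIFIC, host, remote, ROUTES_NO_REMOTE))
```

Running it reproduces both halves of the thread: with BROKEN the remote LAN goes to the gateway group while the tunnel endpoint still answers, and with FIX_SPECIFIC but no server-side route (ROUTES_NO_REMOTE) the packet leaves via WAN, which is the state the poster was in before adding the "route" line. The negated alias in FIX_ALIAS is the safer default because a new internal subnet only has to be added to the alias, not to every policy-routing rule.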
josemaX

                  @phil.davis:

Yes, the policy routing to a gateway group was explicitly directing general traffic to the WAN links in the gateway group. The ping to the OpenVPN tunnel remote end worked because it is seen as a locally-connected subnet, and so is delivered directly without the policy-routing rule getting a chance to have effect.
                  I like to make an alias for all my internal intranet address space (e.g. if I have all my internal addresses broken up within 10.42.0.0/16 then make an alias "Company-Intranet" for that whole "super-net"). Then on OpenVPN I can pass all with source "Company-Intranet", destination "Company-Intranet" if I just want to let all internal traffic flow. On policy routing to the external internet I can use source LANnet destination !"Company-Intranet" - that avoids accidentally pushing internal network packets out to the external internet.

Very good idea, I'll implement it.

                  Thanks again

                  Best,

dynamite1982

I have more than one DC. I'm just giving a basic map of what I'm trying to do. Forget about what the internal network is doing and whether I should need more equipment.

I just need to be able to extend the LAN as explained, but so that all locations can communicate with each other and still be on the same LAN network. As I said, I had it set up and each one can communicate with the main, which is the OpenVPN server, and the main can talk to all, but the others need to talk to each other as well.

doktornotor

                      @dynamite1982:

I have more than one DC. I'm just giving a basic map of what I'm trying to do. Forget about what the internal network is doing and whether I should need more equipment.

I just need to be able to extend the LAN as explained, but so that all locations can communicate with each other and still be on the same LAN network. As I said, I had it set up and each one can communicate with the main, which is the OpenVPN server, and the main can talk to all, but the others need to talk to each other as well.

                      Wrong thread, dude. Plus, you will break everything with overlapping nets on multiple sites. Drop this horrible idea.

azizth

                        Hello,

I followed the steps, everything is clear and working, thank you very much!!
I have just one problem: is intra-client communication possible?
Client 192.168.2.1 -----> communication OK with Server 192.168.1.1
Client 192.168.3.1 -----> communication OK with Server 192.168.1.1
Client 192.168.2.1 -----> communication NOT OK with client 192.168.3.1

                        Thank you

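The server-side OpenVPN routing that a multi-site PKI setup like azizth's needs, added here as an example and not taken from the HOWTO or from any post in the thread. It uses azizth's three subnets (server LAN 192.168.1.0/24, client LANs 192.168.2.0/24 and 192.168.3.0/24); the tunnel subnet 10.0.10.0/24, the certificate common names site-b and site-c and the client-config-dir path are assumptions. In standard OpenVPN the `route` directive gives the server kernel a route into the tunnel, while the per-client `iroute` tells the OpenVPN process which connected client owns that subnet; a PKI server needs both, and in pfSense the per-client part lives in the Client Specific Overrides entry for that certificate's common name.

```conf
# --- server.conf fragment (constructed example) ---
server 10.0.10.0 255.255.255.0
client-config-dir /var/etc/openvpn/ccd      # assumed path; pfSense generates these from Client Specific Overrides

# Kernel routes on the server for each client LAN, pointing into the tunnel.
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0

# Every client learns the route to the server LAN.
push "route 192.168.1.0 255.255.255.0"

# --- ccd/site-b (client whose certificate CN is "site-b") ---
# iroute: this client owns 192.168.2.0/24 inside OpenVPN's own routing table.
iroute 192.168.2.0 255.255.255.0
# This client also needs a route to the other site's LAN, pushed only to it.
push "route 192.168.3.0 255.255.255.0"

# --- ccd/site-c (client whose certificate CN is "site-c") ---
iroute 192.168.3.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
```

Two checks worth making when site-b still cannot reach site-c. First, the `iroute` must match the client's LAN exactly; without it OpenVPN logs "MULTI: bad source address from client" and drops packets arriving from that LAN, even though the kernel route exists. Second, `client-to-client` is deliberately absent: with it, OpenVPN forwards traffic between clients internally and pf never sees it, so the firewall rules on the OpenVPN tab would not apply to site-b to site-c traffic. Leaving it off sends that traffic through the tun interface, where the OpenVPN-tab rules are enforced, so a pass rule covering both client LANs (the Company-Intranet alias from phil.davis's post fits here) is required and is the only thing that should need adding. Note that the pushed routes do not include a client's own LAN; pushing a client its own subnet through the tunnel would conflict with its directly connected route.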
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.