Netgate Discussion Forum
    Site to site problem

    OpenVPN
    5 Posts 3 Posters 1.4k Views
    jmarc

      Hello,

      I've set up a site-to-site OpenVPN.

      pfSense 2.3.1

      Main office has a static IP
      Main office IP range 192.168.175.0/24
      Remote office has a static IP
      Remote office IP range 192.168.185.0/24

      Setup the server on the main office with the following settings
      Protocol: UDP
      port: 1195
      Shared key
      IPv4 tunnel Network: 192.168.177.0/24
      IPv4 Remote Network: 192.168.185.0/24

      Setup client on remote site with the following settings
      Protocol: UDP
      Server host: static IP from main office
      port: 1195
      Shared key
      IPv4 tunnel network: 192.168.177.0/24
      IPv4 Remote Network: 192.168.175.0/24

      Remote site can connect to resources on Main office (ping, smb, ftp…)
      Main office cannot ping or connect to remote office's network

      Opened port 1195 in the OpenVPN rules on both sides

      What am I missing here?

      Thanks

        praecorloth

        A route (or lack thereof) on the remote office side? Is pfSense the default gateway for machines in the remote office? If not, does the actual default gateway have a route pointing traffic for 192.168.175.0/24 over to your pfSense box? Make sure to check the resources in the remote office. Sometimes people get creative with "security" and don't assign a default gateway to servers/devices that shouldn't be accessing the Internet.

        I would also do a packet capture on the remote office pfSense to verify that the packets from the main office are indeed getting that far. Then a packet capture on a resource as you attempt to access it from the main office.

          Derelict (LAYER 8, Netgate)

          You don't open the OpenVPN port on the OpenVPN rules. You pass the traffic you want to allow from the Remote Networks coming in through the tunnel.

          You need to pass the UDP/1195 on the Server's WAN so the client can connect to the server to establish the tunnel. This has obviously been done or the tunnel would not be coming up.

          You might want to start with rules like this on both sides.

          If you do that and still can't contact hosts on one side, it is probably the local firewall on the target host (i.e. Windows Firewall).

          ![Screen Shot 2016-07-15 at 12.02.23 AM.png](/public/imported_attachments/1/Screen Shot 2016-07-15 at 12.02.23 AM.png)

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            jmarc

            Now I'm getting a bit further.

            Remote office can access head office's resources except for the FreePBX IAX2 trunk

            Head office can access some resources. Here's what's still not working or working.

            Head office can connect to remote office's pfSense GUI 192.168.185.1
            Head office can't connect to remote office's FreePBX (185.8) or OpenMediaVault (185.49)
            Remote office can connect to head office's FreePBX and pfSense GUI.

            I can see in the firewall logs that my PC 192.168.175.50:52764 passes to the FreePBX web GUI 192.168.185.80:80

            Thanks

            ![Remote Lan rules.png](/public/imported_attachments/1/Remote Lan rules.png)
            ![Remote openvpn rules.png](/public/imported_attachments/1/Remote openvpn rules.png)

              jmarc

              I've run Wireshark on my system and the "expert" information shows a reassembly error, protocol TCP.

              Attached some screenshots

              Also, a packet capture between the two FreePBX boxes shows a bad checksum only from the remote site to the head office.

              192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0xe996 -> 0xb1ab!] UDP, length 14

              192.168.175.21.4569 > 192.168.185.8.4569: [udp sum ok] UDP, length 14

              ![Wireshark capture.png](/public/imported_attachments/1/Wireshark capture.png)
              Expert.png

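The two capture lines above show a pattern worth checking before treating "bad udp cksum" as a network fault: when tcpdump runs on the sending host, the NIC fills in the UDP checksum after libpcap has already copied the frame (checksum offload), so outgoing packets look corrupt while incoming ones verify fine. The following is an added example, not code from the thread or from pfSense, that parses tcpdump lines in the quoted format, tallies good and bad checksums per direction, and separates that offload artifact from corruption seen on packets the capture host received; the sample lines are constructed and the capture-host address is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump -vv format quoted in the post above.
# 192.168.185.8 is the remote-office FreePBX, 192.168.175.21 the head-office one.
SAMPLE_CAPTURE = """\
192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0xe996 -> 0xb1ab!] UDP, length 14
192.168.175.21.4569 > 192.168.185.8.4569: [udp sum ok] UDP, length 14
192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0x1234 -> 0x5678!] UDP, length 14
192.168.175.21.4569 > 192.168.185.8.4569: [udp sum ok] UDP, length 14
"""

# "src.sport > dst.dport: [bad udp cksum X -> Y!]" or "[udp sum ok]"
LINE_RE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"\[(?P<cksum>bad udp cksum[^\]]*|udp sum ok)\]"
)


def parse_capture(text):
    """Yield (src, dst, is_bad) for every UDP line tcpdump printed with a checksum verdict."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not UDP verdicts (ARP, TCP, noise) are skipped
            yield m["src"], m["dst"], m["cksum"].startswith("bad")


def checksum_summary(text):
    """Count ok/bad UDP checksums per (src, dst) direction."""
    counts = defaultdict(lambda: {"ok": 0, "bad": 0})
    for src, dst, is_bad in parse_capture(text):
        counts[(src, dst)]["bad" if is_bad else "ok"] += 1
    return dict(counts)


def classify(summary, capture_host):
    """Label each direction given which host the capture was taken on (assumed input).

    Bad checksums only on frames *sent by* the capture host are the offload artifact;
    bad checksums on frames the capture host *received* were really corrupted in transit.
    """
    verdicts = {}
    for (src, dst), c in summary.items():
        if c["bad"] == 0:
            verdicts[(src, dst)] = "ok"
        elif src == capture_host:
            verdicts[(src, dst)] = "offload-artifact"
        else:
            verdicts[(src, dst)] = "corrupted-in-transit"
    return verdicts


if __name__ == "__main__":
    summary = checksum_summary(SAMPLE_CAPTURE)
    for direction, verdict in classify(summary, "192.168.185.8").items():
        print(f"{direction[0]} -> {direction[1]}: {verdict} {summary[direction]}")
```

If the same capture shows bad checksums once `-K` (skip checksum verification) or a capture from a third host such as the pfSense box confirms them, the corruption is real; otherwise the IAX2 trunk problem lies elsewhere, for example in the firewall rules on the OpenVPN tab or on the FreePBX hosts themselves.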