Net30 Topology: No incoming traffic
-
Hello,
I'm trying to connect to a remote network via OpenVPN from a pfSense machine.
The address space of the remote net is 10.66.22.0/24, the OpenVPN Server provides a net30 topology with addresses 192.168.101.201 (VPN Server) and 192.168.101.202 (pfSense).
I use route-nopull in the client config to override the routes provided by the server and set a route manually:
route 10.66.22.0 255.255.255.0
The whole client config is:
client
dev tun
proto tcp
remote server.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cert.crt
key client.key
comp-lzo
verb 3
route-nopull
topology net30
route 10.66.22.0 255.255.255.0
Connecting and authentication work fine, and the route is also set correctly:
[2.3.4-RELEASE][user@PFSense.default.net]/home/user: route get 10.66.22.101
route to: 10.66.22.101
destination: 10.66.22.0
mask: 255.255.255.0
gateway: 192.168.101.201
fib: 0
interface: ovpnc1
flags: <UP,GATEWAY,DONE,STATIC>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1500 1 0
But pings to that host are not being answered; at least the answer does not reach the ovpnc1 interface.
I tried the same setup with my linux laptop, which works fine, pings are being answered and other traffic is handled correctly as well.
The openvpn log in pfSense does not reveal anything unusual and when comparing the traffic on the tun devices during ping (laptop vs. pfsense), the only difference is
that there are answers on the laptop.
The requests seem to be equal (src 192.168.101.202 and dest 10.66.22.101). I only use one of the two VPN clients at a time.
Unfortunately, I have access to neither the OpenVPN server nor the remote (10.66.22.0) network.
Do I have to add some special firewall rules on the pfSense machine?
Thanks in advance for any advice!
-
How did you try the ping?
Try a ping from pfSense: Diagnostics > Ping with the default source.
-
Hello,
Unfortunately this gives the same result (100% packet loss) as from the command line, regardless of the source address I choose.
-
Have you set outbound NAT rules for the VPN clients interface or did pfSense set them automatically?
Please post a screenshot if you're not sure.
-
No, there are no VPN related NAT outbound rules. (Automatic outbound NAT rule generation)
There are only two WAN autogenerated rules, with source 127.0.0.0/8.
Are outbound NAT rules required? At the moment, the pfSense machine is not yet used as a router, and I try to access the remote network from the pfSense machine directly.
-
Have you even assigned an interface to the vpn client?
-
yes
edit: there are two interfaces, WAN and LAN.
The pfsense machine lies in a microsoft azure network.
The WAN interface is connected to the cloud network and the LAN interface is assigned to the OpenVPN client.
-
> the LAN interface is assigned to the OpenVPN client.
What does this mean?
You're running an OpenVPN client on pfSense, right?
So you have to assign an interface to the OpenVPN client instance.
Interfaces > assign
select the OpenVPN client instance (e.g. ovpnc1) and hit Add
Open the new interface and enable it; you may also assign a custom name, and save it.
By default pfSense generates outbound NAT rules automatically when you do that.
-
> You're running an OpenVPN client on pfSense, right?
> So you have to assign an interface to the OpenVPN client instance.
> Interfaces > assign
> select the OpenVPN client instance (e.g. ovpnc1) and hit Add
> Open the new interface and enable it; you may also assign a custom name, and save it.
Yes, this is what I did.
I deleted and recreated the interface as you described to be sure.
But no outbound NAT rules are generated.
-
So add them yourself.
Switch the outbound NAT rule generation mode to Hybrid.
Then add rules on the OpenVPN client's interface for the LAN network and for pfSense itself, comparable to the existing ones for WAN.
One with
interface = <OpenVPN client interface>
source = LAN net
Other options at the default values.
A second with
interface = <OpenVPN client interface>
source = 127.0.0.0/8
-
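For readers who want to see what those two hybrid-mode rules correspond to at the packet-filter level, here they are written out in pf's own rule syntax. This is an added illustration, not something generated by pfSense or posted in this thread; pfSense builds its real ruleset from the GUI settings. The interface name ovpnc1 and the 10.0.0.0/24 LAN network are assumed placeholders.

```pf
# Added illustration of the two outbound NAT rules suggested above, in pf syntax.
# ovpnc1 and 10.0.0.0/24 are assumed placeholders; pfSense writes its own rules
# from the GUI, so this is only the pf-level equivalent, not pfSense output.

# Rule 1: traffic from the LAN network leaving through the OpenVPN client
# interface is translated to that interface's tunnel address ("(ovpnc1)"
# resolves to the interface address at runtime).
nat on ovpnc1 inet from 10.0.0.0/24 to any -> (ovpnc1) port 1024:65535

# Rule 2: the same treatment for locally originated traffic (127.0.0.0/8),
# mirroring the WAN rule that pfSense generates automatically.
nat on ovpnc1 inet from 127.0.0.0/8 to any -> (ovpnc1) port 1024:65535
```

After saving the hybrid rules, `pfctl -sn` lists the NAT rules that are actually loaded, which is a quick way to confirm that the new entries made it into the running ruleset; `tcpdump -ni ovpnc1 icmp` on the tunnel interface then shows whether the echo requests leave with the tunnel address as source and whether any replies come back.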
Okay, by LAN net you mean the local network of my pfSense machine?
Because LAN is also the name of the interface which is associated with the VPN, while the interface called "WAN" is associated with the local network (confusing, I know..)
I attached a screenshot of the current configuration.
-
Yes, pfSense uses this notation. "LAN net" is the network assigned to the LAN interface in firewall rules. In the outbound NAT rules the network has to be entered manually.
However, the network in that rule has to be the one from which you want to access the devices behind the VPN (the internal network, obviously the WAN network in your case).
If you're accessing from the WAN interface, ensure that you've unchecked "block private networks" in the WAN interface settings and that you have a firewall rule in place on the WAN interface to permit the access.
-
Hmm, even with rules that allow everything, still no success..