Netgate Discussion Forum

    Site-to-site

    OpenVPN
      johnied

      In the NAT rule the source should be any.

      Changed! Didn't notice that one.

      I am attaching from the client both the LAN rules and the client VPN interface.

      But how do I permit traffic between the two interfaces (LAN interface and VPN-assigned interface)?
      Thinking out loud, this could be the solution so that the CLIENT's LAN communicates with the SERVER's LAN.

      Of course this does not work the other way around, but it would be a start.

      Thank you.

      ![CLIENT LAN INTERFACE.png](/public/imported_attachments/1/CLIENT LAN INTERFACE.png)
      ![CLIENT VPN INTERFACE.png](/public/imported_attachments/1/CLIENT VPN INTERFACE.png)

        viragomann

        Traffic is permitted by filter rules on the Firewall > Rules > interface tab. The traffic is controlled on the incoming interface.
        So since you have a rule on the OpenVPN interface which allows any from any to any, all devices connected to this interface have access to anywhere. So this rule also permits access from the VPN server's LAN to the client's LAN.
        However, on the server's side this traffic is also controlled by rules on the LAN interface.

          johnied

          Yes, but since I have a LAN rule on both sides that allows any to any, with protocol any, why can't I ping the other network?

          Should I define any mysterious gateway perhaps?

            viragomann

            The gateways are already set by OpenVPN and are shown in the routing tables.

            I already suggested using packet capture for troubleshooting. For instance, take a capture on the client on the OpenVPN interface, set the protocol to ICMP, start it and try a ping from the server to a LAN host behind the client. After stopping you should see the packets. Then try a ping from a server-side LAN device. If you still see the packets, change the interface to LAN and check if you see the ping requests and the responses from the LAN device.

              johnied

              OK, while I was pinging from the server's LAN (pinging from the VPN interface works OK), I packet captured the client's VPN interface (ICMP only) and indeed I captured packets. But when I captured the LAN interface no packets were received.

              So in order to be clear:
              SERVER PING from VPN INTERFACE ---->CLIENT packet capture on VPN INTERFACE

              16:30:11.577687 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59656, length 8
              16:30:11.581641 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17796, length 8
              16:30:11.581667 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17796, length 8
              16:30:11.633149 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 59656, length 8
              16:30:12.078581 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59657, length 8
              16:30:12.080301 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17797, length 8
              16:30:12.080326 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17797, length 8
              16:30:12.250552 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 59657, length 8
              16:30:12.580604 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59658, length 8
              16:30:12.587870 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17798, length 8
              16:30:12.587892 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17798, length 8

              It seems to reply but my ping fails (100% PACKET LOSS)

              SERVER PING from LAN INTERFACE  ---->CLIENT packet capture on VPN INTERFACE

              18:07:04.700947 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 29354, length 8
              18:07:04.700969 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 29354, length 8
              18:07:04.820259 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 9629, length 8
              18:07:04.875810 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 9629, length 8

              Exactly the same. It seems to reply but ping fails.

              SERVER PING from LAN INTERFACE ---->CLIENT packet capture on LAN INTERFACE
              Nothing gets captured.

              SERVER PING from VPN INTERFACE ---->CLIENT packet capture on LAN INTERFACE
              Nothing gets captured.

              I am posting the LAN Firewall Rules on Client.

              So if the rules are allow all from any to any, any protocol, on the client's LAN, why can't I ping anything from the server's LAN to the client's LAN?
              What am I doing wrong here?

              ![PING problem.png](/public/imported_attachments/1/PING problem.png)

                johnied

                Of course I am not pinging VPN tunnel IPs but client's LAN IPs. This is not visible on the packet capture logs.

                  viragomann

                  I guess you have messed up your NAT.  ???
                  To illuminate this, please post all your NAT rules (port forwarding, 1:1, outbound) from server and client.

                    johnied

                    OK here are the attachments.
                    NPt and 1:1 are blank in both routers.

                    NAT is in Hybrid mode.

                    I am grateful for your time.
                    Thank you,

                    ![SERVER Port Fw and 1-1 and Outbound.png](/public/imported_attachments/1/SERVER Port Fw and 1-1 and Outbound.png)
                    ![CLIENT Port Fw and 1-1.png](/public/imported_attachments/1/CLIENT Port Fw and 1-1.png)
                    ![CLIENT Outbound.png](/public/imported_attachments/1/CLIENT Outbound.png)

                      viragomann

                      @johnied:

                      SERVER PING from LAN INTERFACE ---->CLIENT packet capture on VPN INTERFACE

                      18:07:04.700947 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 29354, length 8
                      18:07:04.700969 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 29354, length 8
                      18:07:04.820259 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 9629, length 8
                      18:07:04.875810 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 9629, length 8

                      If the source address of the ping is LAN, ICMP requests coming from 192.168.1.1 should be shown.
                      I can find no reason in your NAT rules why the address should be translated.

                      @johnied:

                      SERVER PING from VPN INTERFACE ---->CLIENT packet capture on VPN INTERFACE

                      16:30:11.577687 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59656, length 8
                      16:30:11.581641 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17796, length 8
                      16:30:11.581667 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17796, length 8
                      16:30:11.633149 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 59656, length 8
                      It seems to reply but my ping fails (100% PACKET LOSS)

                      This capture shows ping requests from the client to the server, not backwards.  ???

                      I think all the pings shown here come from gateway monitoring (dpinger). To get a feasible outcome you should deactivate gateway monitoring on the vpn GWs in System > Routing > Gateways and rerun the test.

                        johnied

                        OK, after disabling Gateway Monitoring (checked the box Disable Gateway Monitoring), and disabling the reverse test connection (server as client, client as server, different tunnel network), here are the results:

                        SERVER VPN INT to CLIENT VPN INT:
                        Nothing gets captured.

                        CLIENT VPN INT to SERVER VPN INT:
                        20:16:08.987196 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 0, length 64
                        20:16:08.987779 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 0, length 64
                        20:16:10.045360 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 1, length 64
                        20:16:10.045857 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 1, length 64

                        CLIENT LAN INT to SERVER VPN INT:
                        Nothing gets captured.

                        CLIENT VPN INT to SERVER LAN INT:
                        20:17:30.889581 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
                        20:17:30.889655 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192
                        20:17:33.177124 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 0, length 64
                        20:17:33.177610 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 0, length 64
                        20:17:34.236385 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 1, length 64
                        20:17:34.236938 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 1, length 64
                        20:17:35.297149 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 2, length 64
                        20:17:35.298138 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 2, length 64
                        20:17:35.957371 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
                        20:17:35.957446 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192

                        After that test I tried setting both outbound NATs to manual and deleting all the mappings. Then switched back to Hybrid NAT on both. Exactly the same results.

                        Of course I have backed up both, before deleting outbound NAT rules.

                          johnied

                          I am attaching the NAT rules now.

                          ![SERVER NAT.png](/public/imported_attachments/1/SERVER NAT.png)
                          ![CLIENT NAT.png](/public/imported_attachments/1/CLIENT NAT.png)

                            viragomann

                            It also matters where the captures are taken from, client or server, vpn or LAN?

                            @johnied:

                            CLIENT VPN INT to SERVER VPN INT:
                            20:16:08.987196 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 0, length 64
                            20:16:08.987779 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 0, length 64
                            20:16:10.045360 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 1, length 64
                            20:16:10.045857 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 1, length 64

                            This shows pings from the client's VPN interface to a server-side LAN device.

                            @johnied:

                            CLIENT VPN INT to SERVER LAN INT:
                            20:17:30.889581 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
                            20:17:30.889655 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192
                            20:17:33.177124 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 0, length 64
                            20:17:33.177610 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 0, length 64
                            20:17:34.236385 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 1, length 64
                            20:17:34.236938 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 1, length 64
                            20:17:35.297149 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 2, length 64
                            20:17:35.298138 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 2, length 64
                            20:17:35.957371 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
                            20:17:35.957446 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192

                            Same here. Were you pinging 192.168.1.201?

                              johnied

                              Yes, both LANs have a test machine always open and their IPs end with .201.
                              So for the client's LAN this is 192.168.0.201.
                              For the server's LAN, 192.168.1.201.

                              But I can't understand.
                              If NATs are back to default, gateways are normal, routes are normal, why can't I ping from one LAN to the other and vice versa?

                              This is getting so frustrating.

                              I even tried to set a Client Specific Override, but no luck.
                              I actually doubt that this was right, because my client's VPN int ended up getting 10.5.0.0 as an IP.  :'(

                              I am also attaching the server routes just in case you see something odd.

                              My priority right now is to be able to see client's net from server's net.
                              And I am too far from that.

                              Thanks again for your concern, I am really grateful.

                              ![Server Routes.png](/public/imported_attachments/1/Server Routes.png)

                                viragomann

                                That is the client's routing table, not the server's.

                                Unless you tell me where the packets were taken from, there is no way to interpret the captures correctly.

                                  johnied

                                  Yes I am sorry the client's routes.

                                  @viragomann:

                                  Unless you tell me where the packets were taken from, there is no way to interpret the captures correctly.

                                  What do you mean? I perform ICMP Diagnostics->Packet Capture on one router, and Diagnostics->Ping on the other router from the interfaces I describe in the header of every capture.

                                  What am I missing?

                                  From Server router Ping fails from every interface. VPN and LAN.

                                  From Client router Ping fails from LAN but succeeds from VPN interface.

                                  Something that occurred to me: both VPN interfaces (server and client) are using LAN as interface. Does this pose any threat?

                                    johnied

                                    Also when I run both site-to-site VPN connections, where in the first:
                                    A router is server, B router is client.
                                    And in the second (which was created for testing):
                                    A router is client, B router is server.

                                    Both routers behave the same. I can ping from the VPN interfaces to the other's LAN, but not from their LAN interfaces to the other LAN.

                                      viragomann

                                      @johnied:

                                      What do you mean? I perform ICMP Diagnostics->Packet Capture on one router, and Diagnostics->Ping on the other router from the interfaces I describe in the header of every capture.

                                      On which interface have you taken the capture? VPN?

                                      @johnied:

                                      Something that occurred to me: both VPN interfaces (server and client) are using LAN as interface. Does this pose any threat?

                                      ???
                                      @johnied:

                                      CLIENT VPN INT to SERVER VPN INT:
                                      20:16:08.987196 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 0, length 64
                                      20:16:08.987779 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 0, length 64
                                      20:16:10.045360 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 1, length 64
                                      20:16:10.045857 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 1, length 64

                                      This shows the client VPN IP pinging a server's LAN device.

                                      The same as here:
                                      @johnied:

                                      CLIENT VPN INT to SERVER LAN INT:
                                      20:17:30.889581 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
                                      20:17:30.889655 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192
                                      20:17:33.177124 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 0, length 64
                                      20:17:33.177610 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 0, length 64
                                      20:17:34.236385 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 1, length 64
                                      20:17:34.236938 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 1, length 64
                                      20:17:35.297149 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 2, length 64
                                      20:17:35.298138 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 2, length 64
                                      20:17:35.957371 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
                                      20:17:35.957446 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192

                                      Obviously taken on the server's LAN interface. I wonder why 192.168.1.2 is pinging the LAN at the same time.

                                        johnied

                                        @viragomann:

                                        Obviously taken on the server's LAN interface. I wonder why 192.168.1.2 is pinging the LAN at the same time.

                                        192.168.1.2 is just a wifi Access Point which checks if it has access to the gateway. It's not important. I should not have posted it.

                                        @viragomann:

                                        On which interface have you taken the capture? VPN?

                                        Both VPN interfaces and LAN interfaces. I clarify it in the line before the capture logs every time.

                                        @viragomann:

                                        This shows the client VPN IP pinging a server's LAN device.

                                        Yes, because I don't get any packets captured when I am pinging from the LAN interface.
                                        I only capture packets, when I am pinging from the VPN interface.
                                        And only from the client router.

                                        From the Server I can't ping from LAN or VPN interface. Both fail.

                                          johnied

                                          Ok, I think I am close to my goal.
                                          I dismissed the idea of Peer to Peer(SSL/TLS) and went on to create a Peer to Peer(Shared Key) connection.

                                          Now I can ping from the Client LAN to the Server LAN flawlessly.

                                          What I can't do is ping from the Server LAN to the Client LAN.

                                          I packet captured the client LAN interface when pinging from the server LAN interface and although I see the packet requests, there is no reply.

                                          The client packet capture logs on the LAN interface read:

                                          01:07:48.438501 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 0, length 64
                                          01:07:49.432827 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 1, length 64
                                          01:07:50.434429 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 2, length 64

                                          and I am attaching the server ping procedure that had the above as a result.

                                          This must be a NAT issue isn't that right?

                                          ![Server Ping.png](/public/imported_attachments/1/Server Ping.png)

                                            johnied
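As an added example (not from this thread, and not pfSense's own tooling), here is a small Python triage script for ICMP lines pasted from Diagnostics > Packet Capture. It pairs echo requests with replies and applies the checks viragomann used: endpoint-to-endpoint pings on the tunnel network are most likely dpinger gateway monitoring rather than the test ping, a ping "from LAN" must show the LAN address as its source, and requests that arrive with no reply (as in the capture just posted) point at a missing return route on the target. The tunnel prefix 10.5.0. and the sample capture lines are assumptions.

```python
import re

# tcpdump-style line as printed by pfSense Diagnostics > Packet Capture with the ICMP filter.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

# Verdict strings returned by classify_flows().
GW_MONITOR = "tunnel endpoint to tunnel endpoint: likely gateway monitoring (dpinger), not the test ping"
NO_REPLY = "requests arrive but nothing answers: the target has no return route to the source"
OK = "request/reply pairs complete"


def parse_capture(text):
    """Parse capture text into packet dicts; lines that are not ICMP echo are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts


def classify_flows(text, tunnel_net="10.5.0."):
    """Group packets into flows keyed by (requester, target, icmp id) and give each a verdict.
    tunnel_net is the OpenVPN tunnel prefix; 10.5.0. is an assumption taken from the thread."""
    flows = {}
    for p in parse_capture(text):
        if p["kind"] == "request":
            key = (p["src"], p["dst"], p["id"])
        else:  # a reply travels back to the requester, so swap src/dst to find its flow
            key = (p["dst"], p["src"], p["id"])
        f = flows.setdefault(key, {"requests": 0, "replies": 0, "pending": set()})
        if p["kind"] == "request":
            f["requests"] += 1
            f["pending"].add(p["seq"])
        else:
            f["replies"] += 1
            f["pending"].discard(p["seq"])
    result = {}
    for (src, dst, icmp_id), f in flows.items():
        if src.startswith(tunnel_net) and dst.startswith(tunnel_net):
            verdict = GW_MONITOR  # periodic endpoint-to-endpoint probes, as in the first captures above
        elif f["pending"]:
            verdict = NO_REPLY  # echo requests reached this interface but no reply came back
        else:
            verdict = OK
        result[(src, dst, icmp_id)] = {"requests": f["requests"], "replies": f["replies"],
                                       "unanswered": sorted(f["pending"]), "verdict": verdict}
    return result


def source_matches(text, expected_src):
    """True if some echo request came from expected_src: a ping "from LAN" must carry the LAN address."""
    return any(p["kind"] == "request" and p["src"] == expected_src for p in parse_capture(text))


# Constructed sample captures, shaped like the thread's output (values made up).
TUNNEL_ONLY = """\
16:30:11.577687 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 100, length 8
16:30:11.633149 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 100, length 8
16:30:12.078581 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 101, length 8
16:30:12.250552 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 101, length 8
"""
LAN_NO_REPLY = """\
01:07:48.438501 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 0, length 64
01:07:49.432827 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 1, length 64
01:07:50.434429 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 2, length 64
"""

if __name__ == "__main__":
    for name, cap in (("tunnel capture", TUNNEL_ONLY), ("LAN capture", LAN_NO_REPLY)):
        print(name, "- request sourced from 192.168.1.1 seen:", source_matches(cap, "192.168.1.1"))
        for (src, dst, icmp_id), info in classify_flows(cap).items():
            print(f"  {src} -> {dst} id {icmp_id}: {info['requests']} req / {info['replies']} reply,"
                  f" unanswered {info['unanswered']}: {info['verdict']}")
```

Paste the capture text from the packet capture page into the script (or a file read into the same functions) and compare the source addresses and verdicts with the interface you pinged from.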

                                            I can ping from Server LAN only the Client's LAN IP.
                                            I cannot ping any other device on the Network.

                                            Since the client's router is not the gateway of the whole network, yes, I tried adding an Outbound NAT rule like the one in the attached image.

                                            No luck however.

                                            If the client VPN is running on a Wan interface and not on a LAN, should the NAT rule use the WAN or the LAN interface?

                                            ![NAT rule client.png](/public/imported_attachments/1/NAT rule client.png)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.