[SOLVED] OpenVPN Remote Access | pfSense Access | LAN not accessible
-
OpenVPN Remote Access | pfSense Access | LAN not Connecting
Good afternoon,
Environment:
pfSense 2.3.4-RELEASE (amd64)
Installed on VMware ESXi 5.5
Number of WAN interfaces = 2
3 OpenVPN sites
01 = Affiliate peer to peer, port 1190
02 = Affiliate peer to peer, port 1180
03 = Remote Access, port 1194
IP LAN = 192.168.0.0/24
IP pfSense = 192.168.0.254
IP Tunnel OpenVPN 03 = 192.168.100.0/29
IP got at the OpenVPN connection = 192.168.100.2
PS: I had followed many tutorials, including this one: https://forum.pfsense.org/index.php?topic=129834.0
I have a small issue: I had set up an OpenVPN client connection, I got connected to it, I got an IP from it (192.168.100.2), and I can access the web interface and get a ping response from pfSense (192.168.0.254), but I can't access the local network (192.168.0.0/24).
It has 2 WAN interfaces, and all settings are on the first WAN (Firewall Rules, OpenVPN, NAT). Must I set a route for it?
PS: 2 site-to-site OpenVPN connections are already working correctly, and I didn't set any route.
PS²: Looking at the firewall logs, it is being accepted; there is nothing being blocked.
In Firewall rules there is a rule allowing the VPN network to access the local network, no restriction: IPv4 * * to LAN net.
Looking at the rule logs:
Interface  Protocol  Source               ->  Destination       State              Packets  Bytes
ovpns3     udp       192.168.100.2:10046  ->  192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    65 B / 0 B
ovpns3     udp       192.168.100.2:13670  ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    65 B / 0 B
ovpns3     udp       192.168.100.2:29634  ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    64 B / 0 B
ovpns3     udp       192.168.100.2:30177  ->  192.168.0.60:53   NO_TRAFFIC:SINGLE  1 / 0    59 B / 0 B
ovpns3     udp       192.168.100.2:30640  ->  192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    64 B / 0 B
ovpns3     udp       192.168.100.2:6678   ->  192.168.0.50:53   NO_TRAFFIC:SINGLE  1 / 0    59 B / 0 B
OpenVPN Settings
General Information
Server mode: Remote Access (SSL/TLS + User Auth)
Backend for authentication: Active Directory
Protocol: UDP
Device mode: TUN
Interface: WAN1
Local Port: 1194
Cryptographic Settings
TLS authentication: checked
Peer Certificate Authority: CA_OpenVPN
Server certificate: Cert_OpenVPN_Server
DH Parameter length (bits): 2048
Encryption Algorithm: AES-256-CBC
Auth digest algorithm: SHA256
Hardware Crypto: No
Certificate Depth: One (Client+Server)
Strict User-CN Matching: Unchecked
Tunnel Settings
IPv4 Tunnel Network: 192.168.100.0/29
IPv6 Tunnel Network: -
Redirect Gateway: Unchecked
IPv4 Local network(s): 192.168.0.0/24
IPv6 Local network(s): -
Concurrent connections:
Compression: Enabled, Adaptive
Type-of-Service: checked
Inter-client communication: Unchecked
Duplicate Connection: Unchecked
Disable IPv6: checked
Client Settings
Dynamic IP: checked
Address Pool: checked
Topology: Subnet -- One IP Address per client in a common Subnet
Advanced Client Settings
DNS Default Domain: checked
DNS Default Domain: mydomain
DNS Server enable: checked
DNS Server 1: 192.168.0.60
DNS Server 2: 192.168.0.50
Block Outside DNS: Unchecked
Force DNS cache update: Unchecked
NTP Server enable: Unchecked
NetBIOS enable: Unchecked
Enable custom port: Unchecked
Advanced Configuration: No change
I took a packet capture.
Packet Capture Options
Interface: OpenVPN_Client
Promiscuous: Unchecked
Address Family: any
Protocol: any
Host Address: -
Port: -
Packet Length: 0
Count: 100
Level of detail: Normal
Reverse DNS Lookup: Unchecked
Packets Captured
10:45:44.004702 IP 192.168.100.2.46499 > 192.168.0.60.53: UDP, length 37
10:45:48.654349 IP 192.168.100.2.40236 > 192.168.0.60.53: UDP, length 36
10:45:48.671845 IP 192.168.100.2.38575 > 192.168.0.60.53: UDP, length 39
10:45:48.835013 IP 192.168.100.2.1318 > 192.168.0.60.53: UDP, length 33
10:45:49.009172 IP 192.168.100.2.60921 > 192.168.0.50.53: UDP, length 37
10:45:51.245159 IP 192.168.100.2.57456 > 192.168.0.60.53: UDP, length 37
10:45:53.661205 IP 192.168.100.2.61035 > 192.168.0.50.53: UDP, length 36
10:45:53.674875 IP 192.168.100.2.37177 > 192.168.0.50.53: UDP, length 39
10:45:53.841873 IP 192.168.100.2.38436 > 192.168.0.50.53: UDP, length 33
10:45:54.026358 IP 192.168.100.2.46499 > 192.168.0.60.53: UDP, length 37
10:45:56.253528 IP 192.168.100.2.63759 > 192.168.0.50.53: UDP, length 37
10:45:58.638449 IP 192.168.100.2.48402 > 192.168.0.60.53: UDP, length 38
10:45:58.682023 IP 192.168.100.2.40236 > 192.168.0.60.53: UDP, length 36
10:45:58.682116 IP 192.168.100.2.38575 > 192.168.0.60.53: UDP, length 39
10:45:58.863800 IP 192.168.100.2.1318 > 192.168.0.60.53: UDP, length 33
10:45:59.015410 IP 192.168.100.2.60921 > 192.168.0.50.53: UDP, length 37
10:46:01.249763 IP 192.168.100.2.57456 > 192.168.0.60.53: UDP, length 37
10:46:03.630210 IP 192.168.100.2.2047 > 192.168.0.50.53: UDP, length 38
10:46:03.669477 IP 192.168.100.2.61035 > 192.168.0.50.53: UDP, length 36
10:46:03.681827 IP 192.168.100.2.37177 > 192.168.0.50.53: UDP, length 39
10:46:03.857357 IP 192.168.100.2.38436 > 192.168.0.50.53: UDP, length 33
10:46:04.028139 IP 192.168.100.2.57515 > 192.168.0.60.53: UDP, length 37
10:46:06.256763 IP 192.168.100.2.63759 > 192.168.0.50.53: UDP, length 37
10:46:08.030200 IP 192.168.100.2.40177 > 192.168.0.60.53: UDP, length 39
10:46:08.675615 IP 192.168.100.2.48402 > 192.168.0.60.53: UDP, length 38
10:46:08.684214 IP 192.168.100.2.34894 > 192.168.0.60.53: UDP, length 36
10:46:08.687934 IP 192.168.100.2.55661 > 192.168.0.60.53: UDP, length 39
10:46:08.858353 IP 192.168.100.2.34322 > 192.168.0.60.53: UDP, length 33
10:46:09.025574 IP 192.168.100.2.50621 > 192.168.0.50.53: UDP, length 37
10:46:11.033067 IP 192.168.100.2.46173 > 192.168.0.60.53: UDP, length 37
10:46:11.252529 IP 192.168.100.2.53998 > 192.168.0.60.53: UDP, length 37
10:46:11.252562 IP 192.168.100.2.51758 > 192.168.0.60.53: UDP, length 37
10:46:11.252596 IP 192.168.100.2.59832 > 192.168.0.60.53: UDP, length 37
10:46:11.257781 IP 192.168.100.2.44323 > 192.168.0.60.53: UDP, length 37
10:46:11.292618 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:11.549996 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
10:46:12.292619 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:12.546085 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
10:46:13.037521 IP 192.168.100.2.44615 > 192.168.0.50.53: UDP, length 39
10:46:13.656319 IP 192.168.100.2.2047 > 192.168.0.50.53: UDP, length 38
10:46:13.682013 IP 192.168.100.2.49618 > 192.168.0.50.53: UDP, length 36
10:46:13.692612 IP 192.168.100.2.52150 > 192.168.0.50.53: UDP, length 39
10:46:13.878476 IP 192.168.100.2.54666 > 192.168.0.50.53: UDP, length 33
10:46:14.037156 IP 192.168.100.2.57515 > 192.168.0.60.53: UDP, length 37
10:46:14.314500 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:14.543956 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
10:46:16.048173 IP 192.168.100.2.34398 > 192.168.0.50.53: UDP, length 37
10:46:16.256673 IP 192.168.100.2.60227 > 192.168.0.50.53: UDP, length 37
10:46:16.256705 IP 192.168.100.2.42632 > 192.168.0.50.53: UDP, length 37
10:46:16.256816 IP 192.168.100.2.46519 > 192.168.0.50.53: UDP, length 37
10:46:16.258064 IP 192.168.100.2.45443 > 192.168.0.50.53: UDP, length 37
10:46:18.109490 IP 192.168.100.2.40177 > 192.168.0.60.53: UDP, length 39
10:46:18.304995 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:18.324530 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
10:46:18.553209 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
10:46:18.644932 IP 192.168.100.2.43017 > 192.168.0.60.53: UDP, length 38
10:46:18.686796 IP 192.168.100.2.34894 > 192.168.0.60.53: UDP, length 36
10:46:18.697621 IP 192.168.100.2.55661 > 192.168.0.60.53: UDP, length 39
10:46:18.863908 IP 192.168.100.2.34322 > 192.168.0.60.53: UDP, length 33
10:46:19.027853 IP 192.168.100.2.50621 > 192.168.0.50.53: UDP, length 37
10:46:19.335404 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
10:46:21.082807 IP 192.168.100.2.46173 > 192.168.0.60.53: UDP, length 37
10:46:21.267447 IP 192.168.100.2.53998 > 192.168.0.60.53: UDP, length 37
10:46:21.267480 IP 192.168.100.2.51758 > 192.168.0.60.53: UDP, length 37
10:46:21.267617 IP 192.168.100.2.59832 > 192.168.0.60.53: UDP, length 37
10:46:21.267691 IP 192.168.100.2.44323 > 192.168.0.60.53: UDP, length 37
10:46:21.323851 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
10:46:23.051414 IP 192.168.100.2.44615 > 192.168.0.50.53: UDP, length 39
10:46:23.653867 IP 192.168.100.2.55766 > 192.168.0.50.53: UDP, length 38
10:46:23.701073 IP 192.168.100.2.49618 > 192.168.0.50.53: UDP, length 36
10:46:23.701729 IP 192.168.100.2.52150 > 192.168.0.50.53: UDP, length 39
10:46:23.869555 IP 192.168.100.2.54666 > 192.168.0.50.53: UDP, length 33
10:46:24.043412 IP 192.168.100.2.35269 > 192.168.0.60.53: UDP, length 45
10:46:24.144075 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.144135 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
10:46:24.154976 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.155125 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 179
10:46:24.155159 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
10:46:24.158416 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 1329
10:46:24.158438 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 1329
10:46:24.158445 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 445
10:46:24.165002 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.165504 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.170297 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.176650 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 126
10:46:24.176687 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
10:46:24.177501 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 51
10:46:24.187966 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.188002 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
10:46:24.188072 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
10:46:24.190173 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:25.345036 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
10:46:26.044520 IP 192.168.100.2.34398 > 192.168.0.50.53: UDP, length 37
10:46:26.158599 IP 192.168.100.2.35981 > 192.168.0.254.443: tcp 0
10:46:26.158675 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 0
10:46:26.167414 IP 192.168.100.2.35981 > 192.168.0.254.443: tcp 0
10:46:26.167541 IP 192.168.100.2.35981 > 192.168.0.254.443: tcp 179
10:46:26.167571 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 0
10:46:26.170166 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 1329
10:46:26.170186 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 1329
I noticed the following in Diagnostics -> Route:
Destination       Gateway        Flags  Use  Mtu   Netif   Expire
192.168.100.0/29  192.168.100.2  UGS    0    1500  ovpns3
Should I assign an interface to this OpenVPN connection and create a route?
PS³: Sorry if the information is too poor; please feel free to ask anything.
All the IP addresses here are not real, but they represent real information.
-
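The capture and the state entries in the post above show the diagnostic pattern that matters here: every packet from 192.168.100.2 toward a LAN host (port 53 on .50 and .60, port 80 on .24) appears once with no reply, while the session to pfSense itself (192.168.0.254:443) is answered in both directions, and the state table says the same thing with NO_TRAFFIC:SINGLE and 1 / 0 packets. The script below is an added example, not code from the original post or from pfSense: it parses tcpdump-style lines into 5-tuple flows and reports which destinations never answered. The sample lines are an excerpt of the capture above, and the parser accepts both the "tcp N" and "UDP, length N" tails that the Normal detail level prints.

```python
"""Added example: find one-way flows in a pfSense/tcpdump packet capture."""
import re
from collections import defaultdict

# Excerpt of the capture posted above (pfSense Packet Capture, "Normal" detail).
SAMPLE_CAPTURE = """\
10:45:44.004702 IP 192.168.100.2.46499 > 192.168.0.60.53: UDP, length 37
10:45:49.009172 IP 192.168.100.2.60921 > 192.168.0.50.53: UDP, length 37
10:45:54.026358 IP 192.168.100.2.46499 > 192.168.0.60.53: UDP, length 37
10:46:11.292618 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:11.549996 IP 192.168.100.2.33491 > 192.168.0.24.80: tcp 0
10:46:12.292619 IP 192.168.100.2.33490 > 192.168.0.24.80: tcp 0
10:46:18.324530 IP 192.168.100.2.33492 > 192.168.0.24.80: tcp 0
10:46:24.144075 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 0
10:46:24.144135 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 0
10:46:24.155125 IP 192.168.100.2.35980 > 192.168.0.254.443: tcp 179
10:46:24.158416 IP 192.168.0.254.443 > 192.168.100.2.35980: tcp 1329
10:46:26.158599 IP 192.168.100.2.35981 > 192.168.0.254.443: tcp 0
10:46:26.158675 IP 192.168.0.254.443 > 192.168.100.2.35981: tcp 0
"""

# Matches both "tcp 0" and "UDP, length 37" tails; the last dotted field is the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<proto>[A-Za-z]+)"
)


def parse_line(line):
    """Return (proto, src, sport, dst, dport) or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def flow_directions(lines):
    """Group packets into 5-tuple flows keyed by the first direction seen.

    Returns {flow: [packets_forward, packets_reverse]}; a reverse count of 0
    means nothing ever came back through the captured interface."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        proto, src, sport, dst, dport = pkt
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if fwd in flows:
            flows[fwd][0] += 1
        elif rev in flows:
            flows[rev][1] += 1
        else:
            flows[fwd] = [1, 0]
    return flows


def per_destination(lines):
    """{(dst, dport, proto): (flows_seen, flows_answered)} for each target service."""
    stats = defaultdict(lambda: [0, 0])
    for (proto, _src, _sport, dst, dport), (_fwd, rev) in flow_directions(lines).items():
        entry = stats[(dst, dport, proto)]
        entry[0] += 1
        if rev > 0:
            entry[1] += 1
    return {key: tuple(val) for key, val in stats.items()}


def unanswered_hosts(lines):
    """Hosts that answered none of the flows aimed at them: the return-path suspects."""
    seen, answered = defaultdict(int), defaultdict(int)
    for (dst, _dport, _proto), (flows, ok) in per_destination(lines).items():
        seen[dst] += flows
        answered[dst] += ok
    return sorted(host for host in seen if answered[host] == 0)


if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    for (dst, dport, proto), (flows, ok) in sorted(per_destination(lines).items()):
        print(f"{dst}:{dport}/{proto}: {flows} flow(s), {ok} answered")
    print("never answered:", ", ".join(unanswered_hosts(lines)))
```

A LAN host that never answers while pfSense on the same subnet does, with the firewall logging the packets as passed, points at a missing return route rather than a blocked rule: the packets leave ovpns3, but the reply follows the host's own default gateway and never comes back to the tunnel, which is what the rest of the thread confirms.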
I noticed the following in Diagnostics -> Route on pfSense:
Destination       Gateway        Flags  Use  Mtu   Netif   Expire
192.168.100.0/29  192.168.100.2  UGS    0    1500  ovpns3
Do I have to assign an interface to this OpenVPN connection and create a route?
PS³: If the information is scarce, please ask.
All the IP addresses here are fictitious, but they represent real information.
Did you open access (firewall rules) on the ovpns3 interface?
-
Good morning,
You can't access from where to where?
-
Dear jeferson.junior,
Try a different network class. E.g.: 10.20.0.0/29
Regards.
Whatsapp: 021 9 6403-5250
-
Dear jeferson.junior,
The /24 network encompasses the /29 network. The "VLSM" /29 network is just a subnet of the /24.
For OpenVPN to work it has to be a different network! E.g.: 10.20.0.0/29
True. Well observed.
Regards.
Whatsapp: 021 9 6403-5250
-
I noticed the following in Diagnostics -> Route on pfSense:
Destination       Gateway        Flags  Use  Mtu   Netif   Expire
192.168.100.0/29  192.168.100.2  UGS    0    1500  ovpns3
Do I have to assign an interface to this OpenVPN connection and create a route?
PS³: If the information is scarce, please ask.
All the IP addresses here are fictitious, but they represent real information.
Did you open access (firewall rules) on the ovpns3 interface?
Yes, it is allowed.
My question about the quote above concerns the gateway 192.168.100.2, which is the IP I receive when connecting remotely.
Protocol: IPv4* Source: 192.168.100.0/29 Port: * Destination: LAN net Port: * Gateway: * Queue: none
and also in the reverse direction (LAN -> OpenVPN), swapping Source and Destination.
-
Good morning,
You can't access from where to where?
From the OpenVPN remote access to the LAN; I can access pfSense on the LAN IP.
From the LAN to the OpenVPN remote access it is also not possible to access, but the firewall logs show no block, all connections are passing,
which is why I think it has to do with routing.
-
Dear jeferson.junior,
Try a different network class. E.g.: 10.20.0.0/29
Regards.
Whatsapp: 021 9 6403-5250
Good afternoon,
The IP 192.168.100.0/29 is fictitious; it is in class A (e.g.: 10.0.0.0/29).
-
Put /30 in the client's tunnel configuration and put the LAN network in the remote network settings.
Create an "any" rule on the OpenVPN interface.
-
Dear jeferson.junior,
Your pfSense is only in the broadcast domain (network), being the gateway for the hosts that you statically point to it.
Even though your OpenVPN network (/29) talks to your PF (GW), it will resort to the network's default gateway, that is, the one the FW is connecting to (192.168.100.1); perhaps you should create a static route for your OpenVPN tunnel network on that default GW.
For simple and "correct" operation, pfSense should be the network's GW (if the intention is to be the firewall and have centralized administration).
Regards,
Whatsapp: 021 9 64035250
-
Dear jeferson.junior,
Your pfSense is only in the broadcast domain (network), being the gateway for the hosts that you statically point to it.
Even though your OpenVPN network (/29) talks to your PF (GW), it will resort to the network's default gateway, that is, the one the FW is connecting to (192.168.100.1); perhaps you should create a static route for your OpenVPN tunnel network on that default GW.
For simple and "correct" operation, pfSense should be the network's GW (if the intention is to be the firewall and have centralized administration).
Regards,
Whatsapp: 021 9 64035250
Through an oversight it went unnoticed: pfSense is not the only gateway on the network. I configured the route on the other gateway, pointing it to the pfSense IP, and everything is working.
Thanks everyone for the help.
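The resolution above (pfSense is not the LAN's default gateway, so the other router needed a static route for the tunnel network pointing at pfSense) can be checked by walking a reply through each device's routing table. The following is an added example, not code from the thread or from pfSense: it models the LAN host, the other gateway and pfSense with constructed routing tables and traces where a reply to 192.168.100.2 ends up with and without the static route. The tunnel network, the client address, the LAN host 192.168.0.24 and pfSense's 192.168.0.254 come from the thread; the other gateway's address 192.168.0.1, the interface names and pfSense's tunnel-side 192.168.100.1 are assumptions.

```python
"""Added example: trace the reply path from a LAN host back to an OpenVPN client."""
import ipaddress

TUNNEL_NET = "192.168.100.0/29"   # OpenVPN tunnel network (from the thread)
VPN_CLIENT = "192.168.100.2"      # address the client received (from the thread)
LAN_HOST = "192.168.0.24"         # LAN host the client could not reach (from the capture)
PFSENSE_LAN = "192.168.0.254"     # pfSense LAN address (from the thread)
OTHER_GW = "192.168.0.1"          # ASSUMED address of the LAN's real default router


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, via)].

    `via` is either a next-hop IP or 'dev:<iface>' for a connected interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]


def trace(devices, start, dst, max_hops=8):
    """Follow dst hop by hop; the path ends in '<device>:<iface>' when the packet
    is put onto a connected interface, or in a DROP/LOST/LOOP marker."""
    path = [start]
    current = start
    for _ in range(max_hops):
        via = lookup(devices[current]["routes"], dst)
        if via is None:
            path.append("DROP: no route")
            return path
        if via.startswith("dev:"):
            path.append(f"{current}:{via[4:]}")
            return path
        owner = next((n for n, d in devices.items() if via in d["addrs"]), None)
        if owner is None:
            path.append(f"LOST: next hop {via} is not on any known device")
            return path
        path.append(owner)
        current = owner
    path.append("LOOP: hop limit reached")
    return path


def build_devices(other_gw_has_tunnel_route):
    """Constructed routing tables mirroring the thread's topology."""
    other_gw_routes = [("192.168.0.0/24", "dev:lan"), ("0.0.0.0/0", "dev:wan")]
    if other_gw_has_tunnel_route:
        # The fix the poster applied: send the tunnel network to pfSense.
        other_gw_routes.insert(0, (TUNNEL_NET, PFSENSE_LAN))
    return {
        "lan_host": {
            "addrs": {LAN_HOST},
            # The host's default gateway is the other router, not pfSense.
            "routes": [("192.168.0.0/24", "dev:eth0"), ("0.0.0.0/0", OTHER_GW)],
        },
        "other_gw": {"addrs": {OTHER_GW}, "routes": other_gw_routes},
        "pfsense": {
            "addrs": {PFSENSE_LAN, "192.168.100.1"},  # tunnel-side address assumed
            "routes": [
                ("192.168.0.0/24", "dev:lan"),
                (TUNNEL_NET, "dev:ovpns3"),  # the Diagnostics -> Route entry in the thread
                ("0.0.0.0/0", "dev:wan1"),
            ],
        },
    }


def reply_path(other_gw_has_tunnel_route):
    """Path a reply from the LAN host takes toward the VPN client."""
    return trace(build_devices(other_gw_has_tunnel_route), "lan_host", VPN_CLIENT)


def reply_reaches_tunnel(path):
    """True only if the reply is delivered onto pfSense's ovpns3 interface."""
    return path[-1] == "pfsense:ovpns3"


if __name__ == "__main__":
    for fixed in (False, True):
        p = reply_path(fixed)
        label = "with static route on other gateway" if fixed else "without static route"
        print(label, "->", " > ".join(p), "OK" if reply_reaches_tunnel(p) else "reply lost")
```

Without the route the reply leaves the other router's default interface, which is why the forward packets were logged as passed while the LAN host looked dead from the tunnel. With the route, the reply goes through the other gateway to pfSense and out ovpns3; the two directions still take different paths (out via ovpns3 directly, back via the second router), which is why the earlier reply's advice to make pfSense the LAN's gateway is the cleaner design.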
-
Jeferso,
Great that it's been solved.
Edit your first post and put [SOLVED] at the beginning. :D