OVPN client to Endian works! But not for all IPs?
-
Do not trust the Windows firewall! Disabling it often does not deactivate it immediately.
For a simple test to get closer to the problem, you can use the ping tool in the pfSense GUI.
Take an IP from the office network which you can ping from a local device but not from remote. On the home pfSense, go to the ping tool, enter the IP and run a ping with the default source selection. Then change the source to LAN address (the pfSense address in the 192.168.173.0/24 network) and run the ping again.
If you get responses on the first run but not on the second, check the firewall and the network settings on the destination device.
-
Thanks Viragomann, I've tried. Doing a ping from the pfSense interface changed nothing: I can ping 192.168.172.99 but not 192.168.172.20, and the same thing from the Endian firewall, I can ping 192.168.173.36 but not 192.168.173.49 or .100.
The local IPs of both firewalls are reachable, everything in their LANs is reachable by ping, and I've also checked the gateway and it is correct (there is only one gateway for each network).
Hard to find this problem, no entry in the firewall log… I can't believe it.
-
OK man, as Viragomann says, do not trust Windows Firewall, so I've solved half of the route.
Now from pfSense (client) to Endian (server) all works well, I can reach everything in the office network.
But not the inverse. Endian has a route already and it works if used with another Endian firewall, so I think it is pfSense that blocks the traffic for some reason.
Have you an idea of what I need to check?
-
So you also have access from a client behind pfSense to a device in the LAN behind Endian? If so, the routes on both sites should be fine.
And since the firewall rule on the pfSense OpenVPN interface allows any IPv4 access, it shouldn't block anything. To troubleshoot, you can use Packet Capture from the pfSense Diagnostics menu.
Take a capture on the OpenVPN interface while you try to access a device from the other site. You should see the packets there, even if pfSense blocks them. If it doesn't block the traffic, you should also see responses.
If there are no packets arriving on the VPN interface, the traffic may not be routed into the VPN tunnel on Endian.
If the packets are arriving, also take a capture on the LAN interface to see what's going on there.
-
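The decision steps in the post above (requests on the OpenVPN interface? replies there? requests on the LAN interface? replies there?) as an added example, not code from the thread or from pfSense. It parses the tcpdump-style lines that the pfSense Packet Capture page prints and classifies one target host. The capture lines below are constructed from the output posted later in this thread; the function names are invented for this example.

```powershell
# Added example: classify why a host behind pfSense does not answer pings from the
# remote site, using two pfSense packet captures (OpenVPN interface and LAN interface).

function ConvertFrom-IcmpCaptureLine {
    param([string]$Line)
    # pfSense packet-capture / tcpdump line, e.g.
    # "23:25:06.328269 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3866, length 40"
    $pattern = '^\S+ IP (?<src>[\d.]+) > (?<dst>[\d.]+): ICMP echo (?<kind>request|reply), id (?<id>\d+), seq (?<seq>\d+)'
    if ($Line -match $pattern) {
        [pscustomobject]@{
            Src  = $Matches['src']
            Dst  = $Matches['dst']
            Kind = $Matches['kind']
            Id   = [int]$Matches['id']
            Seq  = [int]$Matches['seq']
        }
    }
    # Any other line (non-ICMP, blank) yields nothing and is dropped by the caller.
}

function Get-IcmpPathDiagnosis {
    param(
        [Parameter(Mandatory)][string]$Target,   # host behind pfSense that the remote site pings
        [string[]]$OpenVpnCapture = @(),         # lines captured on the OpenVPN interface
        [string[]]$LanCapture     = @()          # lines captured on the LAN interface
    )
    $vpn = @($OpenVpnCapture | ForEach-Object { ConvertFrom-IcmpCaptureLine $_ } | Where-Object { $_ })
    $lan = @($LanCapture     | ForEach-Object { ConvertFrom-IcmpCaptureLine $_ } | Where-Object { $_ })

    $vpnReq   = @($vpn | Where-Object { $_.Kind -eq 'request' -and $_.Dst -eq $Target })
    $vpnReply = @($vpn | Where-Object { $_.Kind -eq 'reply'   -and $_.Src -eq $Target })
    $lanReq   = @($lan | Where-Object { $_.Kind -eq 'request' -and $_.Dst -eq $Target })
    $lanReply = @($lan | Where-Object { $_.Kind -eq 'reply'   -and $_.Src -eq $Target })

    if ($vpnReq.Count -eq 0) {
        return "No echo requests for $Target on the OpenVPN interface: the remote site is not routing this traffic into the tunnel (check the route on Endian)."
    }
    if ($vpnReply.Count -gt 0) {
        return "$Target answers through the tunnel ($($vpnReply.Count) replies to $($vpnReq.Count) requests)."
    }
    if ($lanReq.Count -eq 0) {
        return "Requests reach the OpenVPN interface but never leave the LAN interface: pfSense drops them (check the OpenVPN interface rules and the route to the LAN subnet)."
    }
    if ($lanReply.Count -eq 0) {
        return "Requests are forwarded onto the LAN but $Target never replies: look at the host itself (its firewall or gateway setting), not at pfSense."
    }
    return "$Target replies on the LAN but the reply is not sent into the tunnel: check the return path on pfSense (state table, routes)."
}

# Constructed sample input, taken from the captures posted later in this thread.
$vpnCapture = @(
    '20:40:43.262508 IP 192.168.172.99 > 192.168.173.36: ICMP echo request, id 1, seq 2490, length 40',
    '20:40:43.270631 IP 192.168.173.36 > 192.168.172.99: ICMP echo reply, id 1, seq 2490, length 40',
    '23:25:06.328269 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3866, length 40',
    '23:25:11.309302 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3867, length 40'
)
$lanCapture = @(
    '23:31:11.311218 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3945, length 40',
    '23:31:16.311602 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3946, length 40'
)

Get-IcmpPathDiagnosis -Target '192.168.173.36' -OpenVpnCapture $vpnCapture -LanCapture $lanCapture
Get-IcmpPathDiagnosis -Target '192.168.173.49' -OpenVpnCapture $vpnCapture -LanCapture $lanCapture
```

With the sample data, the pfSense LAN address (192.168.173.36) is reported as answering, and 192.168.173.49 is reported as receiving requests on the LAN without replying, which points at the host rather than at pfSense. To use it on your own captures, paste the lines from the Packet Capture page into the two arrays (or read them with Get-Content).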
Viragomann, thank you in advance for your help. I've done what you suggested, and if from the Endian network (192.168.172.0/24) I ping the pfSense IP 192.168.173.36,
the packet capture shows this on the OpenVPN tunnel:
20:40:43.262508 IP 192.168.172.99 > 192.168.173.36: ICMP echo request, id 1, seq 2490, length 40
20:40:43.270631 IP 192.168.173.36 > 192.168.172.99: ICMP echo reply, id 1, seq 2490, length 40
Instead, if I ping my computer, the packet capture shows this:
23:25:06.328269 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3866, length 40
23:25:11.309302 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3867, length 40
23:25:16.309808 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3868, length 40
23:25:21.308759 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3869, length 40
23:25:26.306973 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3870, length 40
Is it right to suppose that the ICMP ping passes the tunnel? Why does my computer not respond? Is it my computer? Because if I ping everything on my home side all seems to be OK.
Now I'll check the LAN...
OK, monitoring the same IP on the LAN interface, these are the results:
23:31:11.311218 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3945, length 40
23:31:16.311602 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3946, length 40
23:31:21.311830 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3947, length 40
Monitoring instead my computer IP (192.168.173.49):
….
What the...!! What the!!!! Sorry man, sorry all, I can't believe it... DON'T TRUST WINDOWS FIREWALL and MICROSOFT UPDATE! I can't believe it... OK man, all works perfectly. Windows Firewall, for some reason, after the last Windows 10 update reset all the Windows Firewall rules... f@..k
Thank you so much Viragomann, probably I couldn't have gotten so near to the solution without your help. I'm a newbie with pfSense and I'm only now starting to know the many fantastic tools it has.
Thank you again
John
-
And your computer uses pfSense as gateway?
Maybe its firewall is blocking the access.
-
Yes, my computer is in the home LAN behind pfSense and uses it as gateway.
But there's a thing that I cannot explain… why does my computer, and so Windows Firewall, let me ping it from the same subnet (another computer behind pfSense)
but refuse to answer ICMP pings if they come from the OpenVPN tunnel? What I had to do was go to the advanced firewall configuration of Windows, enable every ICMP ping out rule, and for every rule set in the advanced tab that it is related to each of the 3 kinds of zone: private, public and domain.
There's no meaning in doing it, I think, but it's the only way to make it work, and I've tested with another computer (a microserver in the same subnet).
-
That ping comes from the remote LAN, not the OpenVPN tunnel, but that won't make any difference for the Windows firewall.
Since the network is not assigned to the computer, Windows sees it as "public". If you don't want to modify all your computers' firewalls, you can also get it to work by NATting the source addresses to the pfSense LAN IP. So the access will seem to come from the local subnet and Windows will trust it. But if you do that, you don't see the real origin IP address on the destination device.
-
That's the answer. I think for a little home network changing the Windows firewall is enough, otherwise I think it's better to look at trusting the remote subnet to make the Windows firewall setting easier.
-
The NAT method is also called masquerading, and that puts it in a nutshell. A Windows firewall by default only trusts devices in its own network, and with this method it seems that the access comes from its own network segment.
Doing this is an easy workaround as long as you have no need to determine the source device on the destination device.
So, in my opinion, it's sufficient for home use, but in a business environment I would prefer the routing method and configure the firewalls to allow access as needed.
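The "trust the remote subnet" variant of the routing method, as an added example that is not from the thread: one inbound Windows Firewall rule that allows ICMPv4 echo requests only from the office subnet, on every profile, instead of enabling every ICMP rule on every profile by hand. Assumptions: the office LAN behind Endian is 192.168.172.0/24 (as in the thread), and the rule display name is invented here. Run from an elevated PowerShell on the Windows 10 host.

```powershell
# Added example: scoped inbound ICMP rule for pings arriving through the VPN.

$remoteSubnet = '192.168.172.0/24'                          # office LAN reached through the tunnel
$ruleName     = 'Allow ICMPv4 echo from office VPN subnet'  # assumed display name

# Remove an older copy first so the script can be re-run without creating duplicates.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

$ruleParams = @{
    DisplayName   = $ruleName
    Direction     = 'Inbound'
    Protocol      = 'ICMPv4'
    IcmpType      = '8'             # Echo Request only; nothing else is opened
    RemoteAddress = $remoteSubnet   # only the remote site, not every address
    Profile       = 'Any'           # a non-local subnet is treated as "Public", so Private alone would not match
    Action        = 'Allow'
}
New-NetFirewallRule @ruleParams | Out-Null

# Show what was actually installed. The rule object itself carries no address or
# protocol data; those live in its associated filter objects.
$rule = Get-NetFirewallRule -DisplayName $ruleName
[pscustomobject]@{
    Name     = $rule.DisplayName
    Enabled  = $rule.Enabled
    Profile  = $rule.Profile
    Remote   = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Protocol = ($rule | Get-NetFirewallPortFilter).Protocol
    IcmpType = ($rule | Get-NetFirewallPortFilter).IcmpType
}
```

After running it, ping the host from a device in 192.168.172.0/24 and, on the home pfSense, a capture on the LAN interface should now show echo replies next to the requests. The masquerading alternative from the posts above is configured on pfSense, not on Windows: an outbound NAT rule on the LAN interface for source 192.168.172.0/24 translating to the interface address, at the cost of losing the real origin IP on the destination host.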