Cannot ping or access remote network
-
Hi all,
We're having trouble accessing remote machines over pfSense. We have the OpenVPN tunnel established without problem, but our office network cannot ping the local machines on the remote side. Both sides are running pfSense.
Our setup is fairly simple:
Datacenter network - Running pfSense (OpenVPN server). Has a NIC mounted to the 10.10.0.0/24 network. Can only ping IPs on the 10.10.0.0 network
Office network - Running pfSense (OpenVPN client). Regular office networking running on 192.168.1.0/24 network. Can only ping IPs on the 192.168.1.0 network
The issue we're having is that our office network is not able to ping or communicate any remote machines running on the 10.10.0.0 network.
I've checked the routes on both local and remote sides and it looks correct.
See:
Office network routes https://i.imgur.com/1BhI01U.png
Office network cfg https://i.imgur.com/H9LVi57.png
Remote network routes https://i.imgur.com/5SRE0P0.png
Remote network cfg https://i.imgur.com/p0lwJeV.png
OpenVPN firewall settings office network https://i.imgur.com/sMt0z8D.png
OpenVPN firewall settings remote network https://i.imgur.com/8qLP3hX.png
Some other useful info:
- The remote network IPs are statically set. There are no default gateways or DHCP involved for the internal private network (10.10.0.0)
- I have tried turning off the firewall completely on a remote machine with no luck
- The remote network is technically a virtual network, but there is no VLAN id
Any help would be greatly appreciated.
Thanks
-
-
In the datacenter OpenVPN config you have to set office network (192.168.1.0/24) in the "Remote networks" field.
The local datacenter network makes no sense here.
-
In the datacenter OpenVPN config you have to set office network (192.168.1.0/24) in the "Remote networks" field.
The local datacenter network makes no sense here.

I've made the update and can now ping the internal IP of the data centre pfSense machine (10.10.0.4) from my workstation (192.168.1.144), but I still cannot ping outside of that machine (10.10.0.5, 10.10.0.6, etc.).
If it helps, I'm using the Peer to peer (shared key) method?
Thanks
-
That is probably because most software firewalls only respond to devices on the same network (i.e., your 10.10.0.0 network will only respond to pings from 10.10.0.0). So your pings from 192.168.1.0 are being blocked. Update each remote network's firewall rules appropriately.
-
Definitely not the firewall. ICMP packets are set to allow from everywhere in Windows Firewall.
-
The pfSense firewalls look ok, albeit a little redundant (like the remote end is allowing IPv4-* and IPv4-TCP and IPv4-TCP/UDP, when just IPv4-* is sufficient). But I'm wondering why the rules all show "0/0B" for their states - those rules have not received any data whatsoever.
-
The pfSense boxes have to be the default upstream gateway on both sites.
If that is not given you need either a static route for the remote network on each device which should communicate with it, or you must NAT the packets on pfSense.
-
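The reply above lists three ways to get the echo replies back into the tunnel (pfSense as the hosts' default gateway, a static route on each host, or outbound NAT on pfSense). The following script, added here and not part of the thread, models a datacenter host's routing decision for a reply to the office workstation under each option. It uses the addresses given in the thread (10.10.0.0/24, 192.168.1.0/24, pfSense LAN 10.10.0.4, workstation 192.168.1.144); the WAN router address 10.10.0.1 is an assumption standing in for the hosts' existing default gateway.

```python
"""Why the datacenter hosts' replies never reach the office, as a routing model.

Added example, not from the thread. WAN_ROUTER is an assumed address for the
hosts' existing (non-pfSense) default gateway; the other values come from the
thread.
"""
import ipaddress

PFSENSE_LAN = "10.10.0.4"         # datacenter pfSense LAN address (thread)
WAN_ROUTER = "10.10.0.1"          # assumed: the hosts' current default gateway
OFFICE_WORKSTATION = "192.168.1.144"
DC_LAN = "10.10.0.0/24"
OFFICE_LAN = "192.168.1.0/24"


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None = on-link."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        return None
    return "on-link" if best_gw is None else best_gw


def reply_reaches_office(host_routes, echo_src):
    """Does a datacenter host's echo reply to echo_src get back through pfSense?

    The reply only makes it if the host hands it to pfSense (the OpenVPN
    endpoint), or if echo_src is on the datacenter LAN itself, which is what
    outbound NAT on pfSense achieves by rewriting the source to 10.10.0.4.
    """
    hop = next_hop(host_routes, echo_src)
    if hop == PFSENSE_LAN:
        return True
    if hop == "on-link" and ipaddress.ip_address(echo_src) in ipaddress.ip_network(DC_LAN):
        return True
    # Anything else (e.g. handed to WAN_ROUTER, which has no route to the
    # office subnet) is lost: classic asymmetric-routing breakage.
    return False


def scenarios():
    """Each remedy from the thread against the host routing table it implies."""
    as_is = [(DC_LAN, None), ("0.0.0.0/0", WAN_ROUTER)]
    return {
        "as described in thread": reply_reaches_office(as_is, OFFICE_WORKSTATION),
        "static route on host": reply_reaches_office(
            as_is + [(OFFICE_LAN, PFSENSE_LAN)], OFFICE_WORKSTATION),
        "pfsense as default gateway": reply_reaches_office(
            [(DC_LAN, None), ("0.0.0.0/0", PFSENSE_LAN)], OFFICE_WORKSTATION),
        # Outbound NAT: the host sees the ping coming from pfSense's LAN address.
        "outbound nat on pfsense": reply_reaches_office(as_is, PFSENSE_LAN),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} reply reaches office: {ok}")
```

The "as described in thread" case is the one the original poster is in: pfSense itself (10.10.0.4) answers because it has the OpenVPN route, while every other host sends its reply to the WAN router. Outbound NAT sidesteps the hosts' routing tables entirely, at the cost of hiding the office source addresses from the datacenter hosts' logs.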
The pfSense boxes have to be the default upstream gateway on both sites.
If that is not given you need either a static route for the remote network on each device which should communicate with it, or you must NAT the packets on pfSense.

The remote boxes have a default upstream gateway already to a WAN address. I was under the impression that having two default gateways on a box was a really bad idea.
How do I go about setting up NAT? I'm not sure which values I need to set on both sides.
-
So the pfSense local network address 10.10.0.4 is not set as default gateway on the remote machines?
You have garbled the vtnet0 address, so I assume it will be a public one, isn't it?