Netgate Discussion Forum
    Pinging tunnel networks in site-to-site

    OpenVPN | 15 Posts | 2 Posters | 1.4k Views
    Derelict (Netgate):

      On the server I can ping 10.0.8.1 & 10.0.8.3 however I am unable to ping 10.0.8.4

      Why would you be able to ping 10.0.8.4? It's not connected.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

    McMurphy:

        My apologies, let me clarify

        Originally Remote1@10.0.8.3 & Remote2@10.0.8.4 were both connected and only Remote1@10.0.8.3 could be pinged.

        When I restarted the server the IPs changed to Remote1@10.0.8.2 & Remote2@10.0.8.3

        Now I can ping Remote1@10.0.8.2 but not Remote2@10.0.8.3

        Both before and after the restart Remote2 is unable to be pinged.

    McMurphy:

          username@server:~$ ping 10.0.8.1 -c 4
          PING 10.0.8.1 (10.0.8.1) 56(84) bytes of data.
          64 bytes from 10.0.8.1: icmp_seq=1 ttl=64 time=2.12 ms
          64 bytes from 10.0.8.1: icmp_seq=2 ttl=64 time=2.24 ms
          64 bytes from 10.0.8.1: icmp_seq=3 ttl=64 time=1.74 ms
          64 bytes from 10.0.8.1: icmp_seq=4 ttl=64 time=1.99 ms

          --- 10.0.8.1 ping statistics ---
          4 packets transmitted, 4 received, 0% packet loss, time 3005ms
          rtt min/avg/max/mdev = 1.747/2.029/2.249/0.186 ms
          username@server:~$ ping 10.0.8.2 -c 4
          PING 10.0.8.2 (10.0.8.2) 56(84) bytes of data.
          64 bytes from 10.0.8.2: icmp_seq=1 ttl=63 time=24.4 ms
          64 bytes from 10.0.8.2: icmp_seq=2 ttl=63 time=29.8 ms
          64 bytes from 10.0.8.2: icmp_seq=3 ttl=63 time=23.7 ms
          64 bytes from 10.0.8.2: icmp_seq=4 ttl=63 time=31.5 ms

          --- 10.0.8.2 ping statistics ---
          4 packets transmitted, 4 received, 0% packet loss, time 3003ms
          rtt min/avg/max/mdev = 23.765/27.388/31.510/3.344 ms
          username@server:~$ ping 10.0.8.3 -c 4
          PING 10.0.8.3 (10.0.8.3) 56(84) bytes of data.

          --- 10.0.8.3 ping statistics ---
          4 packets transmitted, 0 received, 100% packet loss, time 2999ms

    McMurphy:

            Progress…

            I can now ping both 10.0.8.2 & 10.0.8.3 from the server

            The problem was I had the OpenVPN FW rule on Remote2@10.0.8.3 protocol set to UDP. When I changed it to ANY it works.

            Now I know the VPN connections are working, I will tackle making Remote1 & Remote2 accessible from the server LAN.

    McMurphy:

              Now my VPN connection is up, I have 3 remaining pieces to this puzzle:

              1. On the server set values for IPv4 Local Network & IPv4 Remote Network

              2. On the clients set value for IPv4 Remote Network

              3. On the set values for iroutes as per https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes

              Server IPv4 Local Network value
              "IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network."
              => My thinking here is this should be left blank as I do not want the server LAN to be accessible from the client LANs, just the client LANs accessible from the server LAN.

              Server IPv4 Remote Network value
              "IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN."
              => My thinking here is that this should be set to the two remote CIDR ranges.

              Clients IPv4 Remote Network Value
              "IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN."
              => My thinking here is that this should be set to the client CIDR range

              => Not sure what to do here

              At this point all pfsense boxes can ping 10.0.8.1, 10.0.8.2 & 10.0.8.3

    McMurphy:

                I hope this diagram may assist in explaining what I seek to achieve.

                I wish the server LAN to be able to access both client LANs, however I do not wish the client LANs to be able to access anything through the VPN.

                [Attachment: Blank Diagram - Page 1.png]

    Derelict (Netgate):

                  So don't put any OpenVPN rules on the server and put pass src 192.168.0.1/24 dest any rules on each client.

                  I would stop fixating so much on the OpenVPN interface addresses. They can be weird.

                  https://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses

    McMurphy:

                    OK, apologies if I am sounding pedantic, however I wish to ensure I have understood you correctly.

                    Previously on both server & clients under OpenVPN firewall rules I had proto:any src:any dest:any

                    With this in place the client pfsense could ping the server pfsense, however not the other way round.

                    I have now removed the OpenVPN rule from the firewall on the server

                    With this change the pfsense boxes cannot ping each other.

                    Obviously, I have missed something. My thoughts are:
                    a) I have not created any iroutes anywhere (mentioned in the guide I was following but didn't understand them)
                    b) I may have mucked up the values for remote and local network on the server & clients

                    Thanks for your help here. It is appreciated.

    McMurphy:

                      Can I please clarify.

                      a) on the vpn server I have set:
                      IPv4 Local Network: 192.168.1.0/24
                      IPv4 Remote Networks: 192.168.16.0/24, 10.0.0.0/24

                      b) on the vpn clients I have set:
                      IPv4 Remote Networks: 192.168.1.0/24

                      Does this look correct?

    McMurphy:

                        Tunnel settings as per post above.

                        [Attachments: ServerTunnel.png, ClientTunnel.png]

    Derelict (Netgate):

                          a) I have not created any iroutes anywhere (mentioned in the guide I was following but didn't understand them)

                          If you are running an SSL/TLS server with a tunnel network larger than a /30 and have routed subnets and no iroutes it is not going to work.

                          Add the remote networks for each CN to a client specific override.


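As an added example (not from the thread, nor pfSense's own generated files), this script reproduces what Derelict's last reply describes: an SSL/TLS server with a /24 tunnel network, kernel routes for the two remote LANs, and one client-specific override per certificate CN carrying the iroute, then checks which routed LAN has no owning iroute. The networks are the ones McMurphy posted; the CNs remote1 and remote2, the file paths, and the check function are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense itself: rebuild the
# files pfSense generates for an SSL/TLS site-to-site server (server config
# plus one client-specific override per certificate CN) and check that every
# routed remote LAN has an owning iroute. CNs remote1/remote2 and the paths
# are assumptions; the networks are the ones McMurphy posted.
set -eu
WORK=$(mktemp -d)
CCD="$WORK/ccd"
mkdir -p "$CCD"

# Server side. The tunnel is a /24, not a /30 point-to-point link, so the
# kernel "route" lines ("IPv4 Remote Networks") only steer traffic into the
# tun interface; OpenVPN still needs an iroute to know which client owns
# each LAN. "IPv4 Local Network" is left blank here, so nothing is pushed.
cat > "$WORK/server.conf" <<EOF
server 10.0.8.0 255.255.255.0
client-config-dir $CCD
route 192.168.16.0 255.255.255.0
route 10.0.0.0 255.255.255.0
EOF

# Client-specific overrides: "IPv4 Remote Networks" in each override is
# written as an iroute in the file named after the client's CN.
printf 'iroute 192.168.16.0 255.255.255.0\n' > "$CCD/remote1"
printf 'iroute 10.0.0.0 255.255.255.0\n' > "$CCD/remote2"

# missing_iroutes SERVER_CONF: print every "route" network with no matching
# iroute in any override. Such a network is exactly the silent failure in the
# thread: the kernel route exists, but OpenVPN drops packets for it.
missing_iroutes() {
    conf=$1
    dir=$(awk '$1 == "client-config-dir" { print $2 }' "$conf")
    awk '$1 == "route" { print $2, $3 }' "$conf" | while read -r net mask; do
        grep -qsFx "iroute $net $mask" "$dir"/* || echo "$net $mask"
    done
}

# Fully configured: prints nothing.
missing_iroutes "$WORK/server.conf"
# Simulate forgetting the override for remote2 (McMurphy had no iroutes at
# all) and see which LAN becomes unreachable through the tunnel.
rm "$CCD/remote2"
missing_iroutes "$WORK/server.conf"   # prints: 10.0.0.0 255.255.255.0
```

The same check can be run against a live pfSense box by pointing it at the generated server config, since it only reads the route, client-config-dir and iroute lines.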