Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    site-to-site, cannot ping from one lan to other lan

    Scheduled Pinned Locked Moved OpenVPN
    47 Posts 4 Posters 7.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by

      Host 10.0.0.4 not rebooted ?
      --- not rebooted
      Check if there is a route to 192.168 in its routing table
      --- i checked a few times, each time I try to re-add the rule I get the following error
      C:\Users\user01>route add 192.168.62.0 mask 255.255.255.0 10.0.0.7
      The route addition failed: The object already exists.

      K 1 Reply Last reply Reply Quote 0
      • K
        Konstanti @A Former User
        last edited by Konstanti

        @asdffdsa6131
        Good
        Let's try another way
        Ping 192.168.62.181->10.0.0.4 (or 10.0.0.1 or any other host from 10.0.0.0/24)
        on the client side
        Firewall/NAT Outbound/Edit (manual outbound)
        0_1551051478768_9c094fbe-a5dc-4d38-9a83-bb3c52a79253-image.png

        0_1551051457167_47e98eeb-0674-41e2-abbb-4de552166e83-image.png

        If everything is configured correctly, then in packet capture (client side) you will see
        10.0.0.7 ->10.0.0.4
        10.0.0.4 ->10.0.0.7

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by

          Ping 192.168.62.181->10.0.0.4
          --- I have a continous ping going all the time.
          0_1551051884275_28f05316-1590-488c-bc56-06a6ff3a362b-image.png

          Ping 192.168.62.181->10.0.0.4 continues to fail
          ping 192.168.62.181 -> 10.0.0.1 also fails.

          does this have something to do with that the client is an azure virtual machine and has no lan interface, just a wan interface?

          K 1 Reply Last reply Reply Quote 0
          • K
            Konstanti @A Former User
            last edited by Konstanti

            @asdffdsa6131

            NAT OUTBOUND changes the sender address (192.168.62.181) to its network address in the WAN interface (10.0.0.7) .the capture and package should show this
            for example
            IP 10.0.0.7 > 10.0.0.4: ICMP echo request, id 1, seq 16028, length 40
            IP 10.0.0.7 > 10.0.0.4: ICMP echo request, id 1, seq 16029, length 40

            1 Reply Last reply Reply Quote 0
            • ?
              A Former User
              last edited by

              not sure what you are asking, sorry

              K 1 Reply Last reply Reply Quote 0
              • K
                Konstanti @A Former User
                last edited by Konstanti

                @asdffdsa6131
                192.168.62.181 -> 10.0.0.7 (nat outbound) -> 10.0.0.4 ->10.0.0.7 -> 192.168.62.181

                In packet capture you should see instead of 192.168.62.181 10.0.0.7 (client side , wan interface)

                1 Reply Last reply Reply Quote 0
                • ?
                  A Former User
                  last edited by

                  sorry, again I am not clear what you are asking for

                  K 1 Reply Last reply Reply Quote 0
                  • K
                    Konstanti @A Former User
                    last edited by Konstanti

                    @asdffdsa6131
                    NAT OUTBOUND changes the sender address (192.168.62.181) to its network address in the WAN interface (10.0.0.7) .the packet capture should show this (client side , wan interface)
                    for example
                    IP 10.0.0.7 > 10.0.0.4: ICMP echo request, id 1, seq 16028, length 40
                    IP 10.0.0.7 > 10.0.0.4: ICMP echo request, id 1, seq 16029, length 40

                    1 Reply Last reply Reply Quote 0
                    • ?
                      A Former User
                      last edited by

                      I have to stop now, sorry,
                      I want to thank you much for you time.

                      we are missing something simple.
                      As far as I can tell, all the settings are correct on the sever and client.

                      I still think there is some issue with the fact the the client is in azure cloud and there is not lan interface, just a wan of 10.0.0.0/24.
                      good night,

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Ok so there are two things and both were touched on.

                        By default pfSense NATs the traffic leaving the WAN but you probably don't want that. This is all private address space.

                        So go to the outbound NAT rules on the client end in Azure and remove them all. There should be NO NAT happening at that end.

                        Then the clients in Azure need a route back to 192.168.62.X. You tried to add that directly to the client, which should work, but you can also add that route in Azure so all clients there get routed to 10.0.0.7 for 192.168.62.X.

                        You will need firewall rules on the WAN to allow that traffic in.

                        You must also have enabled IP forwarding in Azure for the pfSense WAN NIC. Otherwise it will block traffic with destination 192.168.62.X as that does not exist on that VM:
                        https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#enable-or-disable-ip-forwarding

                        That may well be what was breaking this with NAT in place but it's better without NAT.

                        Steve

                        ? 1 Reply Last reply Reply Quote 0
                        • ?
                          A Former User @stephenw10
                          last edited by

                          @stephenw10
                          thanks much, I will try your suggestions.

                          it seems to me that traffic has to leave the azure pfsense via the wan, as that is the only interface, there is on lan interface.

                          you wrote "Then the clients in Azure need a route back to 192.168.62.X. You tried to add that directly to the client", do i add the route via the openvpn client or on each and every virtual computer via command line route.exe?

                          please consider updating the documentation, to deal with pfsense in the cloud, azure and aws.

                          I have spend days on this, working with a very knowledgeable forum people and nobody seems to know what to do with pfsense in cloud.

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            It's the Windows clients in Azure that need the route. That can either be added on each client or you can add it to the Azure routing for your VPC (or whatever Azure are naming the local subnet there). That will then apply to traffic from any client that hits the Azure gateway.

                            You can assign the OpenVPN interface there to get an additional logical interface. Because it would be the second interface it will appear as LAN which might make things even more confusing! WAN and LAN are just names though.

                            Steve

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.