Ping LANVPN not working

alainmandine

Tks Steve,
here is my routing table.

When the PC at the remote end is pinged from pfsense it, it replies.
Rgds Alain

stephenw10

@alainmandine said in Ping LANVPN not working:

When the PC at the remote end is pinged from pfsense it, it replies.

But from what source?

We know it replies when you ping from 192.168.100.1 but what if you select LAN as the source IP?

Try running a packet capture on the OpenVPN interface at the same time to be sure traffic is going that way.

Steve

alainmandine

When the pings go out of PFsense the source address is NATted by the ISP box into my Internet public address ( in my case 93.5.222.183) . This is the only source address that any paquet is allowed to go with to the Internet.
Here are the capture paquets with different source address. .
As you can see only the pings with source address "Automatically seleceted(default)" and "OpenVPN sever: OpenVPN instance Serveur" which is 192.168.100.1 are getting a response.
Capture paquets from PFsense WAN interface are a little bit less easy to look at because most of the paquets are encapsulated and crypted which is what we are looking for :

Tks for yr help
Rgds Alain

stephenw10

Ok, so run a packet capture on the OpenVPN server interface and then ping 192.168.100.2 from LAN. You should see the ping requests going out.

Steve

alainmandine

When I do that I see ICMP going out :

This is, to me, a nonsense. The network 192.168.100.0/24 is only known inside the tunnel. It's a private network and no router will route it on the Internet.
PFsense should encapsulate the ICMP into a packet with destination 80.12.34.95:1194 which is the tunnel end point.

Btw when I 1st started the SG-1100 out of the box, the OpenVPN server worked fine. I did not check the check the PFsense version but as it was las May It cannot have been 2.4.4 . I cann't remember if I did an upgrade or got an autoupgrade. I have contacted Netgate support to get the previous version but they are very reluctant to provide the version.
Rgds Alain

stephenw10

It is encapsulated. You are capturing on the OpenVPN adapter so it shows only traffic inside the tunnel.

So you see the requests being sent and the remote client is not responding. Either it is blocking that traffic because it's outside it's own subnet or it does not have a route back to the LAN subnet.
However you said previously you were able to ping a PC in the LAN and the pings reached it and also the OpenVPN tunnel is set to route all traffic through the tunnel. It's likely some local firewall on the client is blocking it.

Ok now lets test the other way. Try to ping 10.10.10.250 from the remote client at 192.168.100.2.

If that works try to ping some other client on the LAN whist packet capturing on the LAN interface. Do you see the ping requests from 192.168.100.2?

We can provide you a previous version but I'm almost certain it won't help here.

Steve

alainmandine

Hello Steve,
This morning I have done a few trials :
- ping 10.10.10.250 from remote : no reply

• ping another alive server on the 10.10.10.0 network : no reply
• disabled anti-virus and firewall on remote PC : still no reply
• on remote pc added a static route 10.10.10.0/24 to gateway 192.168.100.2 : still no reply but before the route was added when pinging 10.10.10.250 i was getting "waiting time exceeded" and after the addition I was getting "from 192.168.100.2 unable to reach the destination".
  I still want to make a trial with the previous version. Can send the file.
  Tks Rgds Alain

stephenw10

The static route should be via 192.168.100.1, the pfSense end of the tunnel.

It does sounds like it has no route. Check the routing table on the remote PC when the tunnel is up.

Your config is to set a new default gateway on the remote PC when the tunnel comes up so all traffic should come over the tunnel. The remote client might just be refusing to allow that. You could change that setting in the OpenVPN server so that you set 10.10.10.0/24 as a local network and it sends only a route to that.

The static route should do that though.

You will have to open a ticket with us at https://go.netgate.com to get older firmware.

Steve

alainmandine

Hello Steve,
I have changed the route to 192.168.100.1 without improuvement.
I have also tried on a different Windows PC 5Win 10) also without improuvement.
I have issued a ticket to Netgate support but they refuse to give the previous version arguing that the 2.4.4 should work.
I will continue arguing with them.
May be I will try 2.5 which is available for testing.
Rgds Alain

alainmandine

Hello Steve,
GOOD NEWS
I have added these 2 rules and now it works not only I can ping the local network from the remote PC but it has also access to the local servers.

Thanks for your assistance.
Regards Alain

stephenw10

Ah, that would do it! I would have suggested that but in your screenshot above you already had an allow all rule on the OpenVPN interface that would have passed that.

The first version of pfSense that supported the SG-1100 was 2.4.4p1 and the differences to p3 there is minor. It definitely would not have helped here.

Steve