Netgate Discussion Forum

    Some clients can ping lan some can't.

    OpenVPN
    openvpn problem
    careymichael @Rico

      @Rico This is the IP and route info on a machine that can connect.

      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
      options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
      inet 127.0.0.1 netmask 0xff000000
      inet6 ::1 prefixlen 128
      inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
      nd6 options=201<PERFORMNUD,DAD>
      gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
      stf0: flags=0<> mtu 1280
      XHC0: flags=0<> mtu 0
      XHC20: flags=0<> mtu 0
      XHC1: flags=0<> mtu 0
      en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      ether f0:18:98:08:1b:47
      inet 10.70.0.74 netmask 0xffffff00 broadcast 10.70.0.255
      media: autoselect
      status: active
      en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
      options=60<TSO4,TSO6>
      ether b2:00:e8:71:41:01
      media: autoselect <full-duplex>
      status: inactive
      en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
      options=60<TSO4,TSO6>
      ether b2:00:e8:71:41:00
      media: autoselect <full-duplex>
      status: inactive
      en4: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
      options=60<TSO4,TSO6>
      ether b2:00:e8:71:41:05
      media: autoselect <full-duplex>
      status: inactive
      en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
      options=60<TSO4,TSO6>
      ether b2:00:e8:71:41:04
      media: autoselect <full-duplex>
      status: inactive
      bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      options=63<RXCSUM,TXCSUM,TSO4,TSO6>
      ether b2:00:e8:71:41:00
      Configuration:
      id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
      maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
      root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
      ipfilter disabled flags 0x2
      member: en1 flags=3<LEARNING,DISCOVER>
      ifmaxaddr 0 port 11 priority 0 path cost 0
      member: en2 flags=3<LEARNING,DISCOVER>
      ifmaxaddr 0 port 13 priority 0 path cost 0
      member: en3 flags=3<LEARNING,DISCOVER>
      ifmaxaddr 0 port 10 priority 0 path cost 0
      member: en4 flags=3<LEARNING,DISCOVER>
      ifmaxaddr 0 port 12 priority 0 path cost 0
      media: <unknown type>
      status: inactive
      p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
      ether 02:18:98:08:1b:47
      media: autoselect
      status: inactive
      awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
      ether b2:00:b0:b6:35:c9
      inet6 fe80::b000:b0ff:feb6:35c9%awdl0 prefixlen 64 scopeid 0x10
      nd6 options=201<PERFORMNUD,DAD>
      media: autoselect
      status: active
      utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
      inet6 fe80::5366:e0a3:af1d:ab20%utun0 prefixlen 64 scopeid 0x11
      nd6 options=201<PERFORMNUD,DAD>
      en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      options=4<VLAN_MTU>
      ether a0:ce:c8:31:17:f3
      media: autoselect (none)
      status: inactive
      en7: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      ether ac:de:48:00:11:22
      inet6 fe80::aede:48ff:fe00:1122%en7 prefixlen 64 scopeid 0x8
      nd6 options=201<PERFORMNUD,DAD>
      media: autoselect
      status: active
      utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
      inet 10.200.4.2 --> 10.200.4.2 netmask 0xffffff00

      Routing tables

      Internet:
      Destination Gateway Flags Refs Use Netif Expire
      default 10.70.0.1 UGSc 110 0 en0
      10.50/23 10.200.4.1 UGSc 0 0 utun1
      10.70/24 link#9 UCS 27 0 en0 !
      10.70.0.1/32 link#9 UCS 1 0 en0 !
      10.70.0.1 60:3d:26:68:45:c0 UHLWIir 35 2859 en0 1198
      10.70.0.7 e4:e7:49:42:ec:d5 UHLWI 0 0 en0 1094
      10.70.0.8 64:5d:86:cf:e9:9b UHLWIi 1 154 en0 626
      10.70.0.9 80:c5:f2:84:56:ca UHLWI 0 6 en0 1069
      10.70.0.10 d0:c5:d3:4c:d:4d UHLWI 0 6 en0 1101
      10.70.0.24 90:e1:7b:9a:fe:9a UHLWI 0 0 en0 984
      10.70.0.28 b0:70:2d:d1:8d:aa UHLWI 0 0 en0 531
      10.70.0.31 38:f9:d3:31:1b:8d UHLWI 0 0 en0 732
      10.70.0.32 64:c7:53:c0:7d:9a UHLWI 0 0 en0 602
      10.70.0.34 a4:83:e7:50:eb:3f UHLWI 0 0 en0 1145
      10.70.0.36 78:4f:43:4c:f4:c0 UHLWI 0 0 en0 724
      10.70.0.74/32 link#9 UCS 0 0 en0 !
      10.70.0.91 70:2a:d5:64:1a:36 UHLWI 0 10 en0 1200
      10.70.0.94 a4:83:e7:50:e4:ec UHLWI 0 0 en0 1199
      10.70.0.121 f8:6f:c1:89:59:25 UHLWI 0 0 en0 210
      10.70.0.128 8c:85:90:3c:59:e8 UHLWI 0 0 en0 848
      10.70.0.138 38:f9:d3:71:97:fc UHLWI 0 0 en0 1145
      10.70.0.141 74:70:fd:76:15:88 UHLWI 0 0 en0 515
      10.70.0.152 8c:86:1e:38:6b:51 UHLWI 0 0 en0 471
      10.70.0.160 f4:5c:89:a2:f0:5 UHLWI 0 0 en0 1200
      10.70.0.177 3c:15:c2:c5:69:e4 UHLWI 0 0 en0 1065
      10.70.0.178 4c:56:9d:d:a9:be UHLWI 0 0 en0 983
      10.70.0.180 f0:18:98:74:5b:89 UHLWI 0 0 en0 1200
      10.70.0.183 78:4f:43:5c:bf:58 UHLWI 0 0 en0 1199
      10.70.0.197 64:5a:ed:92:0:e9 UHLWI 0 0 en0 191
      10.70.0.204 94:bf:2d:45:88:b3 UHLWI 0 0 en0 552
      10.70.0.207 3c:2e:f9:12:92:30 UHLWI 0 0 en0 305
      10.70.0.226 a4:83:e7:93:51:88 UHLWI 0 0 en0 912
      10.70.0.235 70:2a:d5:63:f9:d8 UHLWI 0 10 en0 1198
      10.200/22 10.200.4.1 UGSc 1 83 utun1
      10.200.4/24 10.200.4.2 UGSc 7 0 utun1
      10.200.4.2 10.200.4.2 UH 1 0 utun1
      127 127.0.0.1 UCS 0 0 lo0
      127.0.0.1 127.0.0.1 UH 4 116765 lo0
      169.254 link#9 UCS 0 0 en0 !
      172.18/21 10.200.4.1 UGSc 1 0 utun1
      192.168.4/22 10.200.4.1 UGSc 0 0 utun1
      198.18.0/16 10.200.4.1 UGSc 0 0 utun1
      224.0.0/4 link#9 UmCS 2 0 en0 !
      224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
      239.255.255.250 1:0:5e:7f:ff:fa UHmLWI 0 142 en0
      255.255.255.255/32 link#9 UCS 0 0 en0 !

      kiokoman LAYER 8

        could it be related to this? https://forum.netgate.com/post/830456

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        careymichael @kiokoman

          @kiokoman Yes this seems to be exactly the same issue. I get ERROR: FreeBSD route add command failed: external program exited with error status:1

          Is there another way to fix this rather than using an external script? I'm running a new version of code 2.4.4-RELEASE-p3.

          kiokoman LAYER 8

            I really don't know, I was searching for a solution for you and I found that post.
            @jimp do you already have/do you need a bug report for this? Or are you aware of a possible cause and solution?


            jimp Rebel Alliance Developer Netgate

              I doubt there is a bug here. Probably something in the setup/config but please don't ping me or other devs directly for this kind of thing.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                kiokoman LAYER 8

                sorry I'm probably putting too much enthusiasm into it :)


                  careymichael @kiokoman

                  @kiokoman Some more info.

                  If I restart OpenVPN the following routes are added automatically without any connections to the VPN.

                  10.200.4.1 link#26 UHS lo0
                  10.200.4.2 link#26 UH ovpns2

                  When the first client connects it gets 10.200.4.2, which is the only one that works because the route is already there.

                  When the second client connects it gets 10.200.4.3. The route add fails on the pfSense. If I manually add the route using route add -host 10.200.4.2 10.200.4.1, the client still can't connect to internal systems. Using packet capture I can see the traffic going inbound only on the OpenVPN interface. On the LAN, when I add the route, I can see both the sent packet and the return packet. It seems that the LAN isn't routing the packet back to the OpenVPN interface.

                  The first client can ping itself and the VPN gateway 10.200.4.1.
                  The second client can't ping itself or the VPN gateway.

                  Is there a way to see why the route add is failing? It just says returned a status of 1.

                    kiokoman LAYER 8

                    If I understand it right ..
                    route add -host 10.200.4.3 -interface ovpns2
                    before connecting the second client


                      careymichael @kiokoman

                      @kiokoman Hehe, I was just googling that. That works. I can now ping internal hosts. Oddly enough I can now ping myself 10.200.4.3 and the gateway 10.200.4.. This I find odd because that should be L2 from my host.

                      Is there some way to get more logs regarding why the automatic route add is failing?

                        kiokoman LAYER 8

                        Increase the Verbosity level option for OpenVPN.


                          careymichael @kiokoman

                          @kiokoman More Info.

                          Interesting I get the following.

                          Sep 23 16:43:52 openvpn 19893 ERROR: FreeBSD route add command failed: external program exited with error status: 1
                          Sep 23 16:43:52 openvpn 19893 /sbin/route add -net 10.200.4.0 10.200.4.2 255.255.255.0

                          This makes sense because 10.200.4.2 exists (not sure why). This is created automatically when openvpn is re/started on the pfsense. I haven't been able to see the error when .3 is given out. The verbosity is high and I can only see 2000 entries. So finding the route is kind of tough.

                            kiokoman LAYER 8

                            Restart OpenVPN, connect the first client, clear the log,
                            connect the second client and see what is logged.


                              careymichael @kiokoman

                              @kiokoman Set up a syslog server and turned up logging to 11. Found some interesting things.

                              When the server openvpn service is started I see the following entries.

                              ifconfig_local = '10.200.4.1'
                              ifconfig_remote_netmask = '255.255.255.0'
                              route_script = '[UNDEF]'
                              route_default_gateway = '10.200.4.2'
                              route_default_metric = 0
                              route_noexec = DISABLED
                              route_delay = 0
                              route_delay_window = 30
                              route_delay_defined = DISABLED
                              route_nopull = DISABLED
                              route_gateway_via_dhcp = DISABLED
                              allow_pull_fqdn = DISABLED

                              server_network = 10.200.4.0
                              server_netmask = 255.255.255.0
                              push_entry = 'route-gateway 10.200.4.1'
                              push_entry = 'topology subnet'

                              ifconfig_pool_defined = ENABLED
                              ifconfig_pool_start = 10.200.4.2
                              ifconfig_pool_end = 10.200.4.253
                              ifconfig_pool_netmask = 255.255.255.0
                              ifconfig_pool_persist_filename = '[UNDEF]'
                              ifconfig_pool_persist_refresh_freq = 600
                              ifconfig_ipv6_pool_defined = DISABLED
                              ifconfig_ipv6_pool_base = ::
                              ifconfig_ipv6_pool_netbits = 0

                              /sbin/ifconfig ovpns2 10.200.4.1 10.200.4.2 mtu 1500 netmask 255.255.255.0 up
                              /sbin/route add -net 10.200.4.0 10.200.4.2 255.255.255.0
                              IFCONFIG POOL: base=10.200.4.2 size=252, ipv6=0

                              1st client connecting, getting 10.200.0.2 (note that it is set as the default gateway of the server above)

                              MULTI_sva: pool returned IPv4=10.200.4.2, IPv6=(Not enabled)
                              MULTI: Learn: 10.200.4.2 -> user1/XXX.XXX.XXX.XXX:1194
                              MULTI: primary virtual IP for user1/XXX.XXX.XXX.XXX:1194: 10.200.4.2

                              I don't see a route add on the server side at all. I grep for it and only find this for the client connect

                              user1/XXX.XXX.XXX.XXX:1194 SENT CONTROL [michael.carey]: 'PUSH_REPLY,route 172.18.0.0 255.255.248.0,route 198.18.0.0 255.255.0.0,route 192.168.4.0 255.255.252.0,route 10.50.0.0 255.255.254.0,route 10.200.0.0 255.255.252.0,dhcp-option DOMAIN xxxxxx.com,dhcp-option DNS 172.18.2.6,dhcp-option DNS 10.200.0.1route-gateway 10.200.4.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.200.4.2 255.255.255.0,peer-id 0' (status=1)

                              2nd client connecting

                              MULTI_sva: pool returned IPv4=10.200.4.3, IPv6=(Not enabled)
                              MULTI: Learn: 10.200.4.3 -> user2/50.208.131.246:5238
                              MULTI: primary virtual IP for user2/50.208.131.246:5238: 10.200.4.3
                              Again no route on the server side

                              only the push

                              user/XXX.XXX.XXX.XXX:5238 SENT CONTROL [mike]: 'PUSH_REPLY,route 172.18.0.0 255.255.248.0,route 198.18.0.0 255.255.0.0,route 192.168.4.0 255.255.252.0,route 10.50.0.0 255.255.254.0,route 10.200.0.0 255.255.252.0,dhcp-option DOMAIN xxxxx.com,dhcp-option DNS 172.18.2.6,dhcp-option DNS 10.200.0.1,route-gateway 10.200.4.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.200.4.3 255.255.255.0,peer-id 1' (status=1)

                                kiokoman LAYER 8

                                Nothing related to "FreeBSD route add command failed: external program exited with error status: 1"?
                                The first route already exists, so the question is: why are the others not created if they are needed? I will try to test it in my lab but I first need some hours of sleep.


                                  careymichael @kiokoman

                                  @kiokoman That does happen when the server starts and it runs /sbin/route add -net 10.200.4.0 10.200.4.2 255.255.255.0, only because it is already there. If I delete the route and start the server it doesn't happen. It doesn't happen when the client connects; there are no route add commands in the log when the client connects. I figured this out yesterday. It seems like there should be. Is there a way to configure the pool to start with 10.200.4.3? I'm wondering if, because it is giving out its own default route to a client, that is what is breaking it. I'm not sure why it is taking .1 and .2 and using .2 as its default route. It doesn't make sense to me. It is behind a CARP interface that is on a clustered virtual IP, so could it be taking 2 addresses because there are 2 addresses under it on the LAN interface?

                                    careymichael @kiokoman

                                    @kiokoman I figured out how to configure the pool. server 10.200.4.0 255.255.255.0 'nopool';ifconfig-pool 10.200.4.3 10.200.4.253. Unfortunately that didn't work. Now no client that connects can ping anything on the other side of the tunnel.

                                      kiokoman LAYER 8

                                      OK, so that error is only spam in the log. I was able to configure some VM machines to test this but I had the time to connect only 1 client; the route was already there so the first client was working. This evening after work I will check what happens with the second client.


                                        careymichael @kiokoman

                                        @kiokoman I figured it out. For some reason I had a static route 10.200.4.0 pointing to the LAN interface. I got rid of that and everything worked. I'm not sure why .2 worked at all.

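The stale static route found above (10.200.4.0 pointing at the LAN interface) is the kind of conflict a quick look at the routing table would have surfaced. The following is an added example, not code from the thread, from pfSense or from OpenVPN: it parses `netstat -rn`-style output (a constructed sample in the pfSense 2.4 column layout, with made-up interface names em0/em1 and gateway 203.0.113.1) and reports every route covering the OpenVPN server network that leaves via anything other than the tunnel interface or lo0.

```python
"""Added example (not from the thread): find routes that pull the OpenVPN
server subnet away from the tunnel interface in FreeBSD `netstat -rn` output."""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_dest(dest: str) -> ipaddress.IPv4Network:
    """Expand FreeBSD's abbreviated destinations ('10.200.4/24', '127', '10.200.4.1')."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        # No prefix length: a full dotted quad is a host route, a bare prefix is classful.
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)


def parse_routes(text: str) -> List[Route]:
    """Parse the IPv4 section of `netstat -rn`; also tolerates the macOS Refs/Use columns."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or ":" in parts[0]:
            continue  # header, blank, or IPv6 line
        if not (parts[0] == "default" or parts[0][0].isdigit()):
            continue
        # Netif is the first non-numeric token after Flags ('!' markers and Expire are skipped).
        netif = next(p for p in parts[3:] if not p.isdigit() and p != "!")
        routes.append(Route(parse_dest(parts[0]), parts[1], parts[2], netif))
    return routes


def conflicting_routes(routes: List[Route], vpn_net: str, tun_if: str) -> List[Route]:
    """Routes overlapping the VPN server network that do not leave via the tunnel (or lo0)."""
    net = ipaddress.IPv4Network(vpn_net)
    return [r for r in routes
            if r.dest.prefixlen > 0 and r.dest.overlaps(net)
            and r.netif not in (tun_if, "lo0")]


# Constructed sample in pfSense 2.4 layout; em0/em1 and 203.0.113.1 are made up.
# The 10.200.4.0/24 route via em1 plays the stale LAN static route from the thread.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.70.0.0/24       link#2             U           em1
10.200.4.0/24      10.70.0.1          UGS         em1
10.200.4.1         link#26            UHS         lo0
10.200.4.2         link#26            UH       ovpns2
127.0.0.1          link#1             UH          lo0
"""


def check_sample() -> List[Route]:
    return conflicting_routes(parse_routes(SAMPLE_NETSTAT), "10.200.4.0/24", "ovpns2")


if __name__ == "__main__":
    for r in check_sample():
        print(f"{r.dest} via {r.gateway} on {r.netif}: takes the VPN subnet away from ovpns2")
```

On a live pfSense box the same check runs over the real table with `parse_routes(subprocess.check_output(["netstat", "-rn"], text=True))`.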
                                          kiokoman LAYER 8

                                          Glad you found out.
                                          Did you restart pfSense to see if it is completely solved?
                                          When was that route created? Any guess?


                                            careymichael

                                            I can't restart because it is in production for other purposes. I did restart openvpn a couple times and it worked. I had to have added it since I set it up. It was a couple months ago so I don't remember when or why though. It's a good thing to know that behavior though in case someone else has the issue.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.