Netgate Discussion Forum

    VPN Interface can't ping LAN interface hosts

    OpenVPN
    16 Posts 4 Posters 5.9k Views 4 Watching
    • viragomann @w0lverine

      @w0lverine said in VPN Interface can't ping LAN interface hosts:

      And I used the ping in pfsense and can ping 10.9.0.2

      I asked to try the ping in two ways to investigate the issue. One time with default and second with OpenVPN server as source. Are the pings successful in both methods?

      • w0lverine

        @viragomann Pinging my host from the LAN side pings the gateways but not my host... So there is my issue. The LAN can't ping my host hence the host can't ping the LAN.... So why can't it...mmm. Looking more into it.

        • w0lverine

          Okay, I am stuck. Not sure what is going on. Maybe it's on the host's side?

          • viragomann

            Maybe the host blocks access from outside its own subnet. That is the default behaviour of system firewalls.
            I already told you a way to investigate that.

            • kiokoman LAYER 8

              What I can see from your VPNOPT1 screenshot is that states is 0/0,
              no traffic is going there.
              I suspect a routing problem even if your rules are a mess :)
              Try a traceroute and/or use packet capture to see what's happening.

              ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
              Please do not use chat/PM to ask for help
              we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
              Don't forget to Upvote with the 👍 button for any post you find to be helpful.

              • viragomann @kiokoman

                @kiokoman said in VPN Interface can't ping LAN interface hosts:

                What I can see from your VPNOPT1 screenshot is that states is 0/0,
                no traffic is going there.

                The traffic does match the rule on the OpenVPN interface, since there is a rule defined allowing any. So the rules on the VPNOPT1 tab aren't applied.
                See: Rule processing order in the docs.

                • kiokoman LAYER 8

                  I'm pretty sure that I know how rules are processed, but
                  he didn't clarify or I'm not understanding what interface he is using.
                  I will leave this to you then.

                  • milldebogo

                    @w0lverine, I am having exactly the same problem; although my topology has some differences, the incident is the same.

                    I suspect it may be a bug in pfSense version 2.4.4p3; I say this because I have another client with a pfSense 2.4.4p2 and 2 branch offices running Site-to-Site OK.

                    I hope we reach a solution soon; I have spent 3 days searching and testing, and nothing. I will report any progress; I leave you the link to my post.

                    Site-to-Site VPN with OpenVPN, problem connecting to the LAN behind the tunnel

                    • viragomann @kiokoman

                      @kiokoman
                      "OpenVPN" is an interface group containing all OpenVPN instances running there, no matter if an instance has an interface assigned or not. So rules on this tab are processed first. Therefore you should delete all rules on the OpenVPN tab if you assign an interface to an OpenVPN instance and add rules to it, or restrict the OpenVPN rules' source (if you're running multiple VPN instances) so that they're not applied to connections which you want to control on the specific VPN interface.

                      1 Reply Last reply Reply Quote 0
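
The rule processing order described in the post above, as an added example that is not part of the original thread and not pfSense code: a small Python model in which interface-group tabs are evaluated before the interface's own tab and the first matching rule wins. The names `Rule`, `evaluate`, `build` and `demo`, the instance `ovpns2` and all addresses are assumptions made for illustration; floating rules are left out of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str      # "pass" or "block"
    src: str         # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    hits: int = 0    # stands in for the States counter shown on each rule tab

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

def evaluate(tabs, groups, in_iface, src_ip, dst_ip):
    """Inbound check on one interface: tabs of groups that contain the
    interface come first, then the interface's own tab; first match wins."""
    order = [g for g, members in groups.items() if in_iface in members] + [in_iface]
    for tab in order:
        for rule in tabs.get(tab, []):
            if rule.matches(src_ip, dst_ip):
                rule.hits += 1
                return tab, rule.name, rule.action
    return None, "default deny", "block"

def build(group_rule_src):
    # Constructed ruleset: sample addresses, not the poster's configuration.
    tabs = {
        "OpenVPN": [Rule("group allow", "pass", group_rule_src, "0.0.0.0/0")],
        "VPNOPT1": [Rule("VPNOPT1 to LAN", "pass", "10.10.0.0/16", "10.9.0.0/16")],
    }
    # The OpenVPN group holds every instance, assigned (VPNOPT1) or not (ovpns2).
    groups = {"OpenVPN": {"VPNOPT1", "ovpns2"}}
    return tabs, groups

def demo(group_rule_src):
    """Send one packet in on VPNOPT1; return the verdict and the hit count
    of the rule defined on the VPNOPT1 tab."""
    tabs, groups = build(group_rule_src)
    verdict = evaluate(tabs, groups, "VPNOPT1", "10.10.0.6", "10.9.0.2")
    return verdict, tabs["VPNOPT1"][0].hits

if __name__ == "__main__":
    print(demo("0.0.0.0/0"))     # any-any on the group tab: VPNOPT1 rule never hit
    print(demo("10.20.0.0/24"))  # group rule narrowed to another instance's clients
```

With the any-to-any rule on the group tab the VPNOPT1 rule keeps a zero counter even though the packet is passed; once the group rule's source is narrowed, the same packet is decided on the VPNOPT1 tab.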
                      • w0lverine @viragomann

                        @viragomann That is exactly what is happening. But how do I fix that? I thought about adding a rule from the openvpn interface and vpnopt1 to allow traffic to flow from one interface to the LAN and back. But as @kiokoman pointed out, I am not even getting traffic to hit those rules. So I am guessing my firewall rules are wrong?

                        Update:
                        Reviewing my rules - I need to create a net rule from the LAN to VPNOPT1 and vice versa.
                        VPNOPT interface:
                        Screen Shot 2019-09-30 at 3.44.26 PM.png
                        LAN Interface:
                        Screen Shot 2019-09-30 at 3.44.09 PM.png

                        But no traffic is getting through and I am not sure why.

                        • viragomann

                          That means, since you have a rule on the top of the OpenVPN interface group which allows any to any, this rule will be processed on any traffic arriving on any OpenVPN interface, while rules you have defined on the VPNOPT1 will never hit.
                          That is only the explanation why you see no traffic on the VPNOPT1 rules. But that is not the problem here.

                          I asked you twice:
                          @viragomann said in VPN Interface can't ping LAN interface hosts:

                          @w0lverine said in VPN Interface can't ping LAN interface hosts:

                          And I used the ping in pfsense and can ping 10.9.0.2

                          I asked to try the ping in two ways to investigate the issue. One time with default and second with OpenVPN server as source. Are the pings successful in both methods?

                          ...but didn't get a satisfying answer. I have to know what exactly happens in one case and what in the other one.

                          I also told you to do

                          @viragomann said in VPN Interface can't ping LAN interface hosts:

                          @w0lverine said in VPN Interface can't ping LAN interface hosts:

                          Then I pushed out a route push "route 10.9.0.1 255.255.0.0" on the vpn server but that didn't work either.

                          Instead of that use the "Local Network/s" box. Type in
                          10.9.0.0/16

                          but you still go on

                          @w0lverine said in VPN Interface can't ping LAN interface hosts:

                          I added a route to the openvpn server push "route 10.9.0.0/16"

                          So since you're not doing what I advised and giving feedback, I'm not able to help.

                          • w0lverine @viragomann

                            @viragomann Excuse me, you don't have to be rude. I was actually not surprised you said what you said based on your previous comment. There is a difference between being direct and being rude. Learn to Master it.

                            But on to the question.

                            @w0lverine said in VPN Interface can't ping LAN interface hosts:

                            @viragomann Thanks for the help.
                            First I can now ping the 10.9.0.1 gateway but still can not ping the 10.9.0.2 host

                            1. I added a route to the openvpn server push "route 10.9.0.0/16"

                            So there is some miscommunication going on here. It was my misunderstanding I need to replace push "route 10.9.0.1 255.255.0.0" with push route 10.9.0.0/16 but looking more carefully, you meant there is a section in the server to add just 10.9.0.0/16 in. Which currently I have 10.10.0.0/16 in. Is this the same section you are referring to?

                            Screen Shot 2019-10-01 at 10.27.16 AM.png
                            As for using ping in the diagnostics section my response:

                            @w0lverine said in VPN Interface can't ping LAN interface hosts:

                            @viragomann Pinging my host from the LAN side pings the gateways but not my host... So there is my issue. The LAN can't ping my host hence the host can't ping the LAN.... So why can't it...mmm. Looking more into it.

                            To clarify I did more than just above:
                            One time with default - Successful ping
                            Openvpn as source - Failed ping

                            • viragomann @w0lverine

                              I don't get rude, I stated that I am not able to help if I don't get answers to my questions and you don't heed my advice.

                              @w0lverine said in VPN Interface can't ping LAN interface hosts:

                              I need to replace push "route 10.9.0.1 255.255.0.0"

                              That option is handled by the "IPv4 Local network(s)" section in the GUI. However, that option is only visible if "Redirect IPv4 Gateway" is not ticked.
                              Having that ticked and adding a push route command into the custom options may end up in odd behaviour.

                              @w0lverine said in VPN Interface can't ping LAN interface hosts:

                              To clarify I did more than just above:
                              One time with default - Successful ping
                              Openvpn as source - Failed ping

                              If that is the case, there are two possible reasons:

                              • The pfSense is not the default gateway on the host.
                              • The host blocks access from outside its own subnet. If that's the case you have to solve it on the host.
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.