Can Ping But Cannot Access Via HTTP or HTTPS
-
Hello ... I have a site to site VPN stood up pfsense on both sides using OpenVPN. I can ping from one side to another, no problems what-so-ever, but when I try to reach the site which is hosted on that IP, no luck. I do a packet capture and all traffic seems to be flowing properly, but just times out.
-
First, post the server1.conf and the client1.conf (both located here -> /var/etc/openvpn).
Next, can you ping host to host over the tunnel... or just PFsense to PFsense? Also, please clarify what is happening here:
when I try to reach the site which is hosted on that IP, no luck.
-
I’ll post config files when I arrive home. But in regards to clarifying my other statement.
I can ping from a client hanging off the pfsense across the vpn to another client hanging off the pfsense on the other end. But when I try to load the url from that IIS server it only loads the background color and no graphics.
That same url not traversing the VPN works perfectly.
-
here are the files ... also just to re-state my previous post ... I can ping from a client hanging off the pfsense across the vpn to another client hanging off the pfsense on the other end.
But when I try to load the url from that IIS server it only loads the background color and no graphics.
That same url not traversing the VPN works perfectly.
pfsense-openvpn-client_side.txt pfsense-openvpn-server_side.txt
-
@trevordavis What is the LAN subnet at each end?
-
192.168.74/24 - server
10.74.2/24 -
I see a couple of things, which may not be the main issue, but could certainly be contributing to it:
- Both sides are double NAT'd. Not ideal, but also not a big deal in and of itself as long as there's awareness of it and you have access to the edge device if an issue presents itself
- The server-side LAN is 192.168.74.0/24, but the client is routing 192.168.0.0/16 over the tunnel. This overlaps the server-side WAN subnet and is undoubtingly causing an issue of some kind since the server's WAN IP is 192.168.74.74. At a minimum, the client-side will need to modify the IPv4 Remote network(s) line to the correct server-side LAN subnet. Worst case, the server-side may need to assign a new LAN subnet if there's overlap somewhere and then adjust the config accordingly.
- The client-side WAN IP is 10.74.1.74, but the server-side is routing 10.74.1.0/24 over the tunnel which is the client-side WAN subnet. Why are we routing the client-side's WAN subnet over the tunnel here? This should probably be removed.
Other things to look at:
- Verify the IIS server is using PFsense as the default gateway
- Verify the client-side's DNS is resolving the hostname to the correct IP