Netgate Discussion Forum

2 instances, cannot ping local machines through first vpn

    phil123456
    last edited by Jun 10, 2016, 8:58 AM

    Hello,

    I got two pfsense boxes

    they are linked to the same LAN network (192.168.1.0) with IPs 192.168.1.1 and 192.168.1.2 and they can ping each other

    my vpn is installed on the first instance, and through the VPN I can then ping all the machines but I cannot ping 192.168.1.2

    although they are all on the same network

    can someone enlighten me? how is this possible?

    thanks

      johnpoz LAYER 8 Global Moderator
      last edited by Jun 11, 2016, 4:27 PM

      And you're pinging 192.168.1.2 from what IP when you're connected via the vpn on pfsense 1?

      What is the tunnel network that you assign to your vpn client?  Your clients on the network using 192.168.1.1 as gateway would be able to answer back no matter what IP it is.

      But why would pfsense 2 talk to pfsense 1 to get to where??  And what are the firewall rules on pfsense 2 btw?  If you're normally set for lan net that allow, why would the firewall even allow some vpn tunnel network from pfsense 1 to ping it?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        phil123456
        last edited by Jun 13, 2016, 9:01 AM Jun 13, 2016, 8:37 AM

        Actually I can't ping 192.168.1.2 (pfsense local nic)
        192.168.1.23 and 192.168.1.24 (web front ends)

        "And you're pinging 192.168.1.2 from what IP when you're connected via the vpn on pfsense 1?"

        my local pc gets 192.168.2.2

        "What is the tunnel network that you assign to your vpn client?"

        192.168.2.0/24
        which was the default one in the settings, I thought it was supposed to be a different subnet so it doesn't conflict with the local one

        "Your clients on the network using 192.168.1.1 as gateway would be able to answer back no matter what IP it is."

        Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
          Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19
          IPv4 Address. . . . . . . . . . . : 192.168.2.2
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . :

        on my pc, openvpn client does not configure a gateway, don't know if it is supposed to be that way …

        "But why would pfsense 2 talk to pfsense 1 to get to where??  And what are the firewall rules on pfsense 2 btw?  If you're normally set for lan net that allow, why would the firewall even allow some vpn tunnel network from pfsense 1 to ping it?"

        pfsense 1 load balances a couple of machines (apache) and pfsense 2 load balances other machines (lighttpd)
        but they are all on the same vlan/network

        I just use pfsense 1 to vpn to that network... never said pfsense 1 should talk to pfsense 2,
        If I take the pfsense console I can ping the other pfsense
        I just can't ping them through the VPN although they are on the same network

        pfsense 2 has default firewall rules

        also as I enabled split tunneling, I added :

        push "route 192.168.1.0 255.255.255.0"

          viragomann
          last edited by Jun 13, 2016, 12:00 PM

          So if you attempt to access pfSense2 over VPN, it will send response packets to its default upstream gateway instead of back to pfSense1.

          You will have to add a static route to pfSense2 to direct packets meant for the VPN network to pfSense1.

          System > Routing
          First add your pfSense1 LAN address as a gateway here on the LAN interface. Do not check "default gateway".
          Then go to the static routes tab and add a route for your VPN tunnel network 192.168.2.0/24 and select the gateway you've added above.

            phil123456
            last edited by Jun 14, 2016, 6:30 AM

            wonderful
            so from my pc I can ping 192.168.1.23 and 24 but not the gateway 192.168.1.2 (not really a problem so far)

            but why is html not passing through?

            I can't reach those web servers with firefox

            pretty sure I have to add a rule in the firewall? on both gateways?

              viragomann
              last edited by Jun 14, 2016, 7:41 AM

              @phil123456:

              but why is html not passing through?

              I can't reach those web servers with firefox

              You want to reach websites on 192.168.1.23 and 24 over VPN? Presumably by their public hostname?
              To get this to work, you need an internal DNS (split DNS) and push the DNS server to your VPN client, or you can activate NAT reflection in the appropriate NAT rules.

                phil123456
                last edited by Jun 14, 2016, 10:07 AM

                no, only via ip address

                there is no dns, I use static IPs and hosts files, my frontends are managed via vpn and load balanced via pfSense

                  viragomann
                  last edited by Jun 14, 2016, 10:25 AM

                  To access them via internal IP shouldn't be a problem. You just need a firewall rule on the VPN interface which allows this.
                  From a routing aspect, if ping works to these web servers, web access should work also.

                  If it doesn't, enable logging and check the firewall logs to see if it is blocked by pfSense.

                    phil123456
                    last edited by Jun 14, 2016, 10:47 AM Jun 14, 2016, 10:40 AM

                    in firewall/rules/openvpn

                    for IPv4 I got a * * * * * rule created by the openvpn wizard

                    I also tested ssh connections, it does not work

                    I tried adding a * * * * LAN rule as a test on both firewalls, but with no luck

                    I don't see any entry in the logs concerning the ip I try to access

                      phil123456
                      last edited by Jun 14, 2016, 1:52 PM Jun 14, 2016, 1:34 PM

                      is the traffic in the firewall log blocked? cos I added 2 LAN rules

                      source 192.168.2.0/24
                      destination 192.168.1.0/24

                      and

                      source 192.168.1.0/24
                      destination 192.168.2.0/24

                      now the entries concerning my http requests on 192.168.1.23 don't show up anymore in the log, but I still cannot access it via firefox

                      also something weird: in the logs, port 80 is the source port while it should be the destination port

                        phil123456
                        last edited by Jun 15, 2016, 6:13 AM

                        anyone?

                        please, this is a serious issue and I really need help on this one

                        thanks

                          viragomann
                          last edited by Jun 15, 2016, 8:34 AM

                          So what does the filter log say?
                          Post a screenshot, please.

                          Also post your client's routing table.

                            phil123456
                            last edited by Jun 15, 2016, 1:40 PM Jun 15, 2016, 1:34 PM

                            below are my firewall rules, route print and filter log on the second pfsense

                            as mentioned before it really seems odd that port 80 is at the source and not the destination

                            on the first pfsense (VPN)

                            on the second pfsense

                            
                            Ethernet adapter Local Area Connection 2:
                            
                               Connection-specific DNS Suffix  . :
                               Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19
                               IPv4 Address. . . . . . . . . . . : 192.168.2.2
                               Subnet Mask . . . . . . . . . . . : 255.255.255.0
                               Default Gateway . . . . . . . . . :
                            
                            Ethernet adapter Local Area Connection:
                            
                               Connection-specific DNS Suffix  . : ***************.net
                               Link-local IPv6 Address . . . . . : fe80::249d:c73d:286b:eac1%11
                               IPv4 Address. . . . . . . . . . . : 172.16.27.168
                               Subnet Mask . . . . . . . . . . . : 255.255.255.128
                               Default Gateway . . . . . . . . . : 172.16.27.254
                            
                            Ethernet adapter VMware Network Adapter VMnet1:
                            
                               Connection-specific DNS Suffix  . :
                               Link-local IPv6 Address . . . . . : fe80::1813:2fe0:5bcb:1930%16
                               IPv4 Address. . . . . . . . . . . : 192.168.88.1
                               Subnet Mask . . . . . . . . . . . : 255.255.255.0
                               Default Gateway . . . . . . . . . :
                            
                            Ethernet adapter VMware Network Adapter VMnet8:
                            
                               Connection-specific DNS Suffix  . :
                               Link-local IPv6 Address . . . . . : fe80::f435:d6ac:24e4:15ab%17
                               IPv4 Address. . . . . . . . . . . : 192.168.29.1
                               Subnet Mask . . . . . . . . . . . : 255.255.255.0
                               Default Gateway . . . . . . . . . :
                            
                            
                            ===========================================================================
                            Interface List
                             19...00 ff 28 05 3d 13 ......TAP-Windows Adapter V9
                             11...88 51 fb 40 a4 b3 ......Intel(R) 82579LM Gigabit Network Connection
                             16...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
                             17...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
                              1...........................Software Loopback Interface 1
                             13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
                             12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
                             15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
                             14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
                             18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
                            ===========================================================================
                            
                            IPv4 Route Table
                            ===========================================================================
                            Active Routes:
                            Network Destination        Netmask          Gateway       Interface  Metric
                                      0.0.0.0          0.0.0.0    172.16.27.254    172.16.27.168    266
                                    127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
                                    127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
                              127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                                172.16.27.128  255.255.255.128         On-link     172.16.27.168    266
                                172.16.27.168  255.255.255.255         On-link     172.16.27.168    266
                                172.16.27.255  255.255.255.255         On-link     172.16.27.168    266
                                  192.168.1.0    255.255.255.0      192.168.2.1      192.168.2.2     20
                                  192.168.2.0    255.255.255.0         On-link       192.168.2.2    276
                                  192.168.2.2  255.255.255.255         On-link       192.168.2.2    276
                                192.168.2.255  255.255.255.255         On-link       192.168.2.2    276
                                 192.168.29.0    255.255.255.0         On-link      192.168.29.1    276
                                 192.168.29.1  255.255.255.255         On-link      192.168.29.1    276
                               192.168.29.255  255.255.255.255         On-link      192.168.29.1    276
                                 192.168.88.0    255.255.255.0         On-link      192.168.88.1    276
                                 192.168.88.1  255.255.255.255         On-link      192.168.88.1    276
                               192.168.88.255  255.255.255.255         On-link      192.168.88.1    276
                                    224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
                                    224.0.0.0        240.0.0.0         On-link       192.168.2.2    276
                                    224.0.0.0        240.0.0.0         On-link      192.168.88.1    276
                                    224.0.0.0        240.0.0.0         On-link      192.168.29.1    276
                                    224.0.0.0        240.0.0.0         On-link     172.16.27.168    266
                              255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                              255.255.255.255  255.255.255.255         On-link       192.168.2.2    276
                              255.255.255.255  255.255.255.255         On-link      192.168.88.1    276
                              255.255.255.255  255.255.255.255         On-link      192.168.29.1    276
                              255.255.255.255  255.255.255.255         On-link     172.16.27.168    266
                            ===========================================================================
                            Persistent Routes:
                              Network Address          Netmask  Gateway Address  Metric
                                      0.0.0.0          0.0.0.0    172.16.27.254  Default
                            ===========================================================================
                            
                            IPv6 Route Table
                            ===========================================================================
                            Active Routes:
                             If Metric Network Destination      Gateway
                              1    306 ::1/128                  On-link
                             19    276 fe80::/64                On-link
                             16    276 fe80::/64                On-link
                             17    276 fe80::/64                On-link
                             11    266 fe80::/64                On-link
                             16    276 fe80::1813:2fe0:5bcb:1930/128
                                                                On-link
                             11    266 fe80::249d:c73d:286b:eac1/128
                                                                On-link
                             19    276 fe80::7d8b:d819:a21a:5440/128
                                                                On-link
                             17    276 fe80::f435:d6ac:24e4:15ab/128
                                                                On-link
                              1    306 ff00::/8                 On-link
                             19    276 ff00::/8                 On-link
                             16    276 ff00::/8                 On-link
                             17    276 ff00::/8                 On-link
                             11    266 ff00::/8                 On-link
                            ===========================================================================
                            Persistent Routes:
                              None
                            
                            

                            the filter log on the second pfsense
                            apparently the address I try to ping (192.168.1.23) is coming back

                              johnpoz LAYER 8 Global Moderator
                              last edited by Jun 15, 2016, 2:14 PM

                              Your firewall log is showing 192.168.1.23 trying to answer, but it's going through your second pfsense so this traffic is out of state, so yeah it would be blocked.

                              So we are all clear what you're doing..  The attached is your network?  And what you're trying to do.

                              What is the gateway for this server?

                              As I tried to explain before..  If your vpn user is coming in pfsense 1 and has an IP address of 192.168.2.x, for the server to answer it will need to know to talk to pfsense 1 to talk to 192.168.2/?  Or it will need to use pfsense 1 as its default gateway.

                              For the vpn user to talk to pfsense 2, its lan rules will have to allow access from 192.168.2/?  And it will need to know that to get back to 192.168.2.x it needs to talk to pfsense 1.

                              vpndualpfsense.png

                                phil123456
                                last edited by Jun 16, 2016, 7:33 AM Jun 16, 2016, 6:21 AM

                                you told me to set a static route so 192.168.1.23 would reply via vpn (192.168.1.1) instead of its default gateway (192.168.1.2)

                                I created that route, so the ping is working… but not other protocols, so is it not a firewall rule issue? (shouldn't be since it's all local communications, even for the vpn)

                                maybe my setup is not right, but it looks pretty straightforward, am I missing something?

                                apparently only ping makes use of the static route

                                just found out in the doc, when using VPN, one should not use static routes but network definitions

                                https://doc.pfsense.org/index.php/Static_Routes
                                "Never add static routes for networks reachable via OpenVPN. Such routes are managed by OpenVPN itself using Remote Network definitions, not static routes."

                                but it does not give more details…

                                  viragomann
                                  last edited by Jun 16, 2016, 7:47 AM

                                  The doc you mentioned is meant for VPN and static routes on a unique node, not on different ones.

                                  However, yes, in your case the static route has to be set on each LAN host you want to reach for it to work properly. If these are only the two hosts mentioned, this is not much work.

                                    Derelict LAYER 8 Netgate
                                    last edited by Jun 16, 2016, 8:57 AM

                                    Or outbound NAT on the 192.168.1.1 interface so connections from the VPN clients to LAN hosts masquerade as source IP 192.168.1.1.  If you need to identify what OpenVPN client is making the connections you could use a range of IP addresses, VIPs, and 1:1 NAT.

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      phil123456
                                      last edited by Jun 16, 2016, 9:42 AM

                                      sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1

                                      works like a charm

                                      so apparently pfsense2 receives the packets returning from 192.168.1.23

                                      and cannot send them to pfsense1 although a lan to lan full allowing rule is in place

                                      not nice but efficient :-)
                                      also I use a config pusher so in case of more machines I can still push that rule (I guess, gonna check that out)

                                      thanks for your wonderful support everyone

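As an added example (not code from this thread, from the posters or from pfSense), the Python model below reproduces the asymmetric routing johnpoz explains above and compares the three fixes the thread discusses: the static route on pfSense2, the `route add` on the server from the last post, and Derelict's outbound NAT. The routing tables and the stateful-firewall behaviour are constructed assumptions that match the posts; "ISP" stands in for pfSense2's unnamed upstream gateway.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop); "on-link" = directly attached."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def base_topology():
    """Constructed from the thread: node -> (addresses, routing table)."""
    return {
        "client":   (["192.168.2.2"], [("192.168.2.0/24", "on-link"),
                                       ("192.168.1.0/24", "192.168.2.1"),    # pushed by OpenVPN
                                       ("0.0.0.0/0", "172.16.27.254")]),
        "pfsense1": (["192.168.1.1", "192.168.2.1"],
                     [("192.168.1.0/24", "on-link"), ("192.168.2.0/24", "on-link")]),
        "pfsense2": (["192.168.1.2"], [("192.168.1.0/24", "on-link"), ("0.0.0.0/0", "ISP")]),
        "server":   (["192.168.1.23"], [("192.168.1.0/24", "on-link"),
                                        ("0.0.0.0/0", "192.168.1.2")]),   # default gw = pfSense2
    }

FIREWALLS = {"pfsense1", "pfsense2"}   # stateful (pf) nodes

def owner(topo, addr):
    return next((n for n, (addrs, _) in topo.items() if addr in addrs), None)

def trace(topo, src, dst):
    # Follow next hops from node src towards address dst; returns the node path.
    path, node = [src], src
    for _ in range(len(topo)):                  # hop budget guards against loops
        if owner(topo, dst) == node:
            return path
        nh = lookup(topo[node][1], dst)
        node = None if nh is None else owner(topo, dst if nh == "on-link" else nh)
        if node is None:                        # no route, or next hop outside the model
            return path + ["lost"]
        path.append(node)
    return path + ["loop"]

def tcp_reply_delivered(topo, reply_dst="192.168.2.2"):
    """Client SYN goes one way, the SYN/ACK comes back by the server's own routing.
    A pf firewall that never saw the SYN has no state, and its default 'flags S/SA'
    drops a non-SYN TCP packet (an ICMP echo reply has no flags, so a LAN allow rule
    passes it anyway: that is why ping worked in the thread while TCP did not)."""
    forward = trace(topo, "client", "192.168.1.23")
    reverse = trace(topo, "server", reply_dst)
    out_of_state = [n for n in reverse if n in FIREWALLS and n not in forward]
    return reverse[-1] != "lost" and not out_of_state, forward, reverse

def scenarios():
    res = {}
    # 1. As posted: the reply goes to pfSense2, which routes it towards the ISP.
    res["as posted"] = tcp_reply_delivered(base_topology())
    # 2. Static route on pfSense2 only: reply reaches pfSense1, but via pfSense2 out of state.
    t = base_topology(); t["pfsense2"][1].insert(0, ("192.168.2.0/24", "192.168.1.1"))
    res["route on pfsense2"] = tcp_reply_delivered(t)
    # 3. Route on the server itself: 'route add -net 192.168.2.0 ... gw 192.168.1.1'.
    t = base_topology(); t["server"][1].insert(0, ("192.168.2.0/24", "192.168.1.1"))
    res["route on server"] = tcp_reply_delivered(t)
    # 4. Outbound NAT on pfSense1: the server replies to 192.168.1.1 (on-link); pfSense1 un-NATs.
    ok, fwd, rev = tcp_reply_delivered(base_topology(), reply_dst="192.168.1.1")
    res["outbound NAT"] = (ok, fwd, rev + ["client"])
    return res

if __name__ == "__main__":
    for name, (ok, fwd, rev) in scenarios().items():
        print(f"{name:20} delivered={ok!s:5} forward={fwd} reverse={rev}")
```

Only the last two scenarios keep the reply on the firewall that holds the state; that is the same conclusion the thread reached by trial and error.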