Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2 instances, cannot ping local machines through first vpn

    Scheduled Pinned Locked Moved General pfSense Questions
    18 Posts 4 Posters 3.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      phil123456
      last edited by

      Hello,

      I got two pfsense box

      they are linked to the same LAN network (192.168.1.0) with ip 192.168.1.1 and 192.168.1.2 and they can ping each other

      my vpn is installed on the first instance, and through the VPN I can then ping all the machines but I cannot ping 192.168.1.2

      although they are all on the same network

      can someone enlight me ? how is this possible ?

      thanks

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        And your pinging 192.168.1.2 from what IP when your connected via the vpn on pfsense 1?

        What is the tunnel network, that you assign to your vpn client?  Your clients on the network using 192.168.1.1 as gateway would be able to answer back no matter what IP it is.

        But why would pfsense 2 talk to pfsense 1 to get to where??  And what are teh firewall rules on pfsense 2 btw?  If your normally set for lan net that allow, why would the firewall even allow some vpn tunnel network from pfsense 1 to ping it?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • P
          phil123456
          last edited by

          Actualy I cant ping 192.168.1.2(pfsense local nic)
          192.168.1.23 and 192.168.1.24 (web front ends)

          "And your pinging 192.168.1.2 from what IP when your connected via the vpn on pfsense 1?"

          my local pc gets 192.168.2.2

          "What is the tunnel network, that you assign to your vpn client?"

          192.168.2.0/24
          witch was the default one in the settings, I thought it is supposed to be a different subnet not to conflict with tthe local one

          "Your clients on the network using 192.168.1.1 as gateway would be able to answer back no matter what IP it is."

          Ethernet adapter Local Area Connection 2:

          Connection-specific DNS Suffix  . :
            Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19
            IPv4 Address. . . . . . . . . . . : 192.168.2.2
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . :

          on my pc, openvpn client does not configure a gateway, dont know if it is supposed to be that way …

          "But why would pfsense 2 talk to pfsense 1 to get to where??  And what are teh firewall rules on pfsense 2 btw?  If your normally set for lan net that allow, why would the firewall even allow some vpn tunnel network from pfsense 1 to ping it?"

          pfsense load balance a couple of machines(apache) and pfsense2 load balance other machines(lighthttpd)
          but they are all on the same vlan/network

          I just use pfsense 1 to vpn to that network...never said pfsense 1 should talk to pfsense 2,
          If I take pfsense console I can ping the other pfsense
          I just cant ping them through the VPN although they are on the same network

          pfsense 2 has default fwall rules

          also as I enabled split tuneling, I added :

          push "route 192.168.1.0 255.255.255.0"

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by

            So if you attempt to access pfSense2 over VPN it will send response packets to its default upstream gateway instead of back to pfSense1.

            You will have to add a static route to pfSense2 to direct packets meant to VPN network to pfSense1.

            System > Routing
            First add your pfSense1 LAN address as gateway here on LAN interface. Do not check "default gateway".
            Then go on the static routes tab and add a route for your VPN tunnel network 192.168.2.0/24 and select the gateway you've added above.

            1 Reply Last reply Reply Quote 0
            • P
              phil123456
              last edited by

              wonderfull
              so from my pc I can ping 192.168.1.23 and 24 but not the gateway 192.168.1.2 (not really a prroblem so far)

              but why is html not passing through ?

              I cant reach those web servers with firefox

              pretty sure I have to add a rule in the fwall ? on both gateways ?

              1 Reply Last reply Reply Quote 0
              • V
                viragomann
                last edited by

                @phil123456:

                but why is html not passing through ?

                I cant reach those web servers with firefox

                You want to reach websites on 192.168.1.23 and 24 over VPN? Presumable by their public hostname?
                To get this work, you need an internal DNS (split DNS) and push the DNS server to your VPN client or you can activate NAT reflection in the appropriate NAT rules.

                1 Reply Last reply Reply Quote 0
                • P
                  phil123456
                  last edited by

                  no, only via ip adress

                  there is no dns, I use static ip's and host files, my frontends are managed via vpn and load balanced via pfSense

                  1 Reply Last reply Reply Quote 0
                  • V
                    viragomann
                    last edited by

                    To access them via  internal IP shouldn't be a problem. You just need a firewall rule on VPN interface which allow this.
                    From routing aspect, if ping works to these web servers, web access should work also.

                    If it doesn't enable logging and check the firewall logs if it is blocked by pfSense.

                    1 Reply Last reply Reply Quote 0
                    • P
                      phil123456
                      last edited by

                      in firewall/rules/openvpn

                      for IPV4 I got a * * * * * rule created by openvpn wizard

                      I also tested ssh connections, it does not work

                      I tried adding a * * * * LAN rule as a test on both firewall, but with no luck

                      I dont see any entry in the logs concerning the ip I try to access

                      1 Reply Last reply Reply Quote 0
                      • P
                        phil123456
                        last edited by

                        is the traffic in the firewall log blocked ? cos I added 2 rules LAN

                        source 192.168.2.0/24
                        destination 192.168.1.0/24

                        and

                        source 192.168.1.0/24
                        destination 192.168.2.0/24

                        now the entries concerning my http requests on 192.168.1.23 dont show up anymore in the log, but I still cannot access it via firefox

                        also something weird: in the logs, port 80 is the source port while it should be the destination port

                        1 Reply Last reply Reply Quote 0
                        • P
                          phil123456
                          last edited by

                          anyone ?

                          please this is a serious issue and I really need help on this one

                          thanks

                          1 Reply Last reply Reply Quote 0
                          • V
                            viragomann
                            last edited by

                            So what tells the filter log?
                            Post a screenshot, please.

                            Also post your clients routing table.

                            1 Reply Last reply Reply Quote 0
                            • P
                              phil123456
                              last edited by

                              bellow are my fwal rules, route print and filter log on second pfsense

                              as mentioned before it really seems odd that the port 80 is at the source and not the destination

                              on the first pfsense(VPN)

                              on the second pfsense

                              
                              Ethernet adapter Local Area Connection 2:
                              
                                 Connection-specific DNS Suffix  . :
                                 Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19
                                 IPv4 Address. . . . . . . . . . . : 192.168.2.2
                                 Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                 Default Gateway . . . . . . . . . :
                              
                              Ethernet adapter Local Area Connection:
                              
                                 Connection-specific DNS Suffix  . : ***************.net
                                 Link-local IPv6 Address . . . . . : fe80::249d:c73d:286b:eac1%11
                                 IPv4 Address. . . . . . . . . . . : 172.16.27.168
                                 Subnet Mask . . . . . . . . . . . : 255.255.255.128
                                 Default Gateway . . . . . . . . . : 172.16.27.254
                              
                              Ethernet adapter VMware Network Adapter VMnet1:
                              
                                 Connection-specific DNS Suffix  . :
                                 Link-local IPv6 Address . . . . . : fe80::1813:2fe0:5bcb:1930%16
                                 IPv4 Address. . . . . . . . . . . : 192.168.88.1
                                 Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                 Default Gateway . . . . . . . . . :
                              
                              Ethernet adapter VMware Network Adapter VMnet8:
                              
                                 Connection-specific DNS Suffix  . :
                                 Link-local IPv6 Address . . . . . : fe80::f435:d6ac:24e4:15ab%17
                                 IPv4 Address. . . . . . . . . . . : 192.168.29.1
                                 Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                 Default Gateway . . . . . . . . . :
                              
                              
                              ===========================================================================
                              Interface List
                               19...00 ff 28 05 3d 13 ......TAP-Windows Adapter V9
                               11...88 51 fb 40 a4 b3 ......Intel(R) 82579LM Gigabit Network Connection
                               16...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
                               17...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
                                1...........................Software Loopback Interface 1
                               13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
                               12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
                               15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
                               14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
                               18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
                              ===========================================================================
                              
                              IPv4 Route Table
                              ===========================================================================
                              Active Routes:
                              Network Destination        Netmask          Gateway       Interface  Metric
                                        0.0.0.0          0.0.0.0    172.16.27.254    172.16.27.168    266
                                      127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
                                      127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
                                127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                                  172.16.27.128  255.255.255.128         On-link     172.16.27.168    266
                                  172.16.27.168  255.255.255.255         On-link     172.16.27.168    266
                                  172.16.27.255  255.255.255.255         On-link     172.16.27.168    266
                                    192.168.1.0    255.255.255.0      192.168.2.1      192.168.2.2     20
                                    192.168.2.0    255.255.255.0         On-link       192.168.2.2    276
                                    192.168.2.2  255.255.255.255         On-link       192.168.2.2    276
                                  192.168.2.255  255.255.255.255         On-link       192.168.2.2    276
                                   192.168.29.0    255.255.255.0         On-link      192.168.29.1    276
                                   192.168.29.1  255.255.255.255         On-link      192.168.29.1    276
                                 192.168.29.255  255.255.255.255         On-link      192.168.29.1    276
                                   192.168.88.0    255.255.255.0         On-link      192.168.88.1    276
                                   192.168.88.1  255.255.255.255         On-link      192.168.88.1    276
                                 192.168.88.255  255.255.255.255         On-link      192.168.88.1    276
                                      224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
                                      224.0.0.0        240.0.0.0         On-link       192.168.2.2    276
                                      224.0.0.0        240.0.0.0         On-link      192.168.88.1    276
                                      224.0.0.0        240.0.0.0         On-link      192.168.29.1    276
                                      224.0.0.0        240.0.0.0         On-link     172.16.27.168    266
                                255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                                255.255.255.255  255.255.255.255         On-link       192.168.2.2    276
                                255.255.255.255  255.255.255.255         On-link      192.168.88.1    276
                                255.255.255.255  255.255.255.255         On-link      192.168.29.1    276
                                255.255.255.255  255.255.255.255         On-link     172.16.27.168    266
                              ===========================================================================
                              Persistent Routes:
                                Network Address          Netmask  Gateway Address  Metric
                                        0.0.0.0          0.0.0.0    172.16.27.254  Default
                              ===========================================================================
                              
                              IPv6 Route Table
                              ===========================================================================
                              Active Routes:
                               If Metric Network Destination      Gateway
                                1    306 ::1/128                  On-link
                               19    276 fe80::/64                On-link
                               16    276 fe80::/64                On-link
                               17    276 fe80::/64                On-link
                               11    266 fe80::/64                On-link
                               16    276 fe80::1813:2fe0:5bcb:1930/128
                                                                  On-link
                               11    266 fe80::249d:c73d:286b:eac1/128
                                                                  On-link
                               19    276 fe80::7d8b:d819:a21a:5440/128
                                                                  On-link
                               17    276 fe80::f435:d6ac:24e4:15ab/128
                                                                  On-link
                                1    306 ff00::/8                 On-link
                               19    276 ff00::/8                 On-link
                               16    276 ff00::/8                 On-link
                               17    276 ff00::/8                 On-link
                               11    266 ff00::/8                 On-link
                              ===========================================================================
                              Persistent Routes:
                                None
                              
                              

                              the filter log on the second pfsense
                              apparently the adress I try to ping( 192.168.1.23)  is comming back

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                Your firewall log is showing 192.168.1.23 trying to answer, but its going through your second pfsense so this traffic is out of state, so yeah it would be blocked.

                                So we are all clear what your doing..  The attached is your network?  And what your trying to do.

                                What is the gateway for this server?

                                As I tried to explain before..  If your vpn user is coming in pfsense 1 and has a IP address of 192.168.2.x, for server to answer it will need to know to talk to pfsense 1 to talk to 192.168.2/?  Or it will need to use pfsense 1 as its default gateway.

                                For vpn user to talk to pfsense 2, its lan rules will have to allow access from 192.168.2/?  And it will need to know to get to back to 192.168.2.x it needs to talk to pfsense 1.

                                vpndualpfsense.png
                                vpndualpfsense.png_thumb

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • P
                                  phil123456
                                  last edited by

                                  you told me to set a static route so 192.168.1.23 would reply vi vpn  (192.168.1.1) instead of its default gateway (192.168.1.2)

                                  I created that route, so the ping is working… but not other protocols, so is it not a firewall rule issue ? (shouldn't be since it's all local communications, even for the vpn)

                                  maybe my setup is not right, but it looks pretty straightforward, am I missing something ?

                                  apparently only ping modifies the usage of the static route

                                  just found out in the doc, when using VPN, one should not use static routes but network definitions

                                  https://doc.pfsense.org/index.php/Static_Routes
                                  "Never add static routes for networks reachable via OpenVPN. Such routes are managed by OpenVPN itself using Remote Network definitions, not static routes."

                                  but it does not give more details…

                                  1 Reply Last reply Reply Quote 0
                                  • V
                                    viragomann
                                    last edited by

                                    The doc you mentioned is meant for VPN and static route on a unique node not on different ones.

                                    However, yes, in your case the static route has to be set to each LAN host you want to reach to work properly. If these are only the mentioned two hosts this is not a big work.

                                    1 Reply Last reply Reply Quote 0
                                    • DerelictD
                                      Derelict LAYER 8 Netgate
                                      last edited by

                                      Or outbound NAT on the 192.168.1.1 interface so connections from the VPN clients to LAN hosts masquerade as source IP 192.168.1.1.  If you need to identify what OpenVPN client is making the connections you could use a range of IP addresses, VIPs, and 1:1 NAT.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        phil123456
                                        last edited by

                                        sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1

                                        works like a charm

                                        so apparently pfsense2 receives the packets returning from 192.168.1.23

                                        and cannot send them to the pfsense1 although a lan to lan full allowing rule is in place

                                        not nice but efficient :-)
                                        also I use a config pusher so in case of more machines I can still push that rule (I guess, gonna check that out)

                                        thanks for your wonderfull support everyone

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.