2 instances, cannot ping local machines through first vpn



  • Hello,

    I got two pfsense box

    they are linked to the same LAN network (192.168.1.0) with ip 192.168.1.1 and 192.168.1.2 and they can ping each other

    my vpn is installed on the first instance, and through the VPN I can then ping all the machines but I cannot ping 192.168.1.2

    although they are all on the same network

    can someone enlight me ? how is this possible ?

    thanks


  • Rebel Alliance Global Moderator

    And your pinging 192.168.1.2 from what IP when your connected via the vpn on pfsense 1?

    What is the tunnel network, that you assign to your vpn client?  Your clients on the network using 192.168.1.1 as gateway would be able to answer back no matter what IP it is.

    But why would pfsense 2 talk to pfsense 1 to get to where??  And what are teh firewall rules on pfsense 2 btw?  If your normally set for lan net that allow, why would the firewall even allow some vpn tunnel network from pfsense 1 to ping it?



  • Actualy I cant ping 192.168.1.2(pfsense local nic)
    192.168.1.23 and 192.168.1.24 (web front ends)

    "And your pinging 192.168.1.2 from what IP when your connected via the vpn on pfsense 1?"

    my local pc gets 192.168.2.2

    "What is the tunnel network, that you assign to your vpn client?"

    192.168.2.0/24
    witch was the default one in the settings, I thought it is supposed to be a different subnet not to conflict with tthe local one

    "Your clients on the network using 192.168.1.1 as gateway would be able to answer back no matter what IP it is."

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix  . :
      Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19
      IPv4 Address. . . . . . . . . . . : 192.168.2.2
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . :

    on my pc, openvpn client does not configure a gateway, dont know if it is supposed to be that way …

    "But why would pfsense 2 talk to pfsense 1 to get to where??  And what are teh firewall rules on pfsense 2 btw?  If your normally set for lan net that allow, why would the firewall even allow some vpn tunnel network from pfsense 1 to ping it?"

    pfsense load balance a couple of machines(apache) and pfsense2 load balance other machines(lighthttpd)
    but they are all on the same vlan/network

    I just use pfsense 1 to vpn to that network...never said pfsense 1 should talk to pfsense 2,
    If I take pfsense console I can ping the other pfsense
    I just cant ping them through the VPN although they are on the same network

    pfsense 2 has default fwall rules

    also as I enabled split tuneling, I added :

    push "route 192.168.1.0 255.255.255.0"



  • So if you attempt to access pfSense2 over VPN it will send response packets to its default upstream gateway instead of back to pfSense1.

    You will have to add a static route to pfSense2 to direct packets meant to VPN network to pfSense1.

    System > Routing
    First add your pfSense1 LAN address as gateway here on LAN interface. Do not check "default gateway".
    Then go on the static routes tab and add a route for your VPN tunnel network 192.168.2.0/24 and select the gateway you've added above.



  • wonderfull
    so from my pc I can ping 192.168.1.23 and 24 but not the gateway 192.168.1.2 (not really a prroblem so far)

    but why is html not passing through ?

    I cant reach those web servers with firefox

    pretty sure I have to add a rule in the fwall ? on both gateways ?



  • @phil123456:

    but why is html not passing through ?

    I cant reach those web servers with firefox

    You want to reach websites on 192.168.1.23 and 24 over VPN? Presumable by their public hostname?
    To get this work, you need an internal DNS (split DNS) and push the DNS server to your VPN client or you can activate NAT reflection in the appropriate NAT rules.



  • no, only via ip adress

    there is no dns, I use static ip's and host files, my frontends are managed via vpn and load balanced via pfSense



  • To access them via  internal IP shouldn't be a problem. You just need a firewall rule on VPN interface which allow this.
    From routing aspect, if ping works to these web servers, web access should work also.

    If it doesn't enable logging and check the firewall logs if it is blocked by pfSense.



  • in firewall/rules/openvpn

    for IPV4 I got a * * * * * rule created by openvpn wizard

    I also tested ssh connections, it does not work

    I tried adding a * * * * LAN rule as a test on both firewall, but with no luck

    I dont see any entry in the logs concerning the ip I try to access



  • is the traffic in the firewall log blocked ? cos I added 2 rules LAN

    source 192.168.2.0/24
    destination 192.168.1.0/24

    and

    source 192.168.1.0/24
    destination 192.168.2.0/24

    now the entries concerning my http requests on 192.168.1.23 dont show up anymore in the log, but I still cannot access it via firefox

    also something weird: in the logs, port 80 is the source port while it should be the destination port



  • anyone ?

    please this is a serious issue and I really need help on this one

    thanks



  • So what tells the filter log?
    Post a screenshot, please.

    Also post your clients routing table.



  • bellow are my fwal rules, route print and filter log on second pfsense

    as mentioned before it really seems odd that the port 80 is at the source and not the destination

    on the first pfsense(VPN)

    on the second pfsense

    
    Ethernet adapter Local Area Connection 2:
    
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19
       IPv4 Address. . . . . . . . . . . : 192.168.2.2
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . : ***************.net
       Link-local IPv6 Address . . . . . : fe80::249d:c73d:286b:eac1%11
       IPv4 Address. . . . . . . . . . . : 172.16.27.168
       Subnet Mask . . . . . . . . . . . : 255.255.255.128
       Default Gateway . . . . . . . . . : 172.16.27.254
    
    Ethernet adapter VMware Network Adapter VMnet1:
    
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::1813:2fe0:5bcb:1930%16
       IPv4 Address. . . . . . . . . . . : 192.168.88.1
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
    
    Ethernet adapter VMware Network Adapter VMnet8:
    
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::f435:d6ac:24e4:15ab%17
       IPv4 Address. . . . . . . . . . . : 192.168.29.1
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
    
    
    ===========================================================================
    Interface List
     19...00 ff 28 05 3d 13 ......TAP-Windows Adapter V9
     11...88 51 fb 40 a4 b3 ......Intel(R) 82579LM Gigabit Network Connection
     16...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
     17...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
      1...........................Software Loopback Interface 1
     13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
     18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    172.16.27.254    172.16.27.168    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        172.16.27.128  255.255.255.128         On-link     172.16.27.168    266
        172.16.27.168  255.255.255.255         On-link     172.16.27.168    266
        172.16.27.255  255.255.255.255         On-link     172.16.27.168    266
          192.168.1.0    255.255.255.0      192.168.2.1      192.168.2.2     20
          192.168.2.0    255.255.255.0         On-link       192.168.2.2    276
          192.168.2.2  255.255.255.255         On-link       192.168.2.2    276
        192.168.2.255  255.255.255.255         On-link       192.168.2.2    276
         192.168.29.0    255.255.255.0         On-link      192.168.29.1    276
         192.168.29.1  255.255.255.255         On-link      192.168.29.1    276
       192.168.29.255  255.255.255.255         On-link      192.168.29.1    276
         192.168.88.0    255.255.255.0         On-link      192.168.88.1    276
         192.168.88.1  255.255.255.255         On-link      192.168.88.1    276
       192.168.88.255  255.255.255.255         On-link      192.168.88.1    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.2.2    276
            224.0.0.0        240.0.0.0         On-link      192.168.88.1    276
            224.0.0.0        240.0.0.0         On-link      192.168.29.1    276
            224.0.0.0        240.0.0.0         On-link     172.16.27.168    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.2.2    276
      255.255.255.255  255.255.255.255         On-link      192.168.88.1    276
      255.255.255.255  255.255.255.255         On-link      192.168.29.1    276
      255.255.255.255  255.255.255.255         On-link     172.16.27.168    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    172.16.27.254  Default
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
     19    276 fe80::/64                On-link
     16    276 fe80::/64                On-link
     17    276 fe80::/64                On-link
     11    266 fe80::/64                On-link
     16    276 fe80::1813:2fe0:5bcb:1930/128
                                        On-link
     11    266 fe80::249d:c73d:286b:eac1/128
                                        On-link
     19    276 fe80::7d8b:d819:a21a:5440/128
                                        On-link
     17    276 fe80::f435:d6ac:24e4:15ab/128
                                        On-link
      1    306 ff00::/8                 On-link
     19    276 ff00::/8                 On-link
     16    276 ff00::/8                 On-link
     17    276 ff00::/8                 On-link
     11    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    
    

    the filter log on the second pfsense
    apparently the adress I try to ping( 192.168.1.23)  is comming back


  • Rebel Alliance Global Moderator

    Your firewall log is showing 192.168.1.23 trying to answer, but its going through your second pfsense so this traffic is out of state, so yeah it would be blocked.

    So we are all clear what your doing..  The attached is your network?  And what your trying to do.

    What is the gateway for this server?

    As I tried to explain before..  If your vpn user is coming in pfsense 1 and has a IP address of 192.168.2.x, for server to answer it will need to know to talk to pfsense 1 to talk to 192.168.2/?  Or it will need to use pfsense 1 as its default gateway.

    For vpn user to talk to pfsense 2, its lan rules will have to allow access from 192.168.2/?  And it will need to know to get to back to 192.168.2.x it needs to talk to pfsense 1.




  • you told me to set a static route so 192.168.1.23 would reply vi vpn  (192.168.1.1) instead of its default gateway (192.168.1.2)

    I created that route, so the ping is working… but not other protocols, so is it not a firewall rule issue ? (shouldn't be since it's all local communications, even for the vpn)

    maybe my setup is not right, but it looks pretty straightforward, am I missing something ?

    apparently only ping modifies the usage of the static route

    just found out in the doc, when using VPN, one should not use static routes but network definitions

    https://doc.pfsense.org/index.php/Static_Routes
    "Never add static routes for networks reachable via OpenVPN. Such routes are managed by OpenVPN itself using Remote Network definitions, not static routes."

    but it does not give more details…



  • The doc you mentioned is meant for VPN and static route on a unique node not on different ones.

    However, yes, in your case the static route has to be set to each LAN host you want to reach to work properly. If these are only the mentioned two hosts this is not a big work.


  • Netgate

    Or outbound NAT on the 192.168.1.1 interface so connections from the VPN clients to LAN hosts masquerade as source IP 192.168.1.1.  If you need to identify what OpenVPN client is making the connections you could use a range of IP addresses, VIPs, and 1:1 NAT.



  • sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1

    works like a charm

    so apparently pfsense2 receives the packets returning from 192.168.1.23

    and cannot send them to the pfsense1 although a lan to lan full allowing rule is in place

    not nice but efficient :-)
    also I use a config pusher so in case of more machines I can still push that rule (I guess, gonna check that out)

    thanks for your wonderfull support everyone