2 instances, cannot ping local machines through first vpn
-
Hello,
I got two pfsense box
they are linked to the same LAN network (192.168.1.0) with ip 192.168.1.1 and 192.168.1.2 and they can ping each other
my vpn is installed on the first instance, and through the VPN I can then ping all the machines but I cannot ping 192.168.1.2
although they are all on the same network
can someone enlight me ? how is this possible ?
thanks
-
And your pinging 192.168.1.2 from what IP when your connected via the vpn on pfsense 1?
What is the tunnel network, that you assign to your vpn client? Your clients on the network using 192.168.1.1 as gateway would be able to answer back no matter what IP it is.
But why would pfsense 2 talk to pfsense 1 to get to where?? And what are teh firewall rules on pfsense 2 btw? If your normally set for lan net that allow, why would the firewall even allow some vpn tunnel network from pfsense 1 to ping it?
-
Actualy I cant ping 192.168.1.2(pfsense local nic)
192.168.1.23 and 192.168.1.24 (web front ends)"And your pinging 192.168.1.2 from what IP when your connected via the vpn on pfsense 1?"
my local pc gets 192.168.2.2
"What is the tunnel network, that you assign to your vpn client?"
192.168.2.0/24
witch was the default one in the settings, I thought it is supposed to be a different subnet not to conflict with tthe local one
"Your clients on the network using 192.168.1.1 as gateway would be able to answer back no matter what IP it is."
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19
IPv4 Address. . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :on my pc, openvpn client does not configure a gateway, dont know if it is supposed to be that way …
"But why would pfsense 2 talk to pfsense 1 to get to where?? And what are teh firewall rules on pfsense 2 btw? If your normally set for lan net that allow, why would the firewall even allow some vpn tunnel network from pfsense 1 to ping it?"
pfsense load balance a couple of machines(apache) and pfsense2 load balance other machines(lighthttpd)
but they are all on the same vlan/networkI just use pfsense 1 to vpn to that network...never said pfsense 1 should talk to pfsense 2,
If I take pfsense console I can ping the other pfsense
I just cant ping them through the VPN although they are on the same networkpfsense 2 has default fwall rules
also as I enabled split tuneling, I added :
push "route 192.168.1.0 255.255.255.0"
-
So if you attempt to access pfSense2 over VPN it will send response packets to its default upstream gateway instead of back to pfSense1.
You will have to add a static route to pfSense2 to direct packets meant to VPN network to pfSense1.
System > Routing
First add your pfSense1 LAN address as gateway here on LAN interface. Do not check "default gateway".
Then go on the static routes tab and add a route for your VPN tunnel network 192.168.2.0/24 and select the gateway you've added above. -
wonderfull
so from my pc I can ping 192.168.1.23 and 24 but not the gateway 192.168.1.2 (not really a prroblem so far)but why is html not passing through ?
I cant reach those web servers with firefox
pretty sure I have to add a rule in the fwall ? on both gateways ?
-
but why is html not passing through ?
I cant reach those web servers with firefox
You want to reach websites on 192.168.1.23 and 24 over VPN? Presumable by their public hostname?
To get this work, you need an internal DNS (split DNS) and push the DNS server to your VPN client or you can activate NAT reflection in the appropriate NAT rules. -
no, only via ip adress
there is no dns, I use static ip's and host files, my frontends are managed via vpn and load balanced via pfSense
-
To access them via internal IP shouldn't be a problem. You just need a firewall rule on VPN interface which allow this.
From routing aspect, if ping works to these web servers, web access should work also.If it doesn't enable logging and check the firewall logs if it is blocked by pfSense.
-
in firewall/rules/openvpn
for IPV4 I got a * * * * * rule created by openvpn wizard
I also tested ssh connections, it does not work
I tried adding a * * * * LAN rule as a test on both firewall, but with no luck
I dont see any entry in the logs concerning the ip I try to access
-
is the traffic in the firewall log blocked ? cos I added 2 rules LAN
source 192.168.2.0/24
destination 192.168.1.0/24and
source 192.168.1.0/24
destination 192.168.2.0/24now the entries concerning my http requests on 192.168.1.23 dont show up anymore in the log, but I still cannot access it via firefox
also something weird: in the logs, port 80 is the source port while it should be the destination port
-
anyone ?
please this is a serious issue and I really need help on this one
thanks
-
So what tells the filter log?
Post a screenshot, please.Also post your clients routing table.
-
bellow are my fwal rules, route print and filter log on second pfsense
as mentioned before it really seems odd that the port 80 is at the source and not the destination
on the first pfsense(VPN)
on the second pfsense
Ethernet adapter Local Area Connection 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::7d8b:d819:a21a:5440%19 IPv4 Address. . . . . . . . . . . : 192.168.2.2 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : ***************.net Link-local IPv6 Address . . . . . : fe80::249d:c73d:286b:eac1%11 IPv4 Address. . . . . . . . . . . : 172.16.27.168 Subnet Mask . . . . . . . . . . . : 255.255.255.128 Default Gateway . . . . . . . . . : 172.16.27.254 Ethernet adapter VMware Network Adapter VMnet1: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::1813:2fe0:5bcb:1930%16 IPv4 Address. . . . . . . . . . . : 192.168.88.1 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : Ethernet adapter VMware Network Adapter VMnet8: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::f435:d6ac:24e4:15ab%17 IPv4 Address. . . . . . . . . . . : 192.168.29.1 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . :=========================================================================== Interface List 19...00 ff 28 05 3d 13 ......TAP-Windows Adapter V9 11...88 51 fb 40 a4 b3 ......Intel(R) 82579LM Gigabit Network Connection 16...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1 17...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8 1...........................Software Loopback Interface 1 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4 =========================================================================== IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 172.16.27.254 172.16.27.168 266 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 172.16.27.128 255.255.255.128 On-link 172.16.27.168 266 172.16.27.168 255.255.255.255 On-link 172.16.27.168 266 172.16.27.255 255.255.255.255 On-link 172.16.27.168 266 192.168.1.0 255.255.255.0 192.168.2.1 192.168.2.2 20 192.168.2.0 255.255.255.0 On-link 192.168.2.2 276 192.168.2.2 255.255.255.255 On-link 192.168.2.2 276 192.168.2.255 255.255.255.255 On-link 192.168.2.2 276 192.168.29.0 255.255.255.0 On-link 192.168.29.1 276 192.168.29.1 255.255.255.255 On-link 192.168.29.1 276 192.168.29.255 255.255.255.255 On-link 192.168.29.1 276 192.168.88.0 255.255.255.0 On-link 192.168.88.1 276 192.168.88.1 255.255.255.255 On-link 192.168.88.1 276 192.168.88.255 255.255.255.255 On-link 192.168.88.1 276 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.2.2 276 224.0.0.0 240.0.0.0 On-link 192.168.88.1 276 224.0.0.0 240.0.0.0 On-link 192.168.29.1 276 224.0.0.0 240.0.0.0 On-link 172.16.27.168 266 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.2.2 276 255.255.255.255 255.255.255.255 On-link 192.168.88.1 276 255.255.255.255 255.255.255.255 On-link 192.168.29.1 276 255.255.255.255 255.255.255.255 On-link 172.16.27.168 266 =========================================================================== Persistent Routes: Network Address Netmask Gateway Address Metric 0.0.0.0 0.0.0.0 172.16.27.254 Default =========================================================================== IPv6 Route Table =========================================================================== Active Routes: If Metric Network Destination Gateway 1 306 ::1/128 On-link 19 276 fe80::/64 On-link 16 276 fe80::/64 On-link 17 276 fe80::/64 On-link 11 266 fe80::/64 On-link 16 276 fe80::1813:2fe0:5bcb:1930/128 On-link 11 266 fe80::249d:c73d:286b:eac1/128 On-link 19 276 fe80::7d8b:d819:a21a:5440/128 On-link 17 276 fe80::f435:d6ac:24e4:15ab/128 On-link 1 306 ff00::/8 On-link 19 276 ff00::/8 On-link 16 276 ff00::/8 On-link 17 276 ff00::/8 On-link 11 266 ff00::/8 On-link =========================================================================== Persistent Routes: Nonethe filter log on the second pfsense
apparently the adress I try to ping( 192.168.1.23) is comming back
-
Your firewall log is showing 192.168.1.23 trying to answer, but its going through your second pfsense so this traffic is out of state, so yeah it would be blocked.
So we are all clear what your doing.. The attached is your network? And what your trying to do.
What is the gateway for this server?
As I tried to explain before.. If your vpn user is coming in pfsense 1 and has a IP address of 192.168.2.x, for server to answer it will need to know to talk to pfsense 1 to talk to 192.168.2/? Or it will need to use pfsense 1 as its default gateway.
For vpn user to talk to pfsense 2, its lan rules will have to allow access from 192.168.2/? And it will need to know to get to back to 192.168.2.x it needs to talk to pfsense 1.
-
you told me to set a static route so 192.168.1.23 would reply vi vpn (192.168.1.1) instead of its default gateway (192.168.1.2)
I created that route, so the ping is working… but not other protocols, so is it not a firewall rule issue ? (shouldn't be since it's all local communications, even for the vpn)
maybe my setup is not right, but it looks pretty straightforward, am I missing something ?
apparently only ping modifies the usage of the static route
just found out in the doc, when using VPN, one should not use static routes but network definitions
https://doc.pfsense.org/index.php/Static_Routes
"Never add static routes for networks reachable via OpenVPN. Such routes are managed by OpenVPN itself using Remote Network definitions, not static routes."but it does not give more details…
-
The doc you mentioned is meant for VPN and static route on a unique node not on different ones.
However, yes, in your case the static route has to be set to each LAN host you want to reach to work properly. If these are only the mentioned two hosts this is not a big work.
-
Or outbound NAT on the 192.168.1.1 interface so connections from the VPN clients to LAN hosts masquerade as source IP 192.168.1.1. If you need to identify what OpenVPN client is making the connections you could use a range of IP addresses, VIPs, and 1:1 NAT.
-
sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1
works like a charm
so apparently pfsense2 receives the packets returning from 192.168.1.23
and cannot send them to the pfsense1 although a lan to lan full allowing rule is in place
not nice but efficient :-)
also I use a config pusher so in case of more machines I can still push that rule (I guess, gonna check that out)thanks for your wonderfull support everyone