Site to Site - Not able to access client networks from server network - updated

aloksinha2001 · Jul 5, 2016, 7:04 AM

Team,

I searched the forums for a solution, did not find one hence posting this here.

We have 3 pfsense deployed.
- 10.0.10.0/24 - the VPN network.
- 192.168.5.0/24 - the server (home network)
- 192.168.4.0/24 - Client 1 network
- 192.168.14.0/24 - Client 2 network.

The configuration has been done, in accordance with pfsense book - OpenVPN Example Site-to-Site SSL/TLS Network (Chapter 20.7 - Page 400)

- VPN connection gets established - between all 3 networks.

- Client (1 or 2) firewall
Access any other tcp/udp services on Server firewall - Yes
Access any other tcp/udp services to internal machines on server network - Yes
As you can see, from the Client 1 machine - I CAN ssh into an internal IP address (192.168.5.206) of the SERVER VPN network (192.168.5.0/24)

- Client (1 or 2) - network devices
Access any other tcp/udp services to server firewall - No
Access any other tcp/udp services to internal machines on server network - No

- Server firewall
Access any other tcp/udp services to client firewall - No
Access any other tcp/udp services to internal machines on client network - No.

Expectation of this design was All three networks should be able to ping (or access any other tcp/udp services) with all other devices on the three networks.

What am I doing incorrect. ?

Here are the screen shots

1. Server side (192.168.5.1/24) - OpenVPN settings

2. Server side(192.168.5.1/24) - Cient Specific settings (for 192.168.14.x/24

3. Server side rules - WAN

4. Server side rules - OpenVPN

5. Server Routes

6. Client 1 (14.x) - VPN

7. Client 1 (14.x) - Firewall rules - WAN

8. Client 1 (14.x) - Firewall rules - VPN

9. Client 1 (14.x) - Routes

I have not attached the scfeenshots from Client 2 - since, the working/and the problems are similar.
However, client 2 is connected on
192.168.4.0/24

This post has been modified to add screenshots.
Alok

Derelict · Jul 4, 2016, 5:03 PM

@aloksinha2001:

Firewall Rules
Enabled TCP/UPD on OpenVPN
- Client 1/2, Server

Expectation of this design was All three networks should be able to ping (communicate) with all other devices on the three neworks.

What am I doing incorrect. ?

Alok

Ping is ICMP, not TCP or UDP.

nikkon · Jul 4, 2016, 6:53 PM

have the same problem.from vpn i'm not able to reach pfsense web config eather

aloksinha2001 · Jul 4, 2016, 8:35 PM

@Derelict:

@aloksinha2001:

Firewall Rules
Enabled TCP/UPD on OpenVPN
- Client 1/2, Server

Expectation of this design was All three networks should be able to ping (communicate) with all other devices on the three neworks.

What am I doing incorrect. ?

Alok

Ping is ICMP, not TCP or UDP.

You are correct - when I said ping, I meant access to any TCP/UDP services (AND Ping)

1. To add to my information, ICMP is also enabled on all three networks.
2. Please read Ping as (Ping and/or Any connection)

Alok

Derelict · Jul 5, 2016, 5:13 AM

This is an internet forum. We can only go by what you tell us. Maybe you should post some screen shots instead of trying to communicate what you think you have done.

When everything is set correctly and it still doesn't work it is usually:

Local firewall on target host does not permit connections from foreign networks
Target host does not have pfSense set as its default gateway

aloksinha2001 · Jul 5, 2016, 7:05 AM

@Derelict:

This is an internet forum. We can only go by what you tell us. Maybe you should post some screen shots instead of trying to communicate what you think you have done.

When everything is set correctly and it still doesn't work it is usually:

Local firewall on target host does not permit connections from foreign networks

Target host does not have pfSense set as its default gateway

Fair point.

Added screenshots - atleast the relevant ones…

Alok

Derelict · Jul 5, 2016, 7:20 AM

Why are you defining 192.168.4.0/24 and 192.168.14.0/24 as both local and a remote networks. They are local or remote, not both.

I would back off and work one site at a time, thinking carefully about the design you want and adding another endpoint only after you get the previous working.

aloksinha2001 · Jul 5, 2016, 7:31 AM

@Derelict:

Why are you defining 192.168.4.0/24 and 192.168.14.0/24 as both local and a remote networks. They are local or remote, not both.

I would back off and work one site at a time, thinking carefully about the design you want and adding another endpoint only after you get the previous working.

Coz the pfsense book said so.

Also, there was a logic - 192.168.4.0/24 is local for the clients on the 192.168.14.0/24 network, as they need to route this into

Having made that comment, based on your direction - I have made changes and tested. No change in the issue. Have returned it back to as is shown in this

Derelict · Jul 5, 2016, 8:04 AM

Local firewall on target host does not permit connections from foreign networks
Target host does not have pfSense set as its default gateway

aloksinha2001 · Jul 5, 2016, 8:27 AM

@Derelict:

Local firewall on target host does not permit connections from foreign networks

It actually does, the G8AuthServer is an alias for all the IP addresses from which I am coming in.

And this is enabled on Server….

and is enabled on Client….

Target host does not have pfSense set as its default gateway

You may be on to something here.

However, see these - This is on the server firewall

This is on the client firewall - [ Point to note - from the client network, we CAN access all the server network resources ] It is the reverse (from server network to client network) resources, we cannot access.

Derelict · Jul 5, 2016, 8:26 AM

No. That "software" firewall on the host on the local LAN that the remote hosts are trying to contact. Windows firewall is notorious for making people think their VPN is not working when it is working just fine.

Packet capture on the local LAN. Are pings going out LAN but nothing in response?

aloksinha2001 · Jul 5, 2016, 8:48 AM

@Derelict:

No. That "software" firewall on the host on the local LAN that the remote hosts are trying to contact. Windows firewall is notorious for making people think their VPN is not working when it is working just fine.

Packet capture on the local LAN. Are pings going out LAN but nothing in response?

We do NOT have any (almost 0) windows resources, most of it is Linux. We have these resources open and available from all other points. Hence the local firewall on the target machine is NOT the case.

I am sending a ping request to 192.168.14.1 (the client firewall) from 192.168.5.206 (a machine inside my server network)

Here is the packet capture
From Server network device (192.168.6.206) to Client Firewall (192.168.14.1) - This is on the LAN interface.

From Server network device (192.168.6.206) to Client Firewall (192.168.14.1) - This is on the OpenVPN interface

On the client firewall - no packets are captured for any type of interface or filters of this host

Additional information.
I do continue to get these errors in the route log

aloksinha2001 · Jul 6, 2016, 1:45 PM

Bump ! Sorry team for bumping this up…

But, do need a solution for this.
Will appreciate any help/pointers/direction of investigation.

Alok