• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Site to Site - Not able to access client networks from server network - updated

Scheduled Pinned Locked Moved OpenVPN
13 Posts 3 Posters 2.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    aloksinha2001
    last edited by Jul 5, 2016, 7:04 AM Jul 4, 2016, 4:21 PM

    Team,

    I searched the forums for a solution, did not find one hence posting this here.

    We have 3 pfsense deployed.
      - 10.0.10.0/24 - the VPN network.
      - 192.168.5.0/24 - the server (home network)
      - 192.168.4.0/24 - Client 1 network
      - 192.168.14.0/24 - Client 2 network.

    The configuration has been done, in accordance with pfsense book -  OpenVPN Example Site-to-Site SSL/TLS Network (Chapter 20.7 - Page 400)

    - VPN connection gets established - between all 3 networks.

    - Client (1 or 2)  firewall
          Access any other tcp/udp services on Server firewall - Yes
          Access any other tcp/udp services  to internal machines on server network - Yes
          As you can see, from the Client 1 machine - I CAN ssh into an internal IP address (192.168.5.206) of the SERVER VPN network (192.168.5.0/24)

    - Client (1 or 2) - network devices
          Access any other tcp/udp services to server firewall - No
          Access any other tcp/udp services to internal machines on server network - No

    - Server firewall
          Access any other tcp/udp services to client firewall - No
          Access any other tcp/udp services to internal machines on client network - No.

    Expectation of this design was All three networks should be able to ping  (or access any other tcp/udp services)  with all other devices on the three networks.

    What am I doing incorrect. ?

    Here are the screen shots


    1. Server side (192.168.5.1/24) - OpenVPN settings          

    2. Server side(192.168.5.1/24) - Cient Specific settings (for 192.168.14.x/24

    3. Server side rules - WAN

    4. Server side rules - OpenVPN

    5. Server Routes


    6. Client 1 (14.x) - VPN

    7. Client 1 (14.x) - Firewall rules - WAN

    8. Client 1 (14.x) - Firewall rules - VPN

    9. Client 1 (14.x) - Routes

    I have not attached the scfeenshots from Client 2 - since, the working/and the problems are similar.
    However, client 2 is connected on
    192.168.4.0/24

    This post has been modified to add screenshots.
    Alok
    Client.png
    Client.png_thumb
    Server.png
    Server.png_thumb

    1 Reply Last reply Reply Quote 0
    • D
      Derelict LAYER 8 Netgate
      last edited by Jul 4, 2016, 5:03 PM

      @aloksinha2001:

      Firewall Rules
      Enabled TCP/UPD on OpenVPN
        - Client 1/2, Server

      Expectation of this design was All three networks should be able to ping (communicate) with all other devices on the three neworks.

      What am I doing incorrect. ?

      Alok

      Ping is ICMP, not TCP or UDP.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • N
        nikkon
        last edited by Jul 4, 2016, 6:53 PM

        have the same problem.from vpn i'm not able to reach pfsense web config eather

        pfsense 2.3.4 on Supermicro A1SRi-2758F + 8GB ECC + SSD

        Happy PfSense user :)

        1 Reply Last reply Reply Quote 0
        • A
          aloksinha2001
          last edited by Jul 4, 2016, 8:35 PM

          @Derelict:

          @aloksinha2001:

          Firewall Rules
          Enabled TCP/UPD on OpenVPN
            - Client 1/2, Server

          Expectation of this design was All three networks should be able to ping (communicate) with all other devices on the three neworks.

          What am I doing incorrect. ?

          Alok

          Ping is ICMP, not TCP or UDP.

          You are correct - when I said ping, I meant access to any TCP/UDP services (AND Ping)

          1. To add to my information, ICMP is also enabled on all three networks.
          2. Please read Ping as (Ping and/or Any connection)

          Alok

          1 Reply Last reply Reply Quote 0
          • D
            Derelict LAYER 8 Netgate
            last edited by Jul 5, 2016, 5:13 AM

            This is an internet forum. We can only go by what you tell us. Maybe you should post some screen shots instead of trying to communicate what you think you have done.

            When everything is set correctly and it still doesn't work it is usually:

            • Local firewall on target host does not permit connections from foreign networks

            • Target host does not have pfSense set as its default gateway

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • A
              aloksinha2001
              last edited by Jul 5, 2016, 7:05 AM

              @Derelict:

              This is an internet forum. We can only go by what you tell us. Maybe you should post some screen shots instead of trying to communicate what you think you have done.

              When everything is set correctly and it still doesn't work it is usually:

              • Local firewall on target host does not permit connections from foreign networks

              • Target host does not have pfSense set as its default gateway

              Fair point.

              Added screenshots - atleast the relevant ones…

              Alok

              1 Reply Last reply Reply Quote 0
              • D
                Derelict LAYER 8 Netgate
                last edited by Jul 5, 2016, 7:20 AM

                Why are you defining 192.168.4.0/24 and 192.168.14.0/24 as both local and a remote networks. They are local or remote, not both.

                I would back off and work one site at a time, thinking carefully about the design you want and adding another endpoint only after you get the previous working.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • A
                  aloksinha2001
                  last edited by Jul 5, 2016, 7:31 AM

                  @Derelict:

                  Why are you defining 192.168.4.0/24 and 192.168.14.0/24 as both local and a remote networks. They are local or remote, not both.

                  I would back off and work one site at a time, thinking carefully about the design you want and adding another endpoint only after you get the previous working.

                  Coz the pfsense book said so.

                  Also, there was a logic - 192.168.4.0/24 is local for the clients on the 192.168.14.0/24 network, as they need to route this into

                  Having made that comment, based on your direction - I have made changes and tested. No change in the issue. Have returned it back to as is shown in this

                  1 Reply Last reply Reply Quote 0
                  • D
                    Derelict LAYER 8 Netgate
                    last edited by Jul 5, 2016, 8:04 AM

                    • Local firewall on target host does not permit connections from foreign networks

                    • Target host does not have pfSense set as its default gateway

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • A
                      aloksinha2001
                      last edited by Jul 5, 2016, 8:27 AM Jul 5, 2016, 8:23 AM

                      @Derelict:

                      • Local firewall on target host does not permit connections from foreign networks

                      It actually does, the G8AuthServer is an alias for all the IP addresses from which I am coming in.

                      And this is enabled on Server….

                      and is enabled on Client….

                      • Target host does not have pfSense set as its default gateway

                      You may be on to something here.

                      However, see these - This is on the server firewall

                      This is on the client firewall - [ Point to note - from the client network, we CAN access all the server network resources ] It is the reverse (from server network to client network) resources, we cannot access.

                      1 Reply Last reply Reply Quote 0
                      • D
                        Derelict LAYER 8 Netgate
                        last edited by Jul 5, 2016, 8:26 AM

                        No. That "software" firewall on the host on the local LAN that the remote hosts are trying to contact. Windows firewall is notorious for making people think their VPN is not working when it is working just fine.

                        Packet capture on the local LAN. Are pings going out LAN but nothing in response?

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • A
                          aloksinha2001
                          last edited by Jul 5, 2016, 8:48 AM

                          @Derelict:

                          No. That "software" firewall on the host on the local LAN that the remote hosts are trying to contact. Windows firewall is notorious for making people think their VPN is not working when it is working just fine.

                          Packet capture on the local LAN. Are pings going out LAN but nothing in response?

                          We do NOT have any (almost 0) windows resources, most of it is Linux. We have these resources open and available from all other points. Hence the local firewall on the target machine is NOT the case.

                          I am sending a ping request to 192.168.14.1 (the client firewall) from 192.168.5.206 (a machine inside my server network)

                          Here is the packet capture
                          From Server network device (192.168.6.206) to Client Firewall (192.168.14.1)  - This is on the LAN interface.

                          From Server network device (192.168.6.206) to Client Firewall (192.168.14.1)  - This is on the OpenVPN interface

                          On the client firewall - no packets are captured for any type of interface or filters of this host

                          Additional information.
                          I do continue to get these errors in the route log

                          1 Reply Last reply Reply Quote 0
                          • A
                            aloksinha2001
                            last edited by Jul 6, 2016, 1:45 PM

                            Bump ! Sorry team for bumping this up…

                            But, do need a solution for this.
                            Will appreciate any help/pointers/direction of investigation.

                            Alok

                            1 Reply Last reply Reply Quote 0
                            13 out of 13
                            • First post
                              13/13
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                              This community forum collects and processes your personal information.
                              consent.not_received