Site to Site - Not able to access client networks from server network - updated



  • Team,

    I searched the forums for a solution, did not find one hence posting this here.

    We have 3 pfsense deployed.
      - 10.0.10.0/24 - the VPN network.
      - 192.168.5.0/24 - the server (home network)
      - 192.168.4.0/24 - Client 1 network
      - 192.168.14.0/24 - Client 2 network.

    The configuration has been done, in accordance with pfsense book -  OpenVPN Example Site-to-Site SSL/TLS Network (Chapter 20.7 - Page 400)

    - VPN connection gets established - between all 3 networks.

    - Client (1 or 2)  firewall
          Access any other tcp/udp services on Server firewall - Yes
          Access any other tcp/udp services  to internal machines on server network - Yes
          As you can see, from the Client 1 machine - I CAN ssh into an internal IP address (192.168.5.206) of the SERVER VPN network (192.168.5.0/24)

    - Client (1 or 2) - network devices
          Access any other tcp/udp services to server firewall - No
          Access any other tcp/udp services to internal machines on server network - No

    - Server firewall
          Access any other tcp/udp services to client firewall - No
          Access any other tcp/udp services to internal machines on client network - No.

    Expectation of this design was All three networks should be able to ping  (or access any other tcp/udp services)  with all other devices on the three networks.

    What am I doing incorrect. ?

    Here are the screen shots


    1. Server side (192.168.5.1/24) - OpenVPN settings          

    2. Server side(192.168.5.1/24) - Cient Specific settings (for 192.168.14.x/24

    3. Server side rules - WAN

    4. Server side rules - OpenVPN

    5. Server Routes


    6. Client 1 (14.x) - VPN

    7. Client 1 (14.x) - Firewall rules - WAN

    8. Client 1 (14.x) - Firewall rules - VPN

    9. Client 1 (14.x) - Routes

    I have not attached the scfeenshots from Client 2 - since, the working/and the problems are similar.
    However, client 2 is connected on
    192.168.4.0/24

    This post has been modified to add screenshots.
    Alok




  • LAYER 8 Netgate

    @aloksinha2001:

    Firewall Rules
    Enabled TCP/UPD on OpenVPN
      - Client 1/2, Server

    Expectation of this design was All three networks should be able to ping (communicate) with all other devices on the three neworks.

    What am I doing incorrect. ?

    Alok

    Ping is ICMP, not TCP or UDP.



  • have the same problem.from vpn i'm not able to reach pfsense web config eather



  • @Derelict:

    @aloksinha2001:

    Firewall Rules
    Enabled TCP/UPD on OpenVPN
      - Client 1/2, Server

    Expectation of this design was All three networks should be able to ping (communicate) with all other devices on the three neworks.

    What am I doing incorrect. ?

    Alok

    Ping is ICMP, not TCP or UDP.

    You are correct - when I said ping, I meant access to any TCP/UDP services (AND Ping)

    1. To add to my information, ICMP is also enabled on all three networks.
    2. Please read Ping as (Ping and/or Any connection)

    Alok


  • LAYER 8 Netgate

    This is an internet forum. We can only go by what you tell us. Maybe you should post some screen shots instead of trying to communicate what you think you have done.

    When everything is set correctly and it still doesn't work it is usually:

    • Local firewall on target host does not permit connections from foreign networks

    • Target host does not have pfSense set as its default gateway



  • @Derelict:

    This is an internet forum. We can only go by what you tell us. Maybe you should post some screen shots instead of trying to communicate what you think you have done.

    When everything is set correctly and it still doesn't work it is usually:

    • Local firewall on target host does not permit connections from foreign networks

    • Target host does not have pfSense set as its default gateway

    Fair point.

    Added screenshots - atleast the relevant ones…

    Alok


  • LAYER 8 Netgate

    Why are you defining 192.168.4.0/24 and 192.168.14.0/24 as both local and a remote networks. They are local or remote, not both.

    I would back off and work one site at a time, thinking carefully about the design you want and adding another endpoint only after you get the previous working.



  • @Derelict:

    Why are you defining 192.168.4.0/24 and 192.168.14.0/24 as both local and a remote networks. They are local or remote, not both.

    I would back off and work one site at a time, thinking carefully about the design you want and adding another endpoint only after you get the previous working.

    Coz the pfsense book said so.

    Also, there was a logic - 192.168.4.0/24 is local for the clients on the 192.168.14.0/24 network, as they need to route this into

    Having made that comment, based on your direction - I have made changes and tested. No change in the issue. Have returned it back to as is shown in this


  • LAYER 8 Netgate

    • Local firewall on target host does not permit connections from foreign networks

    • Target host does not have pfSense set as its default gateway



  • @Derelict:

    • Local firewall on target host does not permit connections from foreign networks

    It actually does, the G8AuthServer is an alias for all the IP addresses from which I am coming in.

    And this is enabled on Server….

    and is enabled on Client….

    • Target host does not have pfSense set as its default gateway

    You may be on to something here.

    However, see these - This is on the server firewall

    This is on the client firewall - [ Point to note - from the client network, we CAN access all the server network resources ] It is the reverse (from server network to client network) resources, we cannot access.


  • LAYER 8 Netgate

    No. That "software" firewall on the host on the local LAN that the remote hosts are trying to contact. Windows firewall is notorious for making people think their VPN is not working when it is working just fine.

    Packet capture on the local LAN. Are pings going out LAN but nothing in response?



  • @Derelict:

    No. That "software" firewall on the host on the local LAN that the remote hosts are trying to contact. Windows firewall is notorious for making people think their VPN is not working when it is working just fine.

    Packet capture on the local LAN. Are pings going out LAN but nothing in response?

    We do NOT have any (almost 0) windows resources, most of it is Linux. We have these resources open and available from all other points. Hence the local firewall on the target machine is NOT the case.

    I am sending a ping request to 192.168.14.1 (the client firewall) from 192.168.5.206 (a machine inside my server network)

    Here is the packet capture
    From Server network device (192.168.6.206) to Client Firewall (192.168.14.1)  - This is on the LAN interface.

    From Server network device (192.168.6.206) to Client Firewall (192.168.14.1)  - This is on the OpenVPN interface

    On the client firewall - no packets are captured for any type of interface or filters of this host

    Additional information.
    I do continue to get these errors in the route log



  • Bump ! Sorry team for bumping this up…

    But, do need a solution for this.
    Will appreciate any help/pointers/direction of investigation.

    Alok


Log in to reply