Site to site problem
-
Hello,
I've set up a site-to-site OpenVPN.
pfSense 2.3.1
Main office has a static IP
Main office IP range 192.168.175.0/24
Remote office has a static IP
Remote office IP range 192.168.185.0/24
Setup the server on the main office with the following settings
prot: UDP
port: 1195
Shared key
IPv4 tunnel Network: 192.168.177.0/24
IPv4 Remote Network: 192.168.185.0/24
Setup client on remote site with the following settings
prot: UDP
Server host: static IP from main office
port: 1195
Shared key
IPv4 tunnel network: 192.168.177.0/24
IPv4 Remote Network: 192.168.175.0/24
Remote site can connect to resources on Main office (ping, smb, ftp…)
Main office cannot ping or connect to remote office's network
Opened port 1195 in the openvpn rules on both sides
What am I missing here?
Thanks
-
A route (or lack thereof) on the remote office side? Is pfSense the default gateway for machines in the remote office? If not, does the actual default gateway have a route pointing traffic for 192.168.175.0/24 over to your pfSense box? Make sure to check the resources in the remote office. Sometimes people get creative with "security" and don't assign a default gateway to servers/devices that shouldn't be accessing the Internet.
I would also do a packet capture on the remote office pfSense to verify that the packets from the main office are indeed getting that far. Then a packet capture on a resource as you attempt to access it from the main office.
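One way to do the route check this reply suggests, as an added example that is not part of the thread: parse a FreeBSD/pfSense-style `netstat -rn` table from a remote-office host and see whether a packet for a main-office address would be handed to the remote pfSense (192.168.185.1 in this thread) or to some other default gateway. The netstat text is constructed; the addresses are the thread's.

```python
# Added example, not from the thread: parse a FreeBSD/pfSense-style
# `netstat -rn` IPv4 table from a remote-office host and check whether replies
# to the main-office LAN would be handed to the pfSense box (192.168.185.1 in
# the thread). The netstat text below is constructed.
import ipaddress

MAIN_OFFICE_LAN = ipaddress.ip_network("192.168.175.0/24")
REMOTE_PFSENSE = ipaddress.ip_address("192.168.185.1")

# Constructed: a host whose default gateway is a different router that knows
# nothing about the tunnel, so main-office traffic never comes back.
BROKEN_HOST = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.185.254    UGS        em0
127.0.0.1          link#2             UH         lo0
192.168.185.0/24   link#1             U          em0
192.168.185.8      link#1             UHS        lo0
"""

# Constructed: the same host after adding a static route for the main-office LAN.
FIXED_HOST = BROKEN_HOST + "192.168.175.0/24   192.168.185.1      UGS        em0\n"


def parse_routes(text):
    """Return (network, gateway) pairs; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue          # header text and other non-route lines
        routes.append((net, parts[1]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def return_path_via_pfsense(netstat_text, main_host=str(MAIN_OFFICE_LAN[50])):
    """True if this host sends packets for a main-office address to pfSense."""
    hit = lookup(parse_routes(netstat_text), main_host)
    return hit is not None and hit[1] == str(REMOTE_PFSENSE)


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_HOST), ("fixed", FIXED_HOST)):
        print(name, return_path_via_pfsense(table))
```

On the broken table the only match for 192.168.175.50 is the default route, so replies go to 192.168.185.254 and the main office never sees them; the fixed table adds a more specific /24 pointing at the pfSense LAN address. Run the same check against every server the main office cannot reach.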
-
You don't open the OpenVPN port on the OpenVPN rules. You pass the traffic you want to allow from the Remote Networks coming in through the tunnel.
You need to pass the UDP/1195 on the Server's WAN so the client can connect to the server to establish the tunnel. This has obviously been done or the tunnel would not be coming up.
You might want to start with rules like this on both sides.
If you do that and still can't contact hosts on one side, it is probably the local firewall on the target host (ie Windows Firewall).
![Screen Shot 2016-07-15 at 12.02.23 AM.png](/public/imported_attachments/1/Screen Shot 2016-07-15 at 12.02.23 AM.png)
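To make the point of this reply concrete, here is an added example (not from the thread or from pfSense) that models how pf evaluates rules: per ingress interface, first match wins, and anything unmatched is blocked. Traffic arriving through the tunnel enters on the OpenVPN interface, so a UDP/1195 rule, on WAN or on the OpenVPN tab, never matches it. The rule sets are constructed and the interface name "openvpn" is an assumption.

```python
# Added example, not from the thread: a minimal model of pfSense rule
# evaluation (per ingress interface, first match wins, default block) showing
# why a UDP/1195 rule does not pass traffic that arrives through the tunnel.
# Addresses are the thread's; rule sets and the interface names are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
MAIN_LAN = ipaddress.ip_network("192.168.175.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.185.0/24")


@dataclass
class Rule:
    iface: str                        # interface the packet enters on
    action: str                       # "pass" or "block"
    proto: str = "any"                # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None       # None = any destination port

    def matches(self, iface, proto, src, dst, dport):
        return (self.iface == iface
                and self.proto in ("any", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(rules, iface, proto, src, dst, dport):
    """First matching rule on the ingress interface decides; no match = block."""
    for rule in rules:
        if rule.matches(iface, proto, src, dst, dport):
            return rule.action
    return "block"


# Constructed: what the first post describes. The server's WAN passes the
# OpenVPN control port (needed for the tunnel to come up) and the OpenVPN tab
# also "opens" 1195, which matches nothing that travels inside the tunnel.
BEFORE = [
    Rule("wan", "pass", "udp", dport=1195),
    Rule("openvpn", "pass", "udp", dport=1195),
]

# Constructed: after the reply's advice, the OpenVPN interface passes the
# remote LAN's traffic itself. The mirror rule is needed on the other box.
AFTER = BEFORE + [Rule("openvpn", "pass", "any", MAIN_LAN, REMOTE_LAN)]


def main_office_to_freepbx(rules):
    """A head-office PC browsing the remote FreePBX web GUI via the tunnel."""
    return evaluate(rules, "openvpn", "tcp", "192.168.175.50", "192.168.185.80", 80)


if __name__ == "__main__":
    print("before:", main_office_to_freepbx(BEFORE))
    print("after: ", main_office_to_freepbx(AFTER))
```

The same evaluation has to succeed on both firewalls: the main-office box needs an OpenVPN-interface rule with source 192.168.185.0/24 for the reverse direction. If both pass and a host still does not answer, the remaining filter is the one on the host itself.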
-
Now I'm getting a bit further.
Remote office can access head office's resources except for the FreePBX IAX2 trunk.
Head office can access some resources. Here's what's still not working or working.
Head office can connect to remote office's pfSense GUI 192.168.185.1
Head office can't connect to remote office's FreePBX (185.8) or OpenMediaVault (185.49)
Remote office can connect to head office's FreePBX and pfSense GUI.
I can see in the fw logs that my PC 192.168.175.50:52764 passes to the FreePBX web GUI 192.168.185.80:80
Thanks
![Remote Lan rules.png](/public/imported_attachments/1/Remote Lan rules.png)
![Remote openvpn rules.png](/public/imported_attachments/1/Remote openvpn rules.png)
-
I've run Wireshark on my system and the "expert" information shows reassembly error protocol tcp.
Attached some screenshots.
Also, packet capture between the two FreePBX boxes shows bad checksum only from remote site to head office.
192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0xe996 -> 0xb1ab!] UDP, length 14
192.168.175.21.4569 > 192.168.185.8.4569: [udp sum ok] UDP, length 14
![Wireshark capture.png](/public/imported_attachments/1/Wireshark capture.png)
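For anyone chasing the "bad udp cksum" lines above, here is an added example (not from the thread) that recomputes an IPv4 UDP checksum exactly as tcpdump does before printing that verdict, and pulls the per-direction verdicts out of tcpdump output. One caveat worth knowing when reading such a capture: if it was taken on the sending host itself, outbound packets often show a bad checksum only because the NIC fills it in after the capture point (transmit checksum offload), so a capture on the receiving side is the one that settles whether the packet really arrived damaged. The datagram below is constructed (a 14-byte payload between the two FreePBX addresses on port 4569); the two tcpdump lines are the ones quoted in the post.

```python
# Added example, not from the thread: recompute an IPv4 UDP checksum the way
# tcpdump does before printing "bad udp cksum", and extract the bad/ok verdicts
# from tcpdump lines. The datagram is constructed (14-byte payload between the
# thread's FreePBX addresses on the IAX2 port); the tcpdump lines are the ones
# quoted in the post.
import re
import struct

FREEPBX_REMOTE = "192.168.185.8"
FREEPBX_MAIN = "192.168.175.21"
IAX2_PORT = 4569
SAMPLE_PAYLOAD = bytes(range(14))          # constructed, not real IAX2 data

SAMPLE_TCPDUMP = """\
192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0xe996 -> 0xb1ab!] UDP, length 14
192.168.175.21.4569 > 192.168.185.8.4569: [udp sum ok] UDP, length 14
"""


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip, dst_ip, udp_segment):
    """RFC 768: checksum over pseudo-header + UDP header (field zeroed) + data."""
    pseudo = (bytes(int(o) for o in src_ip.split("."))
              + bytes(int(o) for o in dst_ip.split("."))
              + struct.pack("!BBH", 0, 17, len(udp_segment)))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF          # an all-zero result is transmitted as 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """UDP header + payload with a correct checksum for the given IPv4 pair."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = udp_checksum(src_ip, dst_ip, header)
    return header[:6] + struct.pack("!H", csum) + header[8:]


def verify_udp(src_ip, dst_ip, udp_segment):
    """Return (ok, found, expected): the three facts tcpdump prints."""
    found = struct.unpack("!H", udp_segment[6:8])[0]
    if found == 0:
        return True, 0, 0          # IPv4 permits a disabled (zero) checksum
    expected = udp_checksum(src_ip, dst_ip, udp_segment)
    return found == expected, found, expected


LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
                     r"\[(bad udp cksum|udp sum ok)")


def checksum_verdicts(tcpdump_text):
    """List of (src_ip, dst_ip, bad) from tcpdump -v style UDP lines."""
    verdicts = []
    for line in tcpdump_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            verdicts.append((m.group(1), m.group(3), m.group(5).startswith("bad")))
    return verdicts


if __name__ == "__main__":
    pkt = build_udp(FREEPBX_REMOTE, FREEPBX_MAIN, IAX2_PORT, IAX2_PORT, SAMPLE_PAYLOAD)
    print("constructed datagram verifies:", verify_udp(FREEPBX_REMOTE, FREEPBX_MAIN, pkt))
    for src, dst, bad in checksum_verdicts(SAMPLE_TCPDUMP):
        print(f"{src} -> {dst}: {'BAD' if bad else 'ok'}")
```

Feed `verify_udp` the UDP bytes from a capture taken at the receiving FreePBX (after decryption, on the LAN side) together with the IP pair: a mismatch there is real corruption on the path, while a mismatch only in the sender's own capture points at offload rather than at the tunnel.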