Cannot reach certain IPs on remote LAN across OpenVPN site-to-site connection
This is a strange one that I can't get my head around.
We have a site-to-site OpenVPN set-up something like this:

    Site A: 192.168.0.0/24 (OpenVPN Server) ---> 10.0.0.9/24 (Tunnel Network) ---> Site B: 192.168.3.0/24 (OpenVPN Client)
From Site B, I can reach the following IPs on Site A:
- 192.168.0.1 (pfSense box)
- 192.168.0.3 (server)
However, I cannot reach 192.168.0.47 (which is a desktop machine on Site A) from Site B.
When I'm positioned on Site A I can reach the same machine just fine.
What could I possibly have in my set-up that allows me to reach certain IPs in Site A from Site B - but not all of them?
-
Some further information on this.
Running a tracert from Site B to a reachable machine in Site A yields the following:
    $>tracert 192.168.0.1

    Tracing route to 192.168.0.1 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  pfSense-jm.archway.local [192.168.3.1]
      2    71 ms    54 ms    62 ms  192.168.0.1
Running tracert against the unreachable IP yields the following:
    $>tracert 192.168.0.47

    Tracing route to archway-pc05.archway.local [192.168.0.47]
    over a maximum of 30 hops:

      1    <1 ms    <1 ms    <1 ms  pfSense-jm.archway.local [192.168.3.1]
      2     *       64 ms    52 ms  10.0.9.1
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
Note how it's heading out the Tunnel network. Would this be expected behavior?
-
Packet Capture is your friend. Have you tried doing a packet capture on the LAN interface of the firewall on Site A as you try to do a traceroute to 192.168.0.47?
Is .47 reachable from the firewall in the same site? You might double check your subnet mask on both devices to make sure they are /24 (255.255.255.0).
Is the firewall enabled on this particular workstation? Can you turn it off and test again?
-
If the .47 device is a Windows client then it probably has its own firewall settings that respond to ping from the local subnet but not to remote pings from outside the subnet.
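As an added example (not part of this answer or the thread), here is how to check that theory on the .47 machine itself: the script lists every enabled inbound Windows Firewall rule that allows ICMPv4 echo requests together with its RemoteAddress scope, so a rule limited to LocalSubnet (the usual default for the "File and Printer Sharing (Echo Request - ICMPv4-In)" rule) stands out. It assumes the remote site LAN is 192.168.3.0/24 as in the question, and the fix at the end is commented out so the audit can be run on its own.

```powershell
# Added example, not from the thread: audit inbound ICMPv4 echo-request rules on a
# Windows host and show which remote addresses each one accepts. A rule scoped to
# LocalSubnet answers pings from 192.168.0.0/24 but silently drops pings arriving
# from the VPN peer LAN, which matches the "reachable on-site, dead over the tunnel" symptom.
# Assumption: Site B's LAN is 192.168.3.0/24 (taken from the question).
$RemoteSiteLan = '192.168.3.0/24'

# Every enabled inbound allow rule whose port filter is ICMPv4 echo request (type 8) or any ICMPv4 type.
$echoRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'ICMPv4' -and ("$($pf.IcmpType)" -like '8*' -or "$($pf.IcmpType)" -eq 'Any')
    }

# Show name, profile and remote scope side by side; LocalSubnet-only rules are the suspects.
$report = foreach ($rule in $echoRules) {
    $af = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = (@($af.RemoteAddress) -join ', ')
        CoversSiteB   = (@($af.RemoteAddress) -contains 'Any') -or (@($af.RemoteAddress) -contains $RemoteSiteLan)
    }
}
$report | Format-Table -AutoSize

# Remediation (deliberately commented out): keep the LocalSubnet scope and add the
# remote site's LAN, rather than opening echo requests to Any.
# $report | Where-Object { -not $_.CoversSiteB } | ForEach-Object {
#     Set-NetFirewallRule -DisplayName $_.Name -RemoteAddress @('LocalSubnet', $RemoteSiteLan)
# }
```

Run it in an elevated PowerShell session on the .47 host; the CoversSiteB column tells you directly whether any echo-request rule admits traffic from the VPN peer's subnet.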