Local computer LAN ARP problem



  • Hi everyone, I just started using pfSense very recently. I have three servers with virtual machines. I now use a VPN to access them. Each server has a pfSense router, address 192.168.1.1, 192.168.2.1, 192.168.3.1, and I have a service node virtual machine with static IP 192.168.x.201.

    The VPN server works for bridging; I can log in and ping the router on each one. But if I log in to the VPN on server1, I cannot reach the virtual machine on server1, yet I can reach the other two on the other servers. Same with the VPN on the other servers.

    I checked the ARP table on the router; the MAC address and IP address are there, but on my own computer there is no ARP information about the service node.

    Any idea about this?
    Thanks in advance.



  • please draw a schematic. (don't try to use ascii-art)

    why do you want/need 3 separate pfsense instances ? looks like overcomplicating something easy



  • @heper:

    please draw a schematic. (don't try to use ascii-art)

    why do you want/need 3 separate pfsense instances ? looks like overcomplicating something easy

    Sorry about my terrible drawing.

    The schematic is like this.

    I use static routing for addresses other than the local server, so the VPN client can access all three hosts, except the local service node.



  • Rebel Alliance Global Moderator

    Ok I understand why you might want to run pfsense on each esxi host.  But what is the point of the vpn connection?  And where is that coming from?  Is that coming from somewhere out on the internet past the switch that I guess you have a common network that connects all your pfsense vm's wan interfaces to?

    So this becomes a transit network.  And now you just need to route between your pfsense machines and allow for the correct firewall rules to allow access..  Not understanding the point of a vpn that is a vm client on esxi host 1?

    What is this network that your pfsense wan interfaces are connected to?  Is this public ip space?  Just open to the internet or is this also rfc1918 space?  Where is the vmkern for these esxi hosts, also on this same network?



  • @johnpoz:

    Ok I understand why you might want to run pfsense on each esxi host.  But what is the point of the vpn connection?  And where is that coming from?  Is that coming from somewhere out on the internet past the switch that I guess you have a common network that connects all your pfsense vm's wan interfaces to?

    So this becomes a transit network.  And now you just need to route between your pfsense machines and allow for the correct firewall rules to allow access..  Not understanding the point of a vpn that is a vm client on esxi host 1?

    What is this network that your pfsense wan interfaces are connected to?  Is this public ip space?  Just open to the internet or is this also rfc1918 space?  Where is the vmkern for these esxi hosts, also on this same network?

    Thanks for your reply. The VPN connection is from the LAN of the ESXi host, say pfsense1 WAN address is 10.78.0.250, pfsense2 WAN address is 10.78.0.251, my PC address is 10.78.0.211. Out there is another physical router in the office.

    I use a VPN connection because I set firewall rules that block the WAN address from accessing the LAN network. In the future I have to set up several more virtual machines in each host.

    Nothing related to the firewall: I tried a VPN connection on host2; it can ping all the nodes except (B), which is in the same LAN.


  • Rebel Alliance Global Moderator

    Well if your setup works for esxi1 and esxi2, what is different on esxi3??  I don't understand your goal here, but this is just plain common sense.

    Is this PC doing the vpn actually on a different network or is it really on your 10.78.0/24 ??

    I don't get the point of this setup to be honest..  If you're on rfc1918 space why are you pfsense natting?  Are they?  Are these hosts running enterprise licensing where you can do vmotion between them, etc.  or are they just stand alone esxi free hosts?

    Not getting the point of the vpn other than making your life difficult??  Why would you need to encrypt traffic over this 10.78.0 network?  If you want to firewall your traffic on each esxi host to your normal network that could be done with 1 vm pfsense box or appliance in your real world network, etc.



  • @johnpoz:

    Well if your setup works for esxi1 and esxi2, what is different on esxi3??  I don't understand your goal here, but this is just plain common sense.

    Is this PC doing the vpn actually on a different network or is it really on your 10.78.0/24 ??

    I don't get the point of this setup to be honest..  If you're on rfc1918 space why are you pfsense natting?  Are they?  Are these hosts running enterprise licensing where you can do vmotion between them, etc.  or are they just stand alone esxi free hosts?

    Not getting the point of the vpn other than making your life difficult??  Why would you need to encrypt traffic over this 10.78.0 network?  If you want to firewall your traffic on each esxi host to your normal network that could be done with 1 vm pfsense box or appliance in your real world network, etc.

    Thanks again for your reply. Maybe my description made things complicated. My apologies.
    Simply put: my computer is in network 10.78.0.0/24, and a server has a virtual pfSense router at 10.78.0.250. With the VPN connection I can connect to everything (8.8.8.8, 192.168.1.1) except the node whose address is 192.168.1.201. The VPN client in that subnet is 192.168.1.10; I cannot ping that, and tracert returns nothing.

    The cause I found is ARP: in the router's ARP table 192.168.1.201 is associated with a MAC address, but in my own computer's ARP table there is no record of the address or the MAC.

    Do you have any idea about this problem? Thanks!



  • Finally found the solution for the ARP problem; it's nothing to do with pfSense but with VMware.

    Simply setting promiscuous mode on for the vSwitch will solve this.

    Reference: http://unix.stackexchange.com/questions/23004/openvpn-bridge-cant-access-machines-on-local-network
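Why the vSwitch setting matters, as an added illustration that is not part of this thread: the script below is a constructed toy model of an ESXi standard vSwitch's delivery rule, written to show the ARP exchange the poster describes. A standard vSwitch does not learn MAC addresses from traffic; it only delivers broadcasts and unicast frames addressed to the MAC that ESXi assigned to a vNIC. A tap-bridged OpenVPN client sits behind pfSense's LAN vNIC with its own MAC, so the node's unicast ARP reply has no matching port and is dropped until Promiscuous Mode is set to Accept. The IP addresses are the thread's; the MAC addresses and port names are made up for the example.

```python
"""Toy model of ESXi standard vSwitch frame delivery, to show why a bridged
OpenVPN client cannot complete ARP until promiscuous mode is enabled.
Constructed example; not pfSense, OpenVPN or VMware code."""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"

# IPs from the thread; MACs are made up for the simulation.
CLIENT_IP, CLIENT_MAC = "192.168.1.10", "02:00:00:00:00:10"   # VPN client's tap adapter
NODE_IP, NODE_MAC = "192.168.1.201", "00:50:56:00:02:01"      # service node VM vNIC
PFSENSE_IP, PFSENSE_LAN_MAC = "192.168.1.1", "00:50:56:00:00:01"  # pfSense LAN vNIC (bridge member)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    kind: str        # "arp-request" or "arp-reply"
    target_ip: str


@dataclass
class Port:
    name: str
    mac: str                            # MAC ESXi assigned to this vNIC
    inbox: List[Frame] = field(default_factory=list)


class StandardVSwitch:
    """Delivery rule of a standard vSwitch (simplified).

    No MAC learning: a port receives broadcasts and frames addressed to its own
    vNIC MAC. With Promiscuous Mode = Accept every port receives every frame.
    Forged Transmits governs whether a port may send frames whose source MAC is
    not its own (a bridged VPN client's frames carry the client's MAC).
    Standard vSwitch defaults: Promiscuous Reject, Forged Transmits Accept.
    """

    def __init__(self, promiscuous: bool, forged_transmits: bool = True):
        self.promiscuous = promiscuous
        self.forged_transmits = forged_transmits
        self.ports: List[Port] = []

    def attach(self, port: Port) -> Port:
        self.ports.append(port)
        return port

    def transmit(self, src_port: Port, frame: Frame) -> List[str]:
        """Inject a frame from src_port; return names of ports that received it."""
        if frame.src_mac != src_port.mac and not self.forged_transmits:
            return []  # Forged Transmits = Reject drops it at the sending port
        delivered = []
        for port in self.ports:
            if port is src_port:
                continue
            if self.promiscuous or frame.dst_mac in (BROADCAST, port.mac):
                port.inbox.append(frame)
                delivered.append(port.name)
        return delivered


def simulate_arp(promiscuous: bool, forged_transmits: bool = True) -> Dict[str, bool]:
    """Replay the thread's scenario: the tap-bridged VPN client (behind the
    pfSense LAN vNIC) tries to resolve the service node, and pfSense itself
    resolves the node for comparison."""
    vs = StandardVSwitch(promiscuous, forged_transmits)
    pfsense = vs.attach(Port("pfsense-lan", PFSENSE_LAN_MAC))
    node = vs.attach(Port("service-node", NODE_MAC))

    # 1. Client's ARP request is a broadcast; the bridge sends it out of the
    #    pfSense LAN vNIC with the client's MAC as source.
    request = Frame(CLIENT_MAC, BROADCAST, "arp-request", NODE_IP)
    request_reached_node = "service-node" in vs.transmit(pfsense, request)

    # 2. The node replies unicast to the client's MAC. No vNIC owns that MAC,
    #    so only promiscuous mode lets the pfSense port see it and bridge it back.
    reply_reached_client = False
    if request_reached_node:
        reply = Frame(NODE_MAC, CLIENT_MAC, "arp-reply", CLIENT_IP)
        reply_reached_client = "pfsense-lan" in vs.transmit(node, reply)

    # 3. pfSense's own ARP (source = its own vNIC MAC) works in every mode, which
    #    is why the router's ARP table shows 192.168.1.201 while the client's does not.
    vs.transmit(pfsense, Frame(PFSENSE_LAN_MAC, BROADCAST, "arp-request", NODE_IP))
    own_reply = Frame(NODE_MAC, PFSENSE_LAN_MAC, "arp-reply", PFSENSE_IP)
    router_resolves_node = "pfsense-lan" in vs.transmit(node, own_reply)

    return {
        "request_reached_node": request_reached_node,
        "reply_reached_client": reply_reached_client,
        "router_resolves_node": router_resolves_node,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"promiscuous={mode}: {simulate_arp(mode)}")
```

On a real host the setting lives in the vSwitch or port group Security policy (for a standard vSwitch, for example `esxcli network vswitch standard policy security set --vswitch-name=vSwitch0 --allow-promiscuous=true`); Forged Transmits must also be Accept, which is the standard vSwitch default but not the distributed vSwitch default. Because promiscuous mode lets every VM on that port group receive all of the port group's traffic, scope it to a dedicated port group containing only the bridging VM rather than the whole vSwitch.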