Cant Ping\Access anything on Local Network apart from the gateway.



  • Hi There,

    I'm currently looking at a setup that has two Interfaces\WAN connections. One of the WAN Interfaces seems to be working with OpenVPN just fine, but the other isn't working correctly.  This is what I have currently for the non working interface.

    Tunnel Network is 10.20.2.0/24
    LAN is 10.20.0.0/24

    When i connect my client (running as an Administrator as using Windows OS) it seems to connect fine and i get an address of 10.20.2.6.  However i can not access\ping any local devices on the 10.20.0.0 LAN. I can  however  ping and access the psense gateway\firewall which is on 10.20.0.1.

    From the LAN i cant ping the VPN client. However from the gateway\firewall i can do a successfully ping to the VPN client.

    As you will no doubt tell from the above description, My knowledge of networks is limited and i'm a Psense newbie, but something is telling me i may need to do some port forwarding.  (From looking at the working OPENVPN setup on the other interface, i cant see anything obvious that i should be changing and the openvpn setup seems identical apart from the tunnel network address)

    Any help would be greatly appreciated.

    Thanks



  • Check if the routes are set correctly at the client? Run "route print" at the Windows command line while the VPN is established and post the output, please.



  • Thanks Viragomann,

    Here is the result of my route print.

    Many thanks for your time.

    notworking_route.txt
    [working route.txt](/public/imported_attachments/1/working route.txt)



  • I think the "IPv4 Local Networks" must be set wrong at server. It seems you have 10.20.0.0/16 there for your LAN instead of 10.20.0.0/24, so it includes your tunnel subnet at the failing setup, but not at the working one.



  • Sorry Viragomann

    but can you point me in the direction where I would check this? is it a forwarding rule?

    many thanks



  • just another question could I not just change the tunnel network to another address instead?



  • No, that's in the OpenVPN server settings. Go down to "IPv4 Local Networks"  and check your entry.



  • @viragomann:

    No, that's in the OpenVPN server settings. Go down to "IPv4 Local Networks"  and check your entry.

    Yes, any tunnel subnet beyond 10.20.0.0/16 (10.20.0.0 - 10.20.255.255) should work also.



  • Please see attached. I do have redirect gate way enabled. But when unchecking that I can see the ipv4 local networks to be 10.20.0.0/24?




  • Yeah, you have redirect gateway, so there are no further route needed.
    But you have strange routes at your client that are caused by the OpenVPN setup.

    Do you have something special in the "Custom options" in the server settings or client specific overrides?



  • I will check them out, but i don't believe i have any custom options set.  Is there a way i can generate the OpenVPN server config and post it?



  • Just make screenshots and add it to your post as attachments. Don't use spaces in the file names.



  • Just checked I have no client specific overrides and I have nothing set in advanced configuration.

    Re:
    Do you have something special in the "Custom options" in the server ?  Where would I find custom options?



  • In the server config right down at the bottom.

    It would be more meaningful to post screenshots here. It's easy.



  • viragomann please find attached server screenshots

    ![SERVER CONFIG 1.png](/public/imported_attachments/1/SERVER CONFIG 1.png)
    ![SERVER CONFIG 1.png_thumb](/public/imported_attachments/1/SERVER CONFIG 1.png_thumb)
    ![SERVER CONFIG 2.png](/public/imported_attachments/1/SERVER CONFIG 2.png)
    ![SERVER CONFIG 2.png_thumb](/public/imported_attachments/1/SERVER CONFIG 2.png_thumb)
    ![SERVER CONFIG 3.png](/public/imported_attachments/1/SERVER CONFIG 3.png)
    ![SERVER CONFIG 3.png_thumb](/public/imported_attachments/1/SERVER CONFIG 3.png_thumb)
    ![SERVER CONFIG 4.png](/public/imported_attachments/1/SERVER CONFIG 4.png)
    ![SERVER CONFIG 4.png_thumb](/public/imported_attachments/1/SERVER CONFIG 4.png_thumb)



  • Everything looks fine in the setup. So I've no Idea where the strange routes come from.
    Maybe they are not from the VPN setup. Make a route print on your Windows while no VPN is connected.



  • Hi - I have attached 3 route prints.  One without any VPN as requested. One with the working VPN for the other WAN link, and one for the non working wan link.

    Route_with_no_connection.txt
    Route_with_not_working_WANVPNinterface.txt
    Route_with_working_WANVPNinterface.txt



  • Obviously the strange route is caused by the VPN connection.

    10.20.0.0      255.255.0.0        10.20.0.1        10.20.2.6     31
    

    But your config looks well. So no idea why.

    So try to change the VPN tunnel subnet to 10.23.0.0/24 or any other outside of 10.20.0.0/16.



  • Ok so I've changed the tunnel to what you suggested and I now have access to both the local network and gateway https://forum.pfsense.org/Smileys/default/grin.gif

    However I know cant access the internet? getting closer lol



  • For accessing the internet over VPN it's needed to add an outbound NAT rule for each VPN tunnel subnet. Firewall > NAT > Outbound

    By default, pfsense does this automatically if your outbound NAT is set to automatic or hybrid rule generation. But if you change the tunnel that could fail.



  • Thanks very much for all your help, I really appreciate it. Its drove me nuts this problem for days.

    I added the attached NAT Outbound rule and all is working.

    Out of interest why do you think the 10.20.2.0 tunnel wasn't working.  I had also already tried changing the address to be 10.20.0.0 which also didn't work.  I'm not the best when it comes to networks!

    Thanks again.




  • Fine that everything is working at last.

    I mentioned the problem above. Your client gets a route pushed from the VPN server that directs the subnet 10.20.0.0/16 to 10.20.0.1. I don't know, where this comes from and you get it on both setup, the working and the not working one. This subnet includes the tunnel subnet (10.20.2.0/24) which you have used before. So your access to the VPN server was miss-routed.
    The other tunnel subnet was outside of 10.20.0.0/16, so it worked.



  • Thanks again for all your help.