Site-to-Site VPN cannot access LAN behind PFsense



  • Hi All,

    I am new to pfSense. I have deployed a VM in our DC, and have purchased a micro-firewall SG-1000.
    I have one public IP address; I created a WAN interface, assigned that IP, and created a LAN interface.
    For the SG-1000 (which is going to act as the client) I also created a WAN and LAN interface, but no public IP for

    So 2 subnets: 1 behind the VM and 1 behind the micro-firewall.

    I then followed this guide: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1

    I see that the OpenVPN tunnel is established on both ends (Status > OpenVPN).

    From the SG-1000 (Diagnostics > Ping), I can ping my server, which is on the remote LAN, but I can't ping it from my laptop connected to the SG-1000.

    Do we require any additional configuration?

    Thank you :)



  • Have you set both the local network and the remote network on the server, and the remote network on the client?
    This is necessary for correct routing.

    Are both pfSense boxes the default gateways in the networks behind them?



  • I don't think I have; where is that config?

    Yes, my pfSense is the default gateway for the client laptop and for the servers at both sites.



  • In the server settings (VPN > OpenVPN > Servers > your server) there are boxes "IPv4 Local network(s)" and "IPv6 Local network(s)". Here you have to enter the local (server-side) subnet which should be reachable over the VPN. There is also a box for remote networks, where you have to enter the client's LAN you want to access via the VPN.
    In the client settings there are boxes for IPv4 and IPv6 remote networks. Here you have to enter the server side's LAN.



  • Server side: sorry, but there is no such box (OpenVPN > Servers).

    There is only tunnel network and remote network, no field to input "local network".

    (Not sure if it matters, but note this is done through shared key / tun / WAN interface.)

    Client side: similar issue (OpenVPN > Clients).

    (Only tunnel network and remote network; nowhere to input "local network".)

    ![PfSsense Openvpn Server.JPG](/public/imported_attachments/1/PfSsense Openvpn Server.JPG)



  • I see. So it's a "Shared Key site-to-site" server. This setup follows different rules than the default SSL/TLS server, which I'm not familiar with.



  • LinxS,

    Just make sure you put the IP subnet of both sites into the "IPv4 Remote network" fields (on both sites), which I think you have done already. What you need is to pay attention to the firewall rules at both sites, whether they allow pinging each other or not.
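As an added worked example (not from any poster in this thread), here is what the two pfSense fields discussed above correspond to in plain OpenVPN configuration for a shared-key, tun-mode site-to-site link. The LAN subnets are borrowed from clint08's post (192.168.50.0/24 behind the server, 192.168.5.0/24 behind the client); the /30 tunnel addresses 10.8.0.1 and 10.8.0.2, the server's public address 203.0.113.10 and the key paths are assumptions. The `route` line that pfSense derives from "IPv4 Remote network(s)" is what lets hosts behind each firewall, and not only the firewall itself, reach the far LAN: Diagnostics > Ping on the SG-1000 sources its packets from the tunnel address, which the far end already knows from `ifconfig`, whereas a laptop's packet needs a route for the far LAN on its own side and a return route for its LAN on the far side.

```ini
# ---- Server side (pfSense VM in the DC): VPN > OpenVPN > Servers ----
# Mode: Peer to Peer (Shared Key); Device mode: tun; Protocol: UDP
dev tun
proto udp
# assumed public WAN address of the server
local 203.0.113.10
port 1194
# assumed path to the pre-shared key (same key on both ends)
secret /var/etc/openvpn/server1.secret
# "IPv4 Tunnel Network" 10.8.0.0/30 becomes the point-to-point addresses
ifconfig 10.8.0.1 10.8.0.2
# "IPv4 Remote network(s)" = the client's LAN. Without this line the server
# has no route back to the laptop, so pings from the client LAN get no reply.
route 192.168.5.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun

# ---- Client side (SG-1000): VPN > OpenVPN > Clients ----
dev tun
proto udp
remote 203.0.113.10 1194
# assumed path to the same pre-shared key
secret /var/etc/openvpn/client1.secret
ifconfig 10.8.0.2 10.8.0.1
# "IPv4 Remote network(s)" = the server's LAN. This is the route the laptop's
# packets follow once they reach the SG-1000, its default gateway.
route 192.168.50.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
```

Routes alone are not enough on pfSense: packets arriving through the tunnel are filtered on the OpenVPN tab under Firewall > Rules, so each side needs a pass rule there (for example source 192.168.5.0/24 to destination 192.168.50.0/24 on the server, and the mirror image on the client) in addition to the usual LAN rules, which is the firewall point bienicc raises. After changing the remote-network fields, restart the OpenVPN service so the new `route` lines take effect. For the SSL/TLS server type that Hanser describes, the fields map differently: "IPv4 Local network(s)" becomes `push "route 192.168.50.0 255.255.255.0"` sent to the client, and the client's LAN has to be known to the server both as a kernel `route` and as an `iroute` in that client's client-specific override.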



  • Is this issue resolved? I think I'm having the same issue.
    I can't ping anything on the client side when I'm on the server-side LAN, but I can ping the server side when I'm on the client side.
    I'm using pfSense as the OpenVPN server and DD-WRT as the VPN client.

    I have 192.168.50.0/24 as my server network,
    192.168.5.0/24 as my client network,
    10.8.0.0/24 as tunnel network.

    Please see my config:



    ![server 2.PNG](/public/imported_attachments/1/server 2.PNG)
    ![server routes.PNG](/public/imported_attachments/1/server routes.PNG)
    ![client route.PNG](/public/imported_attachments/1/client route.PNG)
    ![firewall wan.PNG](/public/imported_attachments/1/firewall wan.PNG)
    ![firewall lan.PNG](/public/imported_attachments/1/firewall lan.PNG)
    ![firewall openvpn.PNG](/public/imported_attachments/1/firewall openvpn.PNG)



  • @clint08:

    Is this issue resolved? I think I'm having the same issue.

    You have a site-to-site with SSL/TLS auth. So this is another type of VPN server; also the DD-WRT client seems to need special settings on the server, because it doesn't provide the settings pfSense does.

    Here a guy got your problem fixed a few days ago: https://forum.pfsense.org/index.php?topic=127455.msg704739#msg704739



  • @bienicc:

    LinxS,

    Just make sure you put the IP subnet of both sites into the "IPv4 Remote network" fields (on both sites), which I think you have done already. What you need is to pay attention to the firewall rules at both sites, whether they allow pinging each other or not.

    That resolved my issue (after making sure I restarted my VPN service). Thank you for your help :D

    Next I am going to implement SSL/TLS, as it is more secure than shared key :)

