Can't ping internal network
I set up OpenVPN using the wizard and it works fine; the only problem is I cannot get to internal devices and ping them. I can ping the pfSense IP 192.168.1.1 but not the rest. Here are the rules
I can ping the pfSense IP 192.168.1.1 but not the rest.
Is pfSense the default gateway for the rest?
Yes it is
Also check if client firewalls are running and are blocking access from unknown networks.
Thanks for your help. I just bumped into something: the only device that I can't ping is the server, which is Windows and has a static DHCP lease from pfSense of 192.168.1.2. Looks like the cause is that it has a static IP, but that will be a problem.
The ping from Windows CMD
OK, forget the IP thing. I tried to ping a phone (S6) and a Windows 10 laptop and they did not ping; the only thing I can ping is the UniFi AP. So I turned off the Windows firewall on the server and laptop and I can ping them now.
Any ideas, anyone, what the problem might be? I never had to turn off firewalls to get to the internal network using OpenVPN.
The Windows firewalls? As you've figured out yourself.
The hosts' firewalls block access from other subnets by default, as already mentioned. So set up the firewalls to allow access from the VPN tunnel subnet.
You may also add an SNAT rule to pfSense which translates the VPN client's source IP on packets destined to a LAN host into pfSense's LAN IP. That's what many other dumb routers do by default.
What IP are you using for your remote clients, and what network are you using for your tunnel?
What IP does your client have on its remote network?
Firewalls are going to block remote networks quite often, yes. Windows out of the box is for sure not going to let you ping from a non-local network.
So you are on some remote network, let's say Starbucks, and you get an IP 192.168.10.14. Your tunnel network on pfSense is, say, 10.0.8/24 and your local home network behind pfSense is 192.168.1. When you connect, your remote client gets a 10.0.8.x IP and it talks down the tunnel to get to 192.168.1/24, etc.
Where you can have problems is if the Starbucks you're at hands you a 192.168.1.x IP. Now does your client know to go down the tunnel to get to a 192.168.1 IP, or why should it? That is its local network. This is why 192.168.0 or .1 is normally a bad idea to use as a local network: it is too common, and you could have problems when you're on a remote network and want to VPN to your network.
I would suggest you change your network to something less common. Use an uncommon tunnel network, and make sure all your local devices' firewalls allow access from your tunnel network. And yes, all your local devices, if you want to be able to get to them remotely, would have to have internet access through pfSense, i.e. they point to pfSense as their gateway.
Local software firewalls seem to be a killer for users. Or they install some third-party antivirus that is also running a firewall, etc.
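The subnet-clash problem described above can be checked before travelling. The script below is an added example, not code from the thread or from pfSense: it models a VPN client's routing table (the directly connected remote LAN plus the routes pushed by the OpenVPN server through an assumed interface named tun0) and does a longest-prefix-match lookup for a home host. The addresses 192.168.1.0/24 (home LAN) and 10.0.8.0/24 (tunnel) are the ones quoted in the thread; the remote LANs are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Networks from the thread: the home LAN behind pfSense and the OpenVPN tunnel network.
HOME_LAN = ip_network("192.168.1.0/24")
TUNNEL = ip_network("10.0.8.0/24")


def build_client_routes(remote_lan, pushed_routes):
    """Model a VPN client's routing table.

    The remote (e.g. coffee-shop) LAN is a directly connected route on the
    Wi-Fi interface; every route pushed by the OpenVPN server points at the
    tunnel interface (assumed name "tun0").
    """
    routes = [(ip_network(remote_lan), "wifi")]
    routes += [(ip_network(r), "tun0") for r in pushed_routes]
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match for dst.

    Returns the interface(s) that tie for the longest matching prefix. More
    than one entry means the kernel will break the tie on interface metric,
    i.e. the tunnel route is NOT reliably preferred for that destination.
    """
    dst = ip_address(dst)
    hits = [(net, iface) for net, iface in routes if dst in net]
    if not hits:
        return []
    longest = max(net.prefixlen for net, _ in hits)
    return [iface for net, iface in hits if net.prefixlen == longest]


def overlap_report(remote_lan, home_lan=HOME_LAN, tunnel=TUNNEL):
    """List every pair of networks that overlap for a client sitting on remote_lan."""
    remote = ip_network(remote_lan)
    report = []
    if remote.overlaps(home_lan):
        report.append(f"remote LAN {remote} overlaps home LAN {home_lan}")
    if remote.overlaps(tunnel):
        report.append(f"remote LAN {remote} overlaps tunnel {tunnel}")
    if home_lan.overlaps(tunnel):
        report.append(f"home LAN {home_lan} overlaps tunnel {tunnel}")
    return report


if __name__ == "__main__":
    pushed = [str(HOME_LAN), str(TUNNEL)]
    # Constructed remote networks: a harmless one and the clashing one from the thread.
    for remote in ("192.168.10.0/24", "192.168.1.0/24"):
        routes = build_client_routes(remote, pushed)
        print(remote, "-> 192.168.1.2 via", route_lookup(routes, "192.168.1.2"),
              overlap_report(remote) or "no overlap")
```

With a 192.168.10.0/24 remote network the lookup for 192.168.1.2 returns only tun0; with a 192.168.1.0/24 remote network it returns both interfaces, which is the ambiguous case the post warns about. The same lookup also shows why a more specific pushed route (a longer prefix) wins over the connected route, which is the usual workaround when renumbering the home LAN is not an option.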
Tunnel Network is 10.0.8.0/24
pfSense gateway 192.168.1.1/24
client gets 10.0.0.8.2