Site-to-site



  • Guys I am at a loss right now. For a week now I am trying to setup a site to site openvpn with two pfsense routers. I have setup the tunnel succesfully on the LAN interfaces of the routers, but no matter what I try, I can't ping client's net from the server's net and vice versa. I can ping the routers' tunnel IPs from the local LANs but I can't reach the remote networks. Funny thing is, from the client router I can ping(Diagnostics->Ping) the remote network(server's) normally but only from the VPN assigned interface.

    But from the server router I can't ping anything but the VPN tunnel IP of the client.

    Server:
    Peer to Peel(SSL/TLS)
    with UDP and TUN.
    I have completed the fields where the network CIDRs are requested. More specifically:
    Tunnel Network : 10.5.0.0/24
    Local Network : 192.168.1.0/24
    Remote Network (Client Router): 192.168.0.0/24

    Client:
    Peer to Peer(SSL/TLS)
    Everything the same to the server except the remote Network where I put the Server's LAN CIDR.

    I have assigned the VPN interfaces  with None IP (tried static as well, nothing changed). The Outbound NAT is set to Automatic in both routers. I have tried static routing with no luck at all as well.

    Please help, I think I am missing something obvious like a gateway or something but I have tried everything I found online, both for the 2.3 release, and for older ones. Both routers run the latest pfsense (2.3.4). I have disabled snort and squidguard just in case.

    The Road warrior VPNs are perfectly functional.

    Thank you in advance for your time.



  • Please post the servers and clients routing table.



  • You only need to assign interfaces if you're going to implement policy based routing across the tunnel.

    Post a network map.

    Post the server1.conf from the server and the client1.conf from the client.



  • OK so just to make reading easier:
    192.168.1.0/24 is the VPN server LAN network
    10.5.0.0/24 is the VPN tunnel network
    192.168.0.0/24 is the VPN client's network

    Also the client router is not the default gateway yet for all the devices in the client network.

    I am attaching three photos:
    -server routing tables
    -client routing tables
    -network map

    Now to the configurations.

    server.conf:

    dev ovpns1
    verb 11
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.1
    tls-server
    server 10.5.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    ifconfig 10.5.0.1 10.5.0.2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'www.dionsa.com' 1"
    lport 1191
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.1.0 255.255.255.0"
    duplicate-cn
    route 192.168.0.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    topology subnet
    tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

    client.conf

    dev ovpnc3
    verb 11
    dev-type tun
    tun-ipv6
    dev-node /dev/tun3
    writepid /var/run/openvpn_client3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.0.245
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client3.sock unix
    remote "server static ip" 1191
    ifconfig 10.5.0.2 10.5.0.1
    route 192.168.1.0 255.255.255.0
    ca /var/etc/openvpn/client3.ca
    cert /var/etc/openvpn/client3.cert
    key /var/etc/openvpn/client3.key
    tls-auth /var/etc/openvpn/client3.tls-auth 1
    resolv-retry infinite
    topology subnet
    remote-cert-tls server
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

    Thank you very much for your time.





    ![Network Map.jpg](/public/imported_attachments/1/Network Map.jpg)
    ![Network Map.jpg_thumb](/public/imported_attachments/1/Network Map.jpg_thumb)



  • @johnied:

    Also the client router is not the default gateway yet for all the devices in the client network.

    If the router isn't the default gateway, packets from the LAN devices to the remote network won't not be directed to the vpn client.

    So you either have to add a static route on each of the LAN devices on client site to direct packets destined for the servers LAN to pfSense or you do SNAT on client.



  • On each router I have a local VPN server with different tunnel network of course. For example on the client router I have a local VPN server(to have access until the site-to-site issue is resolved). The local VPN server's tunnel network is 10.1.0.0/24. In order to bypass the gateway constraint, I added an outbound NAT as shown in the picture attached, and that way I can see all devices through the above connection. The local VPN server is also in the LAN interface (same with the site-to-site client).

    I tried adding  the same NAT rule with the site-to-site tunnel IP(10.5.0.0/24) but no luck. Is there anything I have to change to the rule because it is the client router on the site-to-site VPN connection?

    Also how do I add a static route on each of the LAN devices on client site.
    The static routes fields are Destination network and Gateway. Where do i put the LAN device ip and what should the gateway be for it to work?

    What really bothers me is that:
    -I can't ping 192.168.0.245(the VPN client router LAN IP) from the server LAN.
    -From Diagnostics->Ping in the client router, I can ping every device in the server's LAN but only on the VPN site-to-site interface(on the LAN interface I cant ping to the server's network).
    -From Diagnostics->Ping in the server router, I can't ping anything on the client's network(not even in the VPN site-to-site interface).

    Thank you.

    ![Local VPN NAT.jpg](/public/imported_attachments/1/Local VPN NAT.jpg)
    ![Local VPN NAT.jpg_thumb](/public/imported_attachments/1/Local VPN NAT.jpg_thumb)



  • If you're running multiple vpn instances on pfSense you should assign an interface to the site-to-site client and server to avoid miss-routings.

    The NAT rule for the site-to-site should work with the settings like that one you've posted, except the source network should be 10.5.0.0/24.

    The static routes had to be added on the LAN devices, not on pfSense. The route would tell the device how to reach the remote subnet.

    @johnied:

    What really bothers me is that:
    -I can't ping 192.168.0.245(the VPN client router LAN IP) from the server LAN.
    -From Diagnostics->Ping in the client router, I can ping every device in the server's LAN but only on the VPN site-to-site interface(on the LAN interface I cant ping to the server's network).
    -From Diagnostics->Ping in the server router, I can't ping anything on the client's network(not even in the VPN site-to-site interface).

    Is the server really the default gateway in its LAN?
    Is the access allowed by firewall rules on both sites?



  • Guys thank you for your replies,

    Unfortunately it still doesn't work. Yes the server router is definitely the only gateway to the server's local lan. And the other is going to be in the near future.

    I added the NAT rule to the LAN interface and it still can't ping.

    I added on each router a VPN interface for their local VPN servers and after some troubles (I did't restart the service as the documentation CLEARLY states) everything is up and running with the OpenVPN Rules tab being empty on both sides.

    When I tracert from the Server's LAN the packet goes (obviously) through the gateway PFsense router, but then request times out. Shouldn't it be looking to the client router(10.5.0.2);

    Same goes for the client router.

    How can I forward these packets to the other router?

    And how can I do a packet trace on each router so that I can monitor further the problem?

    Thank you.



  • Just to clarify, on the VPN interfaces, no static ip has been set. Everything is default except from the Description



  • @johnied:

    I added the NAT rule to the LAN interface and it still can't ping.

    Would you show us?

    @johnied:

    When I tracert from the Server's LAN the packet goes (obviously) through the gateway PFsense router, but then request times out. Shouldn't it be looking to the client router(10.5.0.2);

    Whats about the firewall rules?

    @johnied:

    How can I forward these packets to the other router?

    And how can I do a packet trace on each router so that I can monitor further the problem?

    The packets should be routed and the routes are obviously correct.

    You can use Diagnostic > Packet capture for troubleshooting. You can do a capture on clients vpn interface while you ping from servers site to see if packets arrive.



  • I tried to do a reverse vpn topology:
    -The previous client became the server
    -The previous server became the client

    I am not OK with this setup, this is just for debugging purposes. Both VPN instances(client and server) have an allow all rule. I have NATed the server's network so that I can see it from the server because it is not the default gateway as I stated on a previous thread(then it was the client).

    Two Xanaxes(pills  ;D ;D ;D) later, I noticed that:

    Again the server cant ping the client's network(Diagnostics->Tools).

    I can ping the server's network from the client but only from the CLIENT VPN INTERFACE.

    SO does that mean that I cant pass traffic from VPN interface to LAN interface, and maybe that is the problem?



  • Usually that means that the server has no route set for the clients LAN network.



  • Would you show us?

    I am attaching the LAN rules table, the NAT rule you asked (and thank you very much by the way).

    The VPN interface consists only from one rule which is allow any to any IPv4.

    Thank you

    ![LAN rules.png](/public/imported_attachments/1/LAN rules.png)
    ![LAN rules.png_thumb](/public/imported_attachments/1/LAN rules.png_thumb)
    ![NAT rule.png](/public/imported_attachments/1/NAT rule.png)
    ![NAT rule.png_thumb](/public/imported_attachments/1/NAT rule.png_thumb)



  • Usually that means that the server has no route set for the clients LAN network.

    Ok, that is something. But how do I add that route? Static route doesn't seem to work.



  • Okay, that rule tells me that on the clients LAN anything is allowed. But what's on the clients OpenVPN interface or that one you've assigned to the client, where the packets should come in?

    In the NAT rule the source should be any. If you access from the servers LAN the packets will have a source IP of 192.168.1.0/24.

    The routes are set by the openvpn module. If they still looks like in the screenshot they should be okay and no NAT rule should be necessary in this case.



  • In the NAT rule the source should be any.

    Changed! Didn't notice that one.

    I am attaching from the client both the LAN rules and the client VPN interface.

    But how do I permit traffic between the two interfaces(LAN interface and VPN assigned interface)?
    Thinking out loud, this could be the solution so that the CLIENT's LAN communicates with the SERVER's LAN.

    Of course this does not work the other way around, but it would be a start.

    Thank you.

    ![CLIENT LAN INTERFACE.png](/public/imported_attachments/1/CLIENT LAN INTERFACE.png)
    ![CLIENT LAN INTERFACE.png_thumb](/public/imported_attachments/1/CLIENT LAN INTERFACE.png_thumb)
    ![CLIENT VPN INTERFACE.png](/public/imported_attachments/1/CLIENT VPN INTERFACE.png)
    ![CLIENT VPN INTERFACE.png_thumb](/public/imported_attachments/1/CLIENT VPN INTERFACE.png_thumb)



  • Traffic is permitted by filter rules on the firewall > rules > interface tab. The traffic is controlled on the incoming interface.
    So since you have a rule on openvpn interface which allow any from any to any, all devices connected to this interface have access to anywhere. So this rule permits also the access from the vpn servers LAN to the clients LAN.
    However, on servers site this traffic is also controlled by rules on the LAN interface.



  • Yes but since I have a LAN rule on both sides that allows any to any,with protocol any, why can't I ping the other network?

    Should I define any mysterious gateway perhaps?



  • The gateways are already set by OpenVPN and are shown in the routing tables.

    I already suggested to use packet capture for troubleshooting. For instance take a capture on the client on the OpenVPN interface, set the protocol to ICMP, start it and try a ping from the server to a LAN host behind the client. After stopping you should see the packets. Then try a ping from a servers sites LAN device. I you still see the packets, change the interface to LAN and check if you see the ping requests and the responses from the LAN device.



  • OK, while I was pinging from server's LAN (pinging from VPN's interface works ok), I packet captured client's VPN interface (ICMP only) and indeed I captured packets. But when I captured LAN interface no packets were recieved.

    So in order to be clear:
    SERVER PING from VPN INTERFACE–-->CLIENT packet capture on VPN INTERFACE

    16:30:11.577687 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59656, length 8
    16:30:11.581641 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17796, length 8
    16:30:11.581667 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17796, length 8
    16:30:11.633149 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 59656, length 8
    16:30:12.078581 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59657, length 8
    16:30:12.080301 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17797, length 8
    16:30:12.080326 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17797, length 8
    16:30:12.250552 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 59657, length 8
    16:30:12.580604 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59658, length 8
    16:30:12.587870 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17798, length 8
    16:30:12.587892 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17798, length 8

    It seems to reply but my ping fails (100% PACKET LOSS)

    SERVER PING from LAN INTERFACE  ---->CLIENT packet capture on VPN INTERFACE

    18:07:04.700947 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 29354, length 8
    18:07:04.700969 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 29354, length 8
    18:07:04.820259 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 9629, length 8
    18:07:04.875810 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 9629, length 8

    Exactly the same. It seems to reply but ping fails.

    SERVER PING from LAN INTERFACE ---->CLIENT packet capture on LAN INTERFACE
    Nothing gets captured.

    SERVER PING from VPN INTERFACE ---->CLIENT packet capture on LAN INTERFACE
    Nothing gets captured.

    I am posting the LAN Firewall Rules on Client.

    So if rules are allow all from any to any protocol on client's LAN, why can't I ping anything from the server's LAN to client's LAN.
    What am I doing wrong here?

    ![PING problem.png](/public/imported_attachments/1/PING problem.png)
    ![PING problem.png_thumb](/public/imported_attachments/1/PING problem.png_thumb)



  • Of course I am not pinging VPN tunnel IPs but client's LAN IPs. This is not visible on the packet capture logs.



  • I guess you have messed up your NAT.  ???
    To illuminate this, please post all your NAT rules (port forwarding, 1:1, outbound) from server an client.



  • OK here are the attachments.
    Npt and 1:1 are black in both routers.

    NAT is in Hybrid mode.

    I am grateful for your time.
    Thank you,

    ![SERVER Port Fw and 1-1 and Outbound.png](/public/imported_attachments/1/SERVER Port Fw and 1-1 and Outbound.png)
    ![SERVER Port Fw and 1-1 and Outbound.png_thumb](/public/imported_attachments/1/SERVER Port Fw and 1-1 and Outbound.png_thumb)
    ![CLIENT Port Fw and 1-1.png](/public/imported_attachments/1/CLIENT Port Fw and 1-1.png)
    ![CLIENT Port Fw and 1-1.png_thumb](/public/imported_attachments/1/CLIENT Port Fw and 1-1.png_thumb)
    ![CLIENT Outbound.png](/public/imported_attachments/1/CLIENT Outbound.png)
    ![CLIENT Outbound.png_thumb](/public/imported_attachments/1/CLIENT Outbound.png_thumb)



  • @johnied:

    SERVER PING from LAN INTERFACE  –-->CLIENT packet capture on VPN INTERFACE

    18:07:04.700947 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 29354, length 8
    18:07:04.700969 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 29354, length 8
    18:07:04.820259 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 9629, length 8
    18:07:04.875810 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 9629, length 8

    If the source address of ping is LAN there should be shown ICMP requests from coming from 192.168.1.1.
    I can find no reason in your NAT rules why the address should be translated.

    @johnied:

    SERVER PING from VPN INTERFACE–-->CLIENT packet capture on VPN INTERFACE

    16:30:11.577687 IP 10.5.0.2 > 10.5.0.1: ICMP echo request, id 60760, seq 59656, length 8
    16:30:11.581641 IP 10.5.0.1 > 10.5.0.2: ICMP echo request, id 54791, seq 17796, length 8
    16:30:11.581667 IP 10.5.0.2 > 10.5.0.1: ICMP echo reply, id 54791, seq 17796, length 8
    16:30:11.633149 IP 10.5.0.1 > 10.5.0.2: ICMP echo reply, id 60760, seq 59656, length 8
    It seems to reply but my ping fails (100% PACKET LOSS)

    This capture shown ping requests from the client to the server, not backwards.  ???

    I think all the pings shown here come from gateway monitoring (dpinger). To get a feasible outcome you should deactivate gateway monitoring on the vpn GWs in System > Routing > Gateways and rerun the test.



  • OK, after disabling Gateway Monitoring(Checked the box Disable Gateway Monitoring), and disabling the reverse test connection(server as client, client as server, different tunnel network) here are the results:

    SERVER VPN INT to CLIENT VPN INT:
    Nothing gets captured.

    CLIENT VPN INT to SERVER VPN INT:
    20:16:08.987196 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 0, length 64
    20:16:08.987779 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 0, length 64
    20:16:10.045360 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 1, length 64
    20:16:10.045857 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 1, length 64

    CLIENT LAN INT to SERVER VPN INT:
    Nothing gets captured.

    CLIENT VPN INT to SERVER LAN INT:
    20:17:30.889581 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
    20:17:30.889655 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192
    20:17:33.177124 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 0, length 64
    20:17:33.177610 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 0, length 64
    20:17:34.236385 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 1, length 64
    20:17:34.236938 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 1, length 64
    20:17:35.297149 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 2, length 64
    20:17:35.298138 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 2, length 64
    20:17:35.957371 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
    20:17:35.957446 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192

    After that test I tried setting both outbound NATs to manual and deleting all the mappings. Then switched back to Hybrid NAT on both. Exactly the same results.

    Of course I have backed up both, before deleting outbound NAT rules.



  • I am attaching the NAT rules now.

    ![SERVER NAT.png](/public/imported_attachments/1/SERVER NAT.png)
    ![SERVER NAT.png_thumb](/public/imported_attachments/1/SERVER NAT.png_thumb)
    ![CLIENT NAT.png](/public/imported_attachments/1/CLIENT NAT.png)
    ![CLIENT NAT.png_thumb](/public/imported_attachments/1/CLIENT NAT.png_thumb)



  • It also matters where the captures are taken from, client or server, vpn or LAN?

    @johnied:

    CLIENT VPN INT to SERVER VPN INT:
    20:16:08.987196 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 0, length 64
    20:16:08.987779 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 0, length 64
    20:16:10.045360 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 1, length 64
    20:16:10.045857 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 1, length 64

    This show pings from the clients vpn interface to a server sides LAN device.

    @johnied:

    CLIENT VPN INT to SERVER LAN INT:
    20:17:30.889581 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
    20:17:30.889655 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192
    20:17:33.177124 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 0, length 64
    20:17:33.177610 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 0, length 64
    20:17:34.236385 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 1, length 64
    20:17:34.236938 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 1, length 64
    20:17:35.297149 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 2, length 64
    20:17:35.298138 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 2, length 64
    20:17:35.957371 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
    20:17:35.957446 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192

    Same here. Were you pinging 192.168.1.201?



  • Yes, both lans have a test machine always open and their ips end with 201.
    So for client's lan this is 192.168.0.201.
    For server's lan 192.168.1.201.

    But I can't understand.
    If NATs are back to default, gateways are normal, routes are normal, why can't I ping from the one LAN to the other and vice versa.

    This is getting so frustrating.

    I even tried to set a Client Specific Override, but no luck.
    I actually doubt that this was right, because my client's VPN int ended up getting 10.5.0.0 as an IP.  :'(

    I am also attaching the server routes just in case you see something odd.

    My priority right now is to be able to see client's net from server's net.
    And I too far from that.

    Thanks again for your concern, I am really grateful.

    ![Server Routes.png](/public/imported_attachments/1/Server Routes.png)
    ![Server Routes.png_thumb](/public/imported_attachments/1/Server Routes.png_thumb)



  • That is the clients routing table, not the servers.

    Unless you tell me where the packets taken from, there is no way to interpret the captures correctly.



  • Yes I am sorry the client's routes.

    Unless you tell me where the packets taken from, there is no way to interpret the captures correctly.

    What do you mean? I perform ICMP Diagnostics->Packet Capture on the one router,and Diagnostics->Ping on the other router from the interfaces I describe in the header of every capture.

    What am I missing?

    From Server router Ping fails from every interface. VPN and LAN.

    From Client router Ping fails from LAN but succeeds from VPN interface.

    Something that occured to me: Both VPN interfaces (server and client) are using LAN as interface. Does this pose any threat?



  • Also when I run both site-to-site VPN connections, where in the first:
    A router is server, B router is client.
    And in the second(which was created for testing):
    A router is client, B router is server.

    Both routers behave the same. I can ping from vpn interfaces to the others LAN, but not from their LAN interfaces to the other LAN.



  • @johnied:

    What do you mean? I perform ICMP Diagnostics->Packet Capture on the one router,and Diagnostics->Ping on the other router from the interfaces I describe in the header of every capture.

    On which interface have you taken the capture? VPN?

    @johnied:

    Something that occured to me: Both VPN interfaces (server and client) are using LAN as interface. Does this pose any threat?

    ???
    @johnied:

    CLIENT VPN INT to SERVER VPN INT:
    20:16:08.987196 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 0, length 64
    20:16:08.987779 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 0, length 64
    20:16:10.045360 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 38425, seq 1, length 64
    20:16:10.045857 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 38425, seq 1, length 64

    This shows the client vpn ip pinging to a servers LAN device.

    The same as here:
    @johnied:

    CLIENT VPN INT to SERVER LAN INT:
    20:17:30.889581 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
    20:17:30.889655 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192
    20:17:33.177124 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 0, length 64
    20:17:33.177610 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 0, length 64
    20:17:34.236385 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 1, length 64
    20:17:34.236938 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 1, length 64
    20:17:35.297149 IP 10.5.0.2 > 192.168.1.201: ICMP echo request, id 46688, seq 2, length 64
    20:17:35.298138 IP 192.168.1.201 > 10.5.0.2: ICMP echo reply, id 46688, seq 2, length 64
    20:17:35.957371 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 156, seq 0, length 192
    20:17:35.957446 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 156, seq 0, length 192

    Obviously taken on the servers LAN interface. I wonder why 192.168.1.2 is pinging the LAN at the same time.



  • Obviously taken on the servers LAN interface. I wonder why 192.168.1.2 is pinging the LAN at the same time.

    192.168.1.2 is just a wifi Access Point which checks if it has access to the gateway. It's not important. I should not have posted it.

    On which interface have you taken the capture? VPN?

    Both VPN interfaces and LAN interfaces. I clarify it in the line before the capture logs every time.

    This shows the client vpn ip pinging to a servers LAN device.

    Yes, because I don't get any packets captured when I am pinging from the LAN interface.
    I only capture packets, when I am pinging from the VPN interface.
    And only from the client router.

    From the Server I can't ping from LAN or VPN interface. Both fail.



  • Ok, I think I am close to my goal.
    I dismissed the idea of Peer to Peer(SSL/TLS) and went on to create a Peer to Peer(Shared Key) connection.

    Now I can ping from the Client LAN to the Server lan flawlessly.

    What I cant't do is ping from the Server LAN to the client LAN.

    I packet captured the client lan interface when ping from server lan interface and although I see the packet requests, there is no reply.

    The client packet capture logs on the LAN interface read:

    01:07:48.438501 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 0, length 64
    01:07:49.432827 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 1, length 64
    01:07:50.434429 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 2, length 64

    and I am attaching the server ping procedure that had the above as a result.

    This must be a NAT issue isn't that right?

    ![Server Ping.png](/public/imported_attachments/1/Server Ping.png)
    ![Server Ping.png_thumb](/public/imported_attachments/1/Server Ping.png_thumb)



  • I can ping from Server LAN only the Client's LAN IP.
    I cannot ping any other device on the Network.

    Since Client's router is not the gateway of the whole network yes, I tried adding an Outbound NAT rule like the image attached.

    No luck however.

    If the client VPN is running on a Wan interface and not on a LAN, should the NAT rule use the WAN or the LAN interface?

    ![NAT rule client.png](/public/imported_attachments/1/NAT rule client.png)
    ![NAT rule client.png_thumb](/public/imported_attachments/1/NAT rule client.png_thumb)


  • Netgate

    I dismissed the idea of Peer to Peer(SSL/TLS) and went on to create a Peer to Peer(Shared Key) connection.

    Now I can ping from the Client LAN to the Server lan flawlessly.

    This is because you had the tunnel network as a /24.

    When you have an SSL/TLS OpenVPN server with a larger than /30 (or is it /29?) tunnel network it will be treated as a point-to-multipoint server instead of point-to-point. You must add the remote network to the server configuration, which creates the kernel route (OpenVPN route directive) into OpenVPN. You must also create a client-specific override and add the network to the Remote Networks which creates a route internal to OpenVPN (OpenVPN iroute directive) so OpenVPN knows which endpoint to send the traffic to. You must do this even if there is only one available endpoint. If you do not want to have to do this, make the tunnel network a /30.

    The client packet capture logs on the LAN interface read:

    01:07:48.438501 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 0, length 64
    01:07:49.432827 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 1, length 64
    01:07:50.434429 IP 192.168.1.1 > 192.168.0.201: ICMP echo request, id 9946, seq 2, length 64

    If that can ping the other way that is almost always the local firewall/antivirus/etc on the target that is 192.168.0.201. pfSense can't do much but send the request (which it is doing) and wait for the reply (which never comes).



  • If that can ping the other way that is almost always the local firewall/antivirus/etc on the target that is 192.168.0.201. pfSense can't do much but send the request (which it is doing) and wait for the reply (which never comes).

    Reply never comes when I ping from server's LAN interface.
    It replies normally when I ping from server's VPN interface.


  • Netgate

    Great. So check the firewall/antivirus/etc on 192.168.0.201. It looks like it is blocking pings.



  • I don't understand.

    192.168.0.201 is on the client's network.
    I checked and the firewall is off.
    So when I ping from the server's LAN interface it is not responding.
    When I ping from the server's VPN interface it responds normally.

    The client's router is not the main gateway of the client's network yet. I tried NATing the whole network but it does not work.

    NATing the network works only for the VPN server on the client's computer which is for remote administration only(not site-to-site).

    Should I add a static route to the specific PC(192.168.0.201) till I make the pfsense router the default gateway?


  • Netgate

    In the packet capture you can see the echo request leaving the Client LAN interface addressed to 192.168.0.201 and nothing coming back. The problem is somewhere outside of pfSense.

    Yes, pfSense has to be the gateway for the target device or you need to add a route on that host for the far side of the VPN tunnel with a gateway that is pfSense or the replies will be sent to the wrong place.

    Alternately you can place an outbound NAT rule on the client LAN interface so traffic sourced from the remote VPN network is NATted to the interface address there. Then replies will be same-subnet so the route will not be necessary.