[SOLVED] OpenVPN Site to Site still Ping / RDP not working



  • Hi,

    i have setup a OpenVPN Site to Site between 2 pfsense (v. 2.4.1).

    I can access many devices from the other site for example:

    https to pfsense works
    https to wlan ap works

    but

    ping to other site still not working
    and rdp connection also.

    My setup:

    Pfsense Server:
    LAN: 192.168.10.0/24
    Tunnel Network: 10.10.15.0/30
    WAN: Dynamic PPPOE VDSL

    Pfsense Client:
    LAN: 192.168.15.0/24
    Tunnel: 10.10.15.0/30
    WAN: Static IP VDSL PPPOE

    Firewall on OpenVPN Tab and S2S Tab is on both site applied (any to any).

    I´m slowly really desperate. I read the official docs and ready several howtos.

    Ping from pfsense is working when i select as source "any" when i change to "lan" then i get no response.

    I have add pictures under attachments.

    Please Help!

    ![2017-11-09 21_58_30-m-pfSense.home.local - Status_ Dashboard.png](/public/imported_attachments/1/2017-11-09 21_58_30-m-pfSense.home.local - Status_ Dashboard.png)
    ![2017-11-09 21_58_30-m-pfSense.home.local - Status_ Dashboard.png_thumb](/public/imported_attachments/1/2017-11-09 21_58_30-m-pfSense.home.local - Status_ Dashboard.png_thumb)
    ![2017-11-09 22_01_47-m-pfSense.home.local - Diagnostics_ Routes.png](/public/imported_attachments/1/2017-11-09 22_01_47-m-pfSense.home.local - Diagnostics_ Routes.png)
    ![2017-11-09 22_01_47-m-pfSense.home.local - Diagnostics_ Routes.png_thumb](/public/imported_attachments/1/2017-11-09 22_01_47-m-pfSense.home.local - Diagnostics_ Routes.png_thumb)
    ![2017-11-09 22_02_53-m-pfSense.home.local - Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/2017-11-09 22_02_53-m-pfSense.home.local - Firewall_ NAT_ Outbound.png)
    ![2017-11-09 22_02_53-m-pfSense.home.local - Firewall_ NAT_ Outbound.png_thumb](/public/imported_attachments/1/2017-11-09 22_02_53-m-pfSense.home.local - Firewall_ NAT_ Outbound.png_thumb)
    ![2017-11-09 22_04_24-m-pfSense.home.local - Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/2017-11-09 22_04_24-m-pfSense.home.local - Firewall_ NAT_ Outbound.png)
    ![2017-11-09 22_04_24-m-pfSense.home.local - Firewall_ NAT_ Outbound.png_thumb](/public/imported_attachments/1/2017-11-09 22_04_24-m-pfSense.home.local - Firewall_ NAT_ Outbound.png_thumb)
    ![2017-11-09 22_05_01-m-pfSense.home.local - System_ Routing_ Gateways.png](/public/imported_attachments/1/2017-11-09 22_05_01-m-pfSense.home.local - System_ Routing_ Gateways.png)
    ![2017-11-09 22_05_01-m-pfSense.home.local - System_ Routing_ Gateways.png_thumb](/public/imported_attachments/1/2017-11-09 22_05_01-m-pfSense.home.local - System_ Routing_ Gateways.png_thumb)
    ![2017-11-09 22_06_18-m-pfSense.home.local - Status_ OpenVPN.png](/public/imported_attachments/1/2017-11-09 22_06_18-m-pfSense.home.local - Status_ OpenVPN.png)
    ![2017-11-09 22_06_18-m-pfSense.home.local - Status_ OpenVPN.png_thumb](/public/imported_attachments/1/2017-11-09 22_06_18-m-pfSense.home.local - Status_ OpenVPN.png_thumb)
    ![2017-11-09 22_07_47-pfSense_client - Status_ OpenVPN.png_thumb](/public/imported_attachments/1/2017-11-09 22_07_47-pfSense_client - Status_ OpenVPN.png_thumb)
    ![2017-11-09 22_09_27-m-pfSense.home.local - VPN_ OpenVPN_ Servers_ Edit.png](/public/imported_attachments/1/2017-11-09 22_09_27-m-pfSense.home.local - VPN_ OpenVPN_ Servers_ Edit.png)
    ![2017-11-09 22_09_27-m-pfSense.home.local - VPN_ OpenVPN_ Servers_ Edit.png_thumb](/public/imported_attachments/1/2017-11-09 22_09_27-m-pfSense.home.local - VPN_ OpenVPN_ Servers_ Edit.png_thumb)
    ![2017-11-09 22_29_32-pfSense.praxis.local - Gateway_client_pfsense.png_thumb](/public/imported_attachments/1/2017-11-09 22_29_32-pfSense.praxis.local - Gateway_client_pfsense.png_thumb)
    ![2017-11-09 22_29_32-pfSense.praxis.local - Gateway_client_pfsense.png](/public/imported_attachments/1/2017-11-09 22_29_32-pfSense.praxis.local - Gateway_client_pfsense.png)
    ![2017-11-09 22_07_47-pfSense_client - Status_ OpenVPN.png](/public/imported_attachments/1/2017-11-09 22_07_47-pfSense_client - Status_ OpenVPN.png)
    ![2017-11-09 22_13_21-interface_s2s_server_pfsense_config.png_thumb](/public/imported_attachments/1/2017-11-09 22_13_21-interface_s2s_server_pfsense_config.png_thumb)
    ![2017-11-09 22_13_21-interface_s2s_server_pfsense_config.png](/public/imported_attachments/1/2017-11-09 22_13_21-interface_s2s_server_pfsense_config.png)
    ![2017-11-09 22_13_21-interface_s2s_client_pfsense_config.png](/public/imported_attachments/1/2017-11-09 22_13_21-interface_s2s_client_pfsense_config.png)
    ![2017-11-09 22_13_21-interface_s2s_client_pfsense_config.png_thumb](/public/imported_attachments/1/2017-11-09 22_13_21-interface_s2s_client_pfsense_config.png_thumb)
    ![2017-11-09 22_19_38-pfSense.praxis.local - Firewall_ NAT_ Outbound.png_thumb](/public/imported_attachments/1/2017-11-09 22_19_38-pfSense.praxis.local - Firewall_ NAT_ Outbound.png_thumb)
    ![2017-11-09 22_19_38-pfSense.praxis.local - Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/2017-11-09 22_19_38-pfSense.praxis.local - Firewall_ NAT_ Outbound.png)
    ![2017-11-09 22_23_07-server_pfsense_lan_ping_to_pfsense_client_packet_capture.png](/public/imported_attachments/1/2017-11-09 22_23_07-server_pfsense_lan_ping_to_pfsense_client_packet_capture.png)
    ![2017-11-09 22_23_07-server_pfsense_lan_ping_to_pfsense_client_packet_capture.png_thumb](/public/imported_attachments/1/2017-11-09 22_23_07-server_pfsense_lan_ping_to_pfsense_client_packet_capture.png_thumb)
    ![2017-11-09 22_27_21-m-pfSense.home.local - Gateway_server_pfsense.png](/public/imported_attachments/1/2017-11-09 22_27_21-m-pfSense.home.local - Gateway_server_pfsense.png)
    ![2017-11-09 22_27_21-m-pfSense.home.local - Gateway_server_pfsense.png_thumb](/public/imported_attachments/1/2017-11-09 22_27_21-m-pfSense.home.local - Gateway_server_pfsense.png_thumb)
    ![2017-11-09 22_10_28-pfSense.praxis.local - VPN_ OpenVPN_ Clients_ Edit.png_thumb](/public/imported_attachments/1/2017-11-09 22_10_28-pfSense.praxis.local - VPN_ OpenVPN_ Clients_ Edit.png_thumb)
    ![2017-11-09 22_10_28-pfSense.praxis.local - VPN_ OpenVPN_ Clients_ Edit.png](/public/imported_attachments/1/2017-11-09 22_10_28-pfSense.praxis.local - VPN_ OpenVPN_ Clients_ Edit.png)



  • The outbound NAT rules for the S2S on both sites are useless. You don't need theme, since the traffic is routed to the other site.

    Consider that computer systems block access from other subnets by default. HTTP servers are meant to be accessed from the internet, so they allow access from remote networks.
    So you will have to open up the computers firewalls for access from the remote subnet, or you set outbound NAT rules to translate the source IPs to the interface IPs.



  • Hi,

    @Viragomann
    thx for your reply. I have cleanup my outbound rules but nothing will change. How can i determine how the package goes though the tunnel (used adresses nat or not nat)?

    I have add some new pictures.

    Please help to solve this problem.

    thanks

    ![2017-11-10 11_03_58-pfsense_server - Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/2017-11-10 11_03_58-pfsense_server - Firewall_ NAT_ Outbound.png)
    ![2017-11-10 11_03_58-pfsense_server - Firewall_ NAT_ Outbound.png_thumb](/public/imported_attachments/1/2017-11-10 11_03_58-pfsense_server - Firewall_ NAT_ Outbound.png_thumb)
    ![2017-11-10 11_08_10-pfsense_server - Diagnostics_ Ping.png](/public/imported_attachments/1/2017-11-10 11_08_10-pfsense_server - Diagnostics_ Ping.png)
    ![2017-11-10 11_08_10-pfsense_server - Diagnostics_ Ping.png_thumb](/public/imported_attachments/1/2017-11-10 11_08_10-pfsense_server - Diagnostics_ Ping.png_thumb)
    ![2017-11-10 11_10_59-pfsense_server - Diagnostics_ Traceroute.png](/public/imported_attachments/1/2017-11-10 11_10_59-pfsense_server - Diagnostics_ Traceroute.png)
    ![2017-11-10 11_10_59-pfsense_server - Diagnostics_ Traceroute.png_thumb](/public/imported_attachments/1/2017-11-10 11_10_59-pfsense_server - Diagnostics_ Traceroute.png_thumb)
    ![2017-11-10 11_13_43-pfsense_server - Diagnostics_ Traceroute incl. icmp.png](/public/imported_attachments/1/2017-11-10 11_13_43-pfsense_server - Diagnostics_ Traceroute incl. icmp.png)
    ![2017-11-10 11_13_43-pfsense_server - Diagnostics_ Traceroute incl. icmp.png_thumb](/public/imported_attachments/1/2017-11-10 11_13_43-pfsense_server - Diagnostics_ Traceroute incl. icmp.png_thumb)



  • You can use Packet Capture on pfSense, you find it in the Diagnostics menu.

    Do a capture on the remote LAN interface (where the destination device is connected to) while you try a ping. Filter for ICMP packets. So you can see if the packets are going out the LAN and which source and destination IP they have.



  • Hi,

    @viragomann
    i will start a capture and post the result shortly.

    Update:

    I have check the firewall logs and found something. The pfsense server send a ping i can see in the firewall logs (source -> destination) and on the pfsense client i can see that a ping is incoming from pfsense server but the same test show no entrys when i test it back from pfsense client. A ping send a request but the request get no response from pfsense client (Pfsense client (source) -> Pfsense server (destination)) is empty! How can i determine where is the response?

    thanks



  • The firewall log only shows requests on the interface where the packets come in, no responses.
    These can only be seen in a packet capture or any other network sniffer.



  • Now it works i can´t understand why i have test something and now it will works. More details and the final solution shortly! Thanks!



  • What i do:

    1. I have add two firewall rules from lan to s2s and to 192.168.15.0/24
    2. I add on both site routes for the opposite networks
    3. I add outbound rules from interface lan with source 10.10.15.0/30 to destination networks

    What the decisive step was i can´t say actually. I will still testing some settings and give feedback later.

    Thanks and bye



  • @rafael.seeck:

    3. I add outbound rules from interface lan with source 10.10.15.0/30 to destination networks

    That NAT rule translates source addresses of packets coming over vpn and destined to a LAN device to the pfSense LAN address. So for the LAN device it seems the packets come from inside the subnet. I already mentioned above.
    If that solve the issue, either the device firewall blocks access from addresses outside its own subnet or the vpn client / server is not the default gateway.



  • Hi,

    is it possible that i use two solutions for one problem?

    outbound nat and static routes?

    Is it possible that i get problems later?

    I add some pictures under the attachments.

    Thanks

    Ps:Do you know as it possible to join the official pfsense docs team to add this informations under openvpn site to site?

    ![2017-11-10 15_14_06-pfsense_server - Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/2017-11-10 15_14_06-pfsense_server - Firewall_ NAT_ Outbound.png)
    ![2017-11-10 15_14_06-pfsense_server - Firewall_ NAT_ Outbound.png_thumb](/public/imported_attachments/1/2017-11-10 15_14_06-pfsense_server - Firewall_ NAT_ Outbound.png_thumb)
    ![2017-11-10 15_11_48-pfsense_server - Firewall_ Rules.png](/public/imported_attachments/1/2017-11-10 15_11_48-pfsense_server - Firewall_ Rules.png)
    ![2017-11-10 15_11_48-pfsense_server - Firewall_ Rules.png_thumb](/public/imported_attachments/1/2017-11-10 15_11_48-pfsense_server - Firewall_ Rules.png_thumb)
    ![2017-11-10 15_16_47-pfsense_server - System_ Routing_ Gateways.png](/public/imported_attachments/1/2017-11-10 15_16_47-pfsense_server - System_ Routing_ Gateways.png)
    ![2017-11-10 15_16_47-pfsense_server - System_ Routing_ Gateways.png_thumb](/public/imported_attachments/1/2017-11-10 15_16_47-pfsense_server - System_ Routing_ Gateways.png_thumb)
    ![2017-11-10 15_17_56-pfsense_server - System_ Routing_ Static Routes.png](/public/imported_attachments/1/2017-11-10 15_17_56-pfsense_server - System_ Routing_ Static Routes.png)
    ![2017-11-10 15_17_56-pfsense_server - System_ Routing_ Static Routes.png_thumb](/public/imported_attachments/1/2017-11-10 15_17_56-pfsense_server - System_ Routing_ Static Routes.png_thumb)



  • @rafael.seeck:

    outbound nat and static routes?

    You have set a static route?? You should never set static routes on vpn gateways!
    https://doc.pfsense.org/index.php/Static_Routes

    @rafael.seeck:

    is it possible that i use two solutions for one problem?

    Not with that outbound NAT rule. Since the source network is only the vpn tunnel subnet, it only affects packets coming from the client address respectively the server, not from the network behind.
    That's the same useless outbound NAT rule you had set before. The client or server won't access devices in the remote LAN aside from your testing.

    @rafael.seeck:

    Is it possible that i get problems later?

    Possibly with the static route.



  • Hi

    @Viragomann

    Thank you very much.

    Bye



  • Hi,

    @Viragomann

    when i disable the static route then the connection will break.

    What is wrong?

    thanks



  • The route have to be set by OpenVPN, depending on the entries in "Local Network(s)" and "Remote Network(s)" on both sites. If these entries are set, the routes should work.

    You can check the routing table in Diagnostic > Routes.

    Is that a SSL/TLS OpenVPN or a Preshared key?



  • Hi,

    i found this howto and following up.

    Now i have Peer to Peer SSL/TLS before it was a pre shared key setup.
    The connection is established but now i can´t access any ressources from the other site.

    What is wrong?

    Thanks

    ![2017-11-10 16_57_31pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png](/public/imported_attachments/1/2017-11-10 16_57_31pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png)
    ![2017-11-10 16_57_31pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb](/public/imported_attachments/1/2017-11-10 16_57_31pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb)
    ![2017-11-10 16_58_10-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png](/public/imported_attachments/1/2017-11-10 16_58_10-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png)
    ![2017-11-10 16_58_10-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb](/public/imported_attachments/1/2017-11-10 16_58_10-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb)
    ![2017-11-10 16_58_42-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png](/public/imported_attachments/1/2017-11-10 16_58_42-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png)
    ![2017-11-10 16_58_42-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb](/public/imported_attachments/1/2017-11-10 16_58_42-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb)
    ![2017-11-10 16_59_17-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png](/public/imported_attachments/1/2017-11-10 16_59_17-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png)
    ![2017-11-10 16_59_17-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb](/public/imported_attachments/1/2017-11-10 16_59_17-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb)
    ![2017-11-10 16_59_43-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png](/public/imported_attachments/1/2017-11-10 16_59_43-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png)
    ![2017-11-10 16_59_43-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb](/public/imported_attachments/1/2017-11-10 16_59_43-pfsense_server - VPN_ OpenVPN_ Servers_ Edit.png_thumb)
    ![2017-11-10 17_03_57-pfsense_server - VPN_ OpenVPN_ Client Specific Overrides_ Edit.png](/public/imported_attachments/1/2017-11-10 17_03_57-pfsense_server - VPN_ OpenVPN_ Client Specific Overrides_ Edit.png)
    ![2017-11-10 17_03_57-pfsense_server - VPN_ OpenVPN_ Client Specific Overrides_ Edit.png_thumb](/public/imported_attachments/1/2017-11-10 17_03_57-pfsense_server - VPN_ OpenVPN_ Client Specific Overrides_ Edit.png_thumb)
    ![2017-11-10 17_04_22pfsense_server - VPN_ OpenVPN_ Client Specific Overrides_ Edit.png](/public/imported_attachments/1/2017-11-10 17_04_22pfsense_server - VPN_ OpenVPN_ Client Specific Overrides_ Edit.png)
    ![2017-11-10 17_04_22pfsense_server - VPN_ OpenVPN_ Client Specific Overrides_ Edit.png_thumb](/public/imported_attachments/1/2017-11-10 17_04_22pfsense_server - VPN_ OpenVPN_ Client Specific Overrides_ Edit.png_thumb)



  • Why you set up a client specific override for a site-to-site? Do you plan to connect with multiple clients?
    Besides there is nothing to override, since the settings are the same as on server tab.

    Aside this it looks well. But what's about the client settings? And the routing table from both sites?



  • Hi,

    @Viragomann

    Why you set up a client specific override for a site-to-site? Do you plan to connect with multiple clients?

    No actually i plan no multiple clients -> I have remove client specific override.

    PFsense Server:
    In the routing table is not an entry for 192.168.15.0/24 (PFsense Client) only a tunnel network entry:

    Destination Gateway         Flags Use Mtu         Netif     Expire
    10.10.15.0/24 10.10.15.2 UGS 0 1500 ovpns4

    it does not look right ?!!? or??!!

    Complete table you can see in the attachments.

    PFSense Client:
    Complete in the attachments (Entry for 192.168.10.0/24 exists)

    The client configuration is also under the attachments.

    Thanks

    ![2017-11-10 20_58_01-pfsense_server - Diagnostics_ Routes.png](/public/imported_attachments/1/2017-11-10 20_58_01-pfsense_server - Diagnostics_ Routes.png)
    ![2017-11-10 20_58_01-pfsense_server - Diagnostics_ Routes.png_thumb](/public/imported_attachments/1/2017-11-10 20_58_01-pfsense_server - Diagnostics_ Routes.png_thumb)
    ![2017-11-10 21_11_00-pfSense_client - Diagnostics_ Routes.png](/public/imported_attachments/1/2017-11-10 21_11_00-pfSense_client - Diagnostics_ Routes.png)
    ![2017-11-10 21_11_00-pfSense_client - Diagnostics_ Routes.png_thumb](/public/imported_attachments/1/2017-11-10 21_11_00-pfSense_client - Diagnostics_ Routes.png_thumb)
    ![2017-11-10 21_12_28-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_1.png](/public/imported_attachments/1/2017-11-10 21_12_28-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_1.png)
    ![2017-11-10 21_12_28-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_1.png_thumb](/public/imported_attachments/1/2017-11-10 21_12_28-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_1.png_thumb)
    ![2017-11-10 21_13_14-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_2.png](/public/imported_attachments/1/2017-11-10 21_13_14-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_2.png)
    ![2017-11-10 21_13_14-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_2.png_thumb](/public/imported_attachments/1/2017-11-10 21_13_14-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_2.png_thumb)
    ![2017-11-10 21_14_44-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_3.png](/public/imported_attachments/1/2017-11-10 21_14_44-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_3.png)
    ![2017-11-10 21_14_44-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_3.png_thumb](/public/imported_attachments/1/2017-11-10 21_14_44-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_3.png_thumb)
    ![2017-11-10 21_15_15-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_4.png](/public/imported_attachments/1/2017-11-10 21_15_15-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_4.png)
    ![2017-11-10 21_15_15-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_4.png_thumb](/public/imported_attachments/1/2017-11-10 21_15_15-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_4.png_thumb)
    ![2017-11-10 21_16_50-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_5.png](/public/imported_attachments/1/2017-11-10 21_16_50-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_5.png)
    ![2017-11-10 21_16_50-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_5.png_thumb](/public/imported_attachments/1/2017-11-10 21_16_50-pfSense_client - VPN_ OpenVPN_ Clients_ Edit_5.png_thumb)



  • Hi,

    @Viragomann
    I have disable and enable vpn server and now i found an entry in the pfsense server routing table.

    See attachments

    Ping and Access is not possible!

    Thanks

    ![2017-11-10 21_35_01-pfsense_server - Diagnostics_ Routes_incl_192_168_15_0_24.png](/public/imported_attachments/1/2017-11-10 21_35_01-pfsense_server - Diagnostics_ Routes_incl_192_168_15_0_24.png)
    ![2017-11-10 21_35_01-pfsense_server - Diagnostics_ Routes_incl_192_168_15_0_24.png_thumb](/public/imported_attachments/1/2017-11-10 21_35_01-pfsense_server - Diagnostics_ Routes_incl_192_168_15_0_24.png_thumb)



  • Hi,

    my Site to Site is now running and i have setup according recommendation, it means that i have no static routes.

    The final solution was to reset the states and take a /30 tunnel network.

    Thx and Bye


Log in to reply