[SOLVED] OpenVPN Site to Site still Ping / RDP not working
-
Hi,
i have setup a OpenVPN Site to Site between 2 pfsense (v. 2.4.1).
I can access many devices from the other site for example:
https to pfsense works
https to wlan ap worksbut
ping to other site still not working
and rdp connection also.My setup:
Pfsense Server:
LAN: 192.168.10.0/24
Tunnel Network: 10.10.15.0/30
WAN: Dynamic PPPOE VDSLPfsense Client:
LAN: 192.168.15.0/24
Tunnel: 10.10.15.0/30
WAN: Static IP VDSL PPPOEFirewall on OpenVPN Tab and S2S Tab is on both site applied (any to any).
I´m slowly really desperate. I read the official docs and ready several howtos.
Ping from pfsense is working when i select as source "any" when i change to "lan" then i get no response.
I have add pictures under attachments.
Please Help!
 -
The outbound NAT rules for the S2S on both sites are useless. You don't need theme, since the traffic is routed to the other site.
Consider that computer systems block access from other subnets by default. HTTP servers are meant to be accessed from the internet, so they allow access from remote networks.
So you will have to open up the computers firewalls for access from the remote subnet, or you set outbound NAT rules to translate the source IPs to the interface IPs. -
Hi,
@Viragomann
thx for your reply. I have cleanup my outbound rules but nothing will change. How can i determine how the package goes though the tunnel (used adresses nat or not nat)?I have add some new pictures.
Please help to solve this problem.
thanks
 -
You can use Packet Capture on pfSense, you find it in the Diagnostics menu.
Do a capture on the remote LAN interface (where the destination device is connected to) while you try a ping. Filter for ICMP packets. So you can see if the packets are going out the LAN and which source and destination IP they have.
-
Hi,
@viragomann
i will start a capture and post the result shortly.Update:
I have check the firewall logs and found something. The pfsense server send a ping i can see in the firewall logs (source -> destination) and on the pfsense client i can see that a ping is incoming from pfsense server but the same test show no entrys when i test it back from pfsense client. A ping send a request but the request get no response from pfsense client (Pfsense client (source) -> Pfsense server (destination)) is empty! How can i determine where is the response?
thanks
-
The firewall log only shows requests on the interface where the packets come in, no responses.
These can only be seen in a packet capture or any other network sniffer. -
Now it works i can´t understand why i have test something and now it will works. More details and the final solution shortly! Thanks!
-
What i do:
1. I have add two firewall rules from lan to s2s and to 192.168.15.0/24
2. I add on both site routes for the opposite networks
3. I add outbound rules from interface lan with source 10.10.15.0/30 to destination networksWhat the decisive step was i can´t say actually. I will still testing some settings and give feedback later.
Thanks and bye
-
3. I add outbound rules from interface lan with source 10.10.15.0/30 to destination networks
That NAT rule translates source addresses of packets coming over vpn and destined to a LAN device to the pfSense LAN address. So for the LAN device it seems the packets come from inside the subnet. I already mentioned above.
If that solve the issue, either the device firewall blocks access from addresses outside its own subnet or the vpn client / server is not the default gateway. -
Hi,
is it possible that i use two solutions for one problem?
outbound nat and static routes?
Is it possible that i get problems later?
I add some pictures under the attachments.
Thanks
Ps:Do you know as it possible to join the official pfsense docs team to add this informations under openvpn site to site?
 -
outbound nat and static routes?
You have set a static route?? You should never set static routes on vpn gateways!
https://doc.pfsense.org/index.php/Static_Routesis it possible that i use two solutions for one problem?
Not with that outbound NAT rule. Since the source network is only the vpn tunnel subnet, it only affects packets coming from the client address respectively the server, not from the network behind.
That's the same useless outbound NAT rule you had set before. The client or server won't access devices in the remote LAN aside from your testing.Is it possible that i get problems later?
Possibly with the static route.
-
-
Hi,
when i disable the static route then the connection will break.
What is wrong?
thanks
-
The route have to be set by OpenVPN, depending on the entries in "Local Network(s)" and "Remote Network(s)" on both sites. If these entries are set, the routes should work.
You can check the routing table in Diagnostic > Routes.
Is that a SSL/TLS OpenVPN or a Preshared key?
-
Hi,
i found this howto and following up.
Now i have Peer to Peer SSL/TLS before it was a pre shared key setup.
The connection is established but now i can´t access any ressources from the other site.What is wrong?
Thanks
 -
Why you set up a client specific override for a site-to-site? Do you plan to connect with multiple clients?
Besides there is nothing to override, since the settings are the same as on server tab.Aside this it looks well. But what's about the client settings? And the routing table from both sites?
-
Hi,
Why you set up a client specific override for a site-to-site? Do you plan to connect with multiple clients?
No actually i plan no multiple clients -> I have remove client specific override.
PFsense Server:
In the routing table is not an entry for 192.168.15.0/24 (PFsense Client) only a tunnel network entry:Destination Gateway Flags Use Mtu Netif Expire
10.10.15.0/24 10.10.15.2 UGS 0 1500 ovpns4it does not look right ?!!? or??!!
Complete table you can see in the attachments.
PFSense Client:
Complete in the attachments (Entry for 192.168.10.0/24 exists)The client configuration is also under the attachments.
Thanks
 -
Hi,
@Viragomann
I have disable and enable vpn server and now i found an entry in the pfsense server routing table.See attachments
Ping and Access is not possible!
Thanks
 -
Hi,
my Site to Site is now running and i have setup according recommendation, it means that i have no static routes.
The final solution was to reset the states and take a /30 tunnel network.
Thx and Bye