Communication between two devices not working over Site to Site OpenVPN



  • Hi all,

    I have a site to site VPN connection set up between two pfSense boxes with the intention of letting a surveillance camera system at one site talk to a NAS at another site.

    While I can ping devices from the firewall on either side and get great response, I cannot get the devices to talk…

    I have a rule (firewall/rules/openvpn) set up on both pfsense to allow ALL traffic.

    When I capture packets, the only thing I keep seeing is this:
    18:48:47.800469 AF IPv4 (2), length 88: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.101.20 > 10.10.100.25: ICMP echo request, id 17168, seq 1, length 64

    I never see an echo reply on the capture on either side!

    It's basically saying the same thing on the other pfsense when capturing packets. ICMP requests and that's all.

    Any ideas on why the security camera NVR cannot initialize the NFS connection with the Synology NAS?

    Thanks in advance,

    Mitch



  • Are the VPN endpoints the default gateway in their respective networks?
    Responses will be sent to the default gateway.



  • Uhhhh. um. I know enough to screw things up, but I'm not totally sure how to go about verifying that! Can you help? (and can you fly out here and log on and configure it for me too!!) just kidding!



  • Each device (NAS, NVR) on either end has the default gateway set as the pfSense.



  • @kranitz:

    While I can ping devices from the firewall on either side and get great response, I cannot get the devices to talk…

    Do you also get responses if you select another source address like WAN or OpenVPN server?

    If you don't get response with other sources than the default you should consider that the NAS may block access from IP addresses which do not belong to its own subnet.



  • I've never had very good luck for whatever reason using "Any Any" in firewall rules. Pick "LAN network" for destination and "Network" for source with the remote network parameters filled in.

    If you don't get response with other sources than the default you should consider that the NAS may block access from IP addresses which do not belong to its own subnet.

    Some cameras as well do this.



  • Well, I ended up blowing away all the OpenVPN settings and rules I had created, then created a new site-to-site PKI OpenVPN connection, and then I created Client Specific Overrides (iroute x.x.x.x y.y.y.y) and voila! IT WORKED!

    THANKS so much for all your suggestions - much appreciated…
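  The route/iroute pairing that the Client Specific Override produces, shown here as an added example (not the poster's configuration): the /24 masks, tunnel network, ccd path and client common name are assumed; only the two LAN prefixes come from the capture above. In a PKI site-to-site server, `route` installs a kernel route into the tun interface, while `iroute` tells the OpenVPN process which connected client owns that subnet. Without the iroute the reply from 10.10.100.25 reaches the server's tun interface but OpenVPN has no client to deliver it to and drops it, which is why a capture shows echo requests and never replies.

```conf
# --- Server side (site A, LAN 10.10.100.0/24) -- assumed /24 masks ---
# Tunnel network (assumed value).
server 10.0.8.0 255.255.255.0
# Kernel route: send traffic for the remote LAN into the tun interface.
route 10.10.101.0 255.255.255.0
# Directory of per-client files; pfSense writes these from
# "Client Specific Overrides" (path is an assumption).
client-config-dir /var/etc/openvpn/server1/ccd

# --- ccd/<client-common-name> on the server (name assumed) ---
# Map the remote LAN to this client inside OpenVPN's own routing table.
# Missing this line is the symptom in the thread: requests cross the
# tunnel, replies are dropped at the server before they are encrypted.
iroute 10.10.101.0 255.255.255.0

# --- Client side (site B, LAN 10.10.101.0/24) ---
# Kernel route to the server's LAN; pfSense fills this from
# "IPv4 Remote Networks" on the client instance.
route 10.10.100.0 255.255.255.0
```

  On either pfSense, a capture on the OpenVPN interface should show the echo reply once the iroute is in place; if requests still arrive with no reply, the answering device's own gateway or host firewall is the next thing to check, as the earlier replies suggest.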

