Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can not access Local network

    Scheduled Pinned Locked Moved
    OpenVPN
    3
    11
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      haaser
      last edited by

      Ok, so I am very new at this and have tried to follow the steps in getting this setup but I am failing somewhere. I have created the openvpn connection and have been able to get connected to the network. I have also been able to access the PF sense firewall page via the VPN connection but I can not connect to the camera system that resides on the same network.  I did a trace of traffic and I can see traffic flowing one way but not the other. I have also checked the Bypass firewall rules for traffic on the same interface. I have tried various firewall rules but can not seem to figure this out. Any suggestions or if you need more information please ask.

      16:20:41.495037 IP 10.10.8.2.35732 > 192.168.1.52.80: Flags , seq 3208726570, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
      16:20:41.496151 IP 10.10.8.2.35733 > 192.168.1.52.80: Flags , seq 1541128180, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
      16:20:41.745882 IP 10.10.8.2.35734 > 192.168.1.52.80: Flags , seq 2915606878, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
      16:20:44.495061 IP 10.10.8.2.35733 > 192.168.1.52.80: Flags , seq 1541128180, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
      16:20:44.496042 IP 10.10.8.2.35732 > 192.168.1.52.80: Flags , seq 3208726570, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
      16:20:44.746778 IP 10.10.8.2.35734 > 192.168.1.52.80: Flags , seq 2915606878, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        Is the pfSense internal interface IP set as default gateway on the camera?

        On which interface have you taken that capture?

        1 Reply Last reply Reply Quote 0
        • H
          haaser
          last edited by

          I am not sure what you mean about the camera but locally we can access the camera's but can not access them via the VPN. The camera system does have the same gateway address as the pfsense firewall and not the 10.10.8.0/24 address range.

          That capture was taken on the Local interface or em1. The following capture is taken from ovpns1.

          [2.4.2-RELEASE][root@]/root: tcpdump -n -nn -i ovpns1 host 192.168.1.52
          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
          listening on ovpns1, link-type NULL (BSD loopback), capture size 262144 bytes
          19:07:13.536621 IP 10.10.8.2.50353 > 192.168.1.52.80: Flags , seq 696807843, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
          19:07:13.780103 IP 10.10.8.2.50354 > 192.168.1.52.80: Flags , seq 1411888200, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
          19:07:16.538646 IP 10.10.8.2.50353 > 192.168.1.52.80: Flags , seq 696807843, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
          19:07:16.788616 IP 10.10.8.2.50354 > 192.168.1.52.80: Flags , seq 1411888200, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
          19:07:22.536466 IP 10.10.8.2.50353 > 192.168.1.52.80: Flags , seq 696807843, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0
          19:07:22.783167 IP 10.10.8.2.50354 > 192.168.1.52.80: Flags , seq 1411888200, win 64240, options [mss 1289,nop,wscale 8,nop,nop,sackOK], length 0

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by

            The VPN is another netword segment than the LAN. To send packets to devices in another network segment you need a gateway. In your case this must be the internal IP of pfSense.
            If the camera doesn't provide a gateway option or the gateway should not be the pfSense IP, you have to do NAT.

            1 Reply Last reply Reply Quote 0
            • H
              haaser
              last edited by

              The IP range of pfsense and the camera's are all on the same 192.168.1.0/24 subnet. I am assuming that I will need to NAT traffic from 192.168.1.0/24 to 10.10.8.0/24 ? Sorry but I am new to this and I somewhat understand what I need to do but I am not familar what needs to be done in PFSense. Is there a guide or can you walk me through what I need to do?

              1 Reply Last reply Reply Quote 0
              • H
                haaser
                last edited by

                Maybe I have something else wrong. It just feels like what I have been reading that I should be able to access local resources when connecting to the VPN without doing any NAT. I added 192.168.1.0/24 under the IPv4 Local network(s) but I just can not get it working.

                1 Reply Last reply Reply Quote 0
                • V
                  viragomann
                  last edited by

                  Is the pfSense internal network interface IP set as gateway on the camera??
                  I'd to ask you this question three times now - still not knowing what's the thing.

                  1 Reply Last reply Reply Quote 0
                  • H
                    haaser
                    last edited by

                    The camera ip address is 192.168.1.52 and the gateway for the camera is set to 192.168.1.150 (Which is the pfsense box).

                    1 Reply Last reply Reply Quote 0
                    • V
                      viragomann
                      last edited by

                      So you should be able to access it from the VPN client.

                      Was it set this way already as you've taken the capture you posted above?
                      If the camera has a gateway option and it is set to pfSense you should also see responses there.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        If the camera has a gateway that points back to pfsense, then yes you could be able to access it.  From your sniff pfsense is sending the traffic. Does the camera have a firewall or block access from networks not local?

                        Pfsense can ping the camera IP?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        1 Reply Last reply Reply Quote 0
                        • H
                          haaser
                          last edited by

                          Ok, so I was doing some more tracing and I was checking the config files when I found that someone changed the gateway on the camera system to 192.168.1.1 as soon as I changed it back to 192.168.1.150 everything started working again. Sorry for the problems but all is solved and working. Thanks very much for the help! It is much appreciated.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post