Netgate Discussion Forum
    Site to site between 4 offices

    OpenVPN
    10 Posts 3 Posters 1.3k Views
    Jamerson

      Dear All,
      We have 4 offices all over the country, we have 4 hardware pfSense units installed and we are happy with the performance.
      Today we have built 4 OpenVPN site-to-site tunnels between the offices and it does work fine (thank you for the software).
      One of the offices has 5 VLANs, which we managed to get the tunnel up and running; however, from the server side we can reach the machines on the client side (we can RDP to the servers there), but from the client side we can't ping or connect to the servers behind the server LAN. The screenshot below is an example of how it's configured.

      I've looked at the firewall logs on both firewalls but can't seem to find any block.
      Can someone please advise where to look? The version we are using is 2.4.3.

      Thank you

      JKnott

        Do you have rules to allow access to the VLANs?  I have attached an example.

        Attachment: Screenshot_20171214_140856.png

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        Jamerson

          Thank you for your answer.
          Yes, for each VLAN we have the rules to allow from VLAN30 to any to any.

          Derelict (LAYER 8, Netgate)

            Version 2.4.3? You mean the development version? Current production version is 2.4.2-patch1.

            You are not providing enough information for anyone to help you.

            You need to at least provide what networks are where and what local and remote networks are defined on the OpenVPN configurations.

            What kind of OpenVPN matters too. Is it SSL/TLS? Are they all connecting to one server or do they all have their own? etc.

            See the diagram in my sig for a hint at what kind of information is required.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Jamerson

              @Derelict:
              Thank you for your answer.
              Yes, I mean version 2.4.2-patch1.

              Server network is 10.10.10.0/24
              Client network is 10.10.20.0/24
              The OpenVPN we are using is an SSL peer-to-peer (shared key) with AES 256-bit algorithm and SHA-512
              Tunnel IP is 10.6.0.0/24
              Each office is connecting to the same server and each tunnel has its own IP:
              10.6.0.0/24
              10.7.0.0/24
              10.8.0.0/24

              I hope I've provided enough information.
              I would like to create such a diagram, but which program can I use?

              Derelict (LAYER 8, Netgate)

                The OpenVPN we are using is an SSL peer-to-peer (shared key)

                A Peer-to-Peer OpenVPN server is either SSL/TLS or Shared key. It cannot be both. How is yours actually configured?

                Maybe post screen shots instead of an approximation of what you think you have done.


                Jamerson

                  @Derelict:

                  It is shared key, no SSL. Thank you.

                  Derelict (LAYER 8, Netgate)

                    OK so on each client side you need:

                    Remote Networks: 10.10.10.0/24,10.10.20.0/24

                    On the server instance for the first office you need:

                    Remote Networks: Remote networks on that side of the connection

                    Same for the server instances for the other two offices.

                    Firewall rules on the OpenVPN tab or the assigned interface tabs have to pass the desired traffic from the remote sites.

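                    The layout Derelict describes above, written out as a minimal pair of OpenVPN shared-key (peer-to-peer) configurations. This is an added example, not pfSense's generated configuration and not code from the original thread; pfSense writes the equivalent directives for you from the Tunnel Network and Remote Networks fields, and the hostnames, port and key path below are assumptions. The point it shows: in shared-key mode there is no push, no client-config-dir and no iroute, so every subnet on the far side of the tunnel must appear as its own route line on each end, and the server-side VLANs are no exception.

```openvpn
# --- Server side: the office holding 10.10.10.0/24 and the 5 VLANs ---
# Added example; port, hostname and key path are assumptions.
dev tun
proto udp
port 1194                          # assumed; any unused UDP port works
secret /etc/openvpn/office-b.key   # static key, shared with the client office out of band
ifconfig 10.6.0.1 10.6.0.2         # tunnel endpoints taken from the 10.6.0.0/24 tunnel network
cipher AES-256-CBC                 # "AES 256" from the post; both ends must match
auth SHA512
keepalive 10 60
persist-key
persist-tun
# Remote Networks on the server instance = every subnet that lives behind the client.
# This route line is the only thing that sends 10.10.20.0/24 into the tunnel.
route 10.10.20.0 255.255.255.0

# --- Client side: the office holding 10.10.20.0/24 ---
dev tun
proto udp
remote vpn.office-a.example 1194   # assumed hostname of the server office
secret /etc/openvpn/office-b.key   # same static key as the server
ifconfig 10.6.0.2 10.6.0.1         # mirror of the server's ifconfig line
cipher AES-256-CBC
auth SHA512
keepalive 10 60
persist-key
persist-tun
# Remote Networks on the client instance = every subnet behind the server,
# i.e. the server LAN plus one line per VLAN (VLAN subnets are not given in the thread).
route 10.10.10.0 255.255.255.0
# route <vlan-subnet> 255.255.255.0   # repeat for each of the 5 VLANs
```

                    The second and third offices get their own server instance and static key with the 10.7.0.0/24 and 10.8.0.0/24 tunnel networks and their own route lines. The route only gets a packet into the tunnel; on the receiving pfSense a pass rule on the OpenVPN tab (or on the assigned interface) is still required for it to be accepted, and a rule on the LAN or VLAN tab only covers the first hop. A quick way to confirm the routing half on either box is to check that the far-side subnets show up in netstat -rn with the ovpn interface as their egress; if a subnet is missing there, it is a Remote Networks problem, not a firewall one.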
                    Jamerson

                      @Derelict:

                      This is correct.
                      Each office has an allow any-to-any rule on the OpenVPN interface, but the issue now is internal from the client side, which can't reach the server.
                      I see we have floating rules on the client side; would these be affecting the routes? Also, we are using multi-WAN in this office.

                      Thank you for your continued support.

                      Derelict (LAYER 8, Netgate)

                        Please use specific IP addresses and a specific mode of testing so people can know exactly what you're talking about.

                        Thanks.


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.