Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Ovpn Client to Endian works! but not for all ip?

    OpenVPN
    2
    11
    1078
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      Razorjack last edited by

      Hi guys, I'm John sorry if I bother you all, but I think have read online everything about this without find a real solution

      this is the problem: I successfully create a VPN client to server between Endian (server) and Pfsense (client) but I can't undestand why some ip address of the remote network (server: 192.168.172/24) and some ip address of the local network (192.168.173/24 client from server) are unreachable °_°

      so if with my computer 192.168.173.49 want to ping 192.168.172.99 is ok, but if i want to reach 192.168.172.20 not work! I've already checked the windows firewall and every computer can reach each other if they comunicate in the same lan, have already checked gateways on computer ethernet adapter.

      same thing if I'm at the office and from 192.168.172.99 want to ping 192.168.173.36 (ilo interface of my homeserver) all works, but if I want to reach my computer 192.168.173.49 not work… what the hell....

      this is my configuration, please help me if you can

      (only showing relevant setting)

      Home/Pfsense/Client configuration

      servermode: p2p(ssl/tls)
      protocol:         udp ipv4 only
      device: tun (also tested and same result with tap)
      interface:         wan
      server host: my office public ip
      server port: 1194
      description: openvpn2office
      user auth:         all blank
      tls config:         uncheked
      peer cert authority: Endian Exported CA
      client certificate: Endian Exported certificate
      enc Algorithm: BF-CBC 128 bit key,64 bit block
      enable NCP: enabled
      NCP Algorithms: AES-256-GCM and AES-128-GVM
      auth digest: SHA1 (160bit)
      hard crypto: no
      Ipv4 tunnel network: 10.55.8.0/24
      ipv4 remote network: blank but also tested with real remote network 192.168.172.0/24
      compression: LZO
      custom option: auth-user-pass /cf/conf/client100-auth.txt

      RULE on PFSENSE:

      OPENVPN inteface:
      States Protocol Source Port Destination Port Gateway Queue Schedule Description
      0 /1 KiB    IPv4 * *         * *                 * *         none OpenVPN  openvpn4office wizard

      NAT on PFSENSE
      Automatic Rules:
      Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
      WAN 127.0.0.0/8 192.168.173.0/24 10.55.8.0/24 * * 500 WAN address * Auto created rule for ISAKMP
      WAN 127.0.0.0/8 192.168.173.0/24 10.55.8.0/24 * * * WAN address * Auto created rule

      Mappings
      Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description Actions
      WAN 127.0.0.0/8 * * 500 WAN address * Auto created rule for ISAKMP - localhost to WAN
      WAN 127.0.0.0/8 * * * WAN address * Auto created rule - localhost to WAN
      WAN 192.168.173.0/24 * * 500 WAN address * Auto created rule for ISAKMP - LAN to WAN
      WAN 192.168.173.0/24 * * * WAN address * Auto created rule - LAN to WAN
      WAN 10.55.8.0/24 * * 500 WAN address * Auto created rule for ISAKMP - OpenVPN client to WAN
      WAN 10.55.8.0/24 * * * WAN address * Auto created rule - OpenVPN client to WAN

      office/Endian/server configuration

      auth type:         psk(username/password)
      cert:         Self created and exported for pfsense
      server port: 1194
      device: tun (also tested with tap, same result)
      protocol:         udp
      ipv4 tunnel network: 10.55.8.0/24
      bridged:         unchecked (want to use tunnel network)
      cert configuration: same as the above
      clt2clt connection: allow direct connection
      forced network: 192.168.172.0/24

      office/endian/user for ovpn config

      username:         myusername
      password:         mypassword (same as the file in pfsense configuration)
      certificate:         same as the other in endian
      vpn option
      force network: 192.168.172.0/24
      lan behind client:      192.168.173.0/24

      hope someone can find a solution... I've read about a net30 config in pfsense but I not use it
      and don't know in which wall I have to crush my head

      however, tunnel seems works fine, and some ip not responding thru the tunnel

      I've also follow another way, assign a OPT1 interface to openvpn tunnel, create Networks Alias and create also a rule to gateway the network thru the tunnel
      same result...

      I think Endian config is ok becouse I have in the beginning an Endian FW in my home and all works well (with incredibly lag caused by virtualized fw) so nothing was changed in the office configuration

      1 Reply Last reply Reply Quote 0
      • V
        viragomann last edited by

        Do not trust Windows firewalls! Disabling it, often does not deactivate it immediately.

        For a simple test to get closer to the problem you can use the ping tool from the pfSense GUI.
        Take an IP out of the office network which you can ping from a local device but not from remote. On the home pfSense go to the ping tool and enter the IP and run a ping with the default source selection. Then change the source to LAN address (the pfSense address in the 192.168.173.0/24 network) and run the ping again.
        If you get responses on the first run but not on the second check the firewall and the network settings on the destination device.

        1 Reply Last reply Reply Quote 0
        • R
          Razorjack last edited by

          Thanx Viragomann, I've tryed, doing a ping from Pfsense interface changed nothing, I can ping 192.168.172.99 but not 192.168.172.20 and same thing from Endian firewall, I can ping 192.168.173.36 but not 192.168.173.49 or 100

          local ip of both firewall are reachable, everything in their lan are reachable by ping and I've also checked the gateway and is correct.. (have only one gateway for each network)

          hard to find this problem, no entry on firewall log… I can't believe it

          1 Reply Last reply Reply Quote 0
          • R
            Razorjack last edited by

            ok man, as Viragomann says do not trust Windows Firewall, so I've solved Half of the route.

            now from pfsense (client) to endian (server) all works well, I can reach everythings in the office network.

            but I not the inverse, Endian have a route already and works if used with another endian Firewall so I think is Pfsense that block for some reason the traffic.

            have you an idea of what I need to check?

            1 Reply Last reply Reply Quote 0
            • V
              viragomann last edited by

              So you also have access from a client behind pfSense to a device in the LAN behind Endian? If so the routes on both sites should be fine.
              And since the firewall rule on pfSense OpenVPN interface allows any IPv4 access, it shouldn't block anything.

              To troubleshoot, you can use Packet capture from the pfSense Diagnostic menu.
              Take a capture on the OpenVPN interface, while you try to access a device from the other site. You should see the packets there, even if pfSense blocks them. If it doesn't block the traffic you should also see responses.
              If there are no packets arriving on the vpn interface, the traffic may not be routed into the VPN tunnel on Endian.
              If the packets are arriving, also take a capture on the LAN interface to see what's going on there.

              1 Reply Last reply Reply Quote 0
              • R
                Razorjack last edited by

                Viragomann thankyou in advance for your help, I've done what you suggest, and if from endian network (192.168.172/24) I ping pfsense ip 192.168.173.36

                packet capture see this on openvpn tunnel
                20:40:43.262508 IP 192.168.172.99 > 192.168.173.36: ICMP echo request, id 1, seq 2490, length 40
                20:40:43.270631 IP 192.168.173.36 > 192.168.172.99: ICMP echo reply, id 1, seq 2490, length 40

                instead if I ping my computer packet capture show this

                23:25:06.328269 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3866, length 40
                23:25:11.309302 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3867, length 40
                23:25:16.309808 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3868, length 40
                23:25:21.308759 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3869, length 40
                23:25:26.306973 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3870, length 40

                is right to suppose that the icmping pass the tunnel? why my computer not respond? is my computer? becouse if I ping everything in my home side all seems to be ok

                now I'll check the lan..

                ok monitoring the same ip on lan interface these are the results
                23:31:11.311218 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3945, length 40
                23:31:16.311602 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3946, length 40
                23:31:21.311830 IP 192.168.172.99 > 192.168.173.49: ICMP echo request, id 1, seq 3947, length 40

                monitoring instead my computer ip (192.168.173.49)
                ….
                what the...!! what the!!!! sorry man sorry al I can't believe it... DON'T TRUST WINDOWS FIREWALL and MICROSOFT UPDATE! I can't believe it...

                ok man all works perfect, windows firewall for some reason after the last windows 10 update reset all windows firewall rule... f@..k

                thankyou so much Viragomann, probably I can't go so near to the solution without your help, I'm newbie of Pfsense and many of the fantastic tool it have start to know it now..

                thakyou again

                John

                1 Reply Last reply Reply Quote 0
                • V
                  viragomann last edited by

                  And your computer uses pfSense as gateway?

                  Maybe its firewall is blocking the access.

                  1 Reply Last reply Reply Quote 0
                  • R
                    Razorjack last edited by

                    Yes, my computer stay in home lan behind pfsense and use it as gateway

                    but there's a thing that I cannot explain… why my computer and so windows firewall let me to ping it from same subnet (another computer behind pfsense)
                    but refuse to answer to icmping if they come from the openvpn tunnel?

                    what I have to do is going to advanced firewall configuration of windows and enable every ICMPING out rule and for every rule set in advanced tab that is related to every 3 kind of zone: private,public and domain.

                    there's no meaning I think to do it but it's the only way to make it works, and I've tested with another computer (microserver in same subnet).

                    1 Reply Last reply Reply Quote 0
                    • V
                      viragomann last edited by

                      That ping comes from the remote LAN not the OpenVPN tunnel, but that won't make any difference for the Windows firewall.
                      Since the network is not assigned to the computer, Windows sees it as "public".

                      If you don't want to modify all your computers firewalls you can also get it work by natting the source addresses to the pfSense LAN IP. So the access will seem to come from the local subnet and Windows will trust it. But if you do that, you don't see the real origin IP address on the destination device.

                      1 Reply Last reply Reply Quote 0
                      • R
                        Razorjack last edited by

                        that's the answer, I think for a little home network change windows firewall is enough, otherwise I think better looking to trust the remote subnet to make the windows firewall setting easyer

                        1 Reply Last reply Reply Quote 0
                        • V
                          viragomann last edited by

                          The NAT method is also called masquerading and that puts it in a nutshell. A Windows firewall by default only trusts devices in its own network and with this method it seems that the access comes from its own network segment.

                          To do this is an easy workaround as long as you have no need to determine the source device on the destination device.
                          So, in my opinion, its sufficient for home use, but in a business environment I would prefer the routing method and configure the firewalls to allowing access as needed.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post