4. Site-2-site PFsense 2.4.2-p1 only 'working' in 1 direction

Site-2-site PFsense 2.4.2-p1 only 'working' in 1 direction

  • P

    Hi All,

    I am utterly confused, and hope somebody can enlighten me.

    Based my setup on https://www.nanoscopic.de/2017/07/simple-site-to-site-vpn-with-pfsense-and-openvpn/
    (Their site A & B is reversed from what I have explained below)

    First off, a correct OpenVPN Peer2Peer setup should allow for full access to the LAN on the other side of the link, right?
    No matter which direction you go Server -> client or Client -> Server.

    Situation

    Site A has
    static IP on WAN.
    1 openVPN server Remote Access SSL working just fine (port 1194)
    1 openVPN server  Peer2Peer Shared key (port 1195) with 'issues'
    Printers on LAN x.y.A.20 & x.y.A.21

    Site B has
    DHCP reserved IP on WAN (for now)
    1 openVPN server Remote Access SSL working just fine (port 1194)
    1 openVPN CLIENT  Peer2Peer Shared key (port 1195) might have 'issues'
    Printer on LAN x.y.B.20
    1 Windows PC on LAN x.y.B.201  to which I can remote in from home (from Site 'C' if you want)

    Both pfSense devices show the site-2-site as being UP on port 1195
    I can connect from site C using the other VPN to both location on port 1194, no issues.

    Rdesktop into Windows PC on site B, and can access Site B firewall via LAN address.
    From that same PC I cannot access Site A firewall on its regular LAN Ip, but can bring it up in a browser using the Tunnel IP that it got assigned.
    Confirming that there is some communication going on.

    From Site B, I cannot ping pfSense or  the printers on the LAN at SITE A
    However from the webinterface from pfSense at site A I can ping the printer on Site B, hinting that 50% of the site-2-site is kind'a working?

    So from the VPN server side I seem to be able to get into the client LAN (Not needed at this point but OK)
    Site A office is closed and I do not have access to a PC on the lan to fully test access to printers on site B, I assume it works.

    From the site B (client) side I CANNOT get into the serverside LAN, no pings from the site B pfSense, let alone from the PC.

    Both sides have the s2sVPN assigned to an interface
    and both sides have  the usual IPV4* ALLOW ALL rule under this interface.

    Both sides allow traffic on IPv4 UDP ports 1194 & 1195 WAN address (firewall rules)

    Couple things I noticed.
    Nowhere in the pfSense server config screen I see Local Network (Tunnel and Remote are there)
    Same in the client config on site B, but that is kind'a expected.

    On Site B (client) the following Outbound NAT was added:
    x.y.A.0/24 x.y.B.0/24 (+ tunnel networks for both VPNs and local 127)
    So both LANs are there.

    On Site A (server) however the Outbound NAT does not mention
    x.y.B.0/24 the client network, only the local LAN is there + tunnel networks for both VPNs and local 127

    Adding this x.y.B.0/24 manually (2 rules) does not seem to solve the problem.
    (Changing to Hybrid outbound NAT)

    Now is this whole situation caused by a bug ('missing local network?')  or am I missing something?

    All suggestions and help appreciated.

    Regards

    P

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy