Site-to-site pfSense 2.4.2-p1 only 'working' in one direction



    Hi All,

    I am utterly confused, and hope somebody can enlighten me.

    I based my setup on https://www.nanoscopic.de/2017/07/simple-site-to-site-vpn-with-pfsense-and-openvpn/
    (Their site A & B is reversed from what I have explained below)

    First off, a correct OpenVPN peer-to-peer setup should allow full access to the LAN on the other side of the link, right?
    No matter which direction you go, server -> client or client -> server.

    Situation

    Site A has
    static IP on WAN.
    1 OpenVPN server, Remote Access SSL, working just fine (port 1194)
    1 OpenVPN server, Peer-to-Peer Shared Key (port 1195), with 'issues'
    Printers on LAN x.y.A.20 & x.y.A.21

    Site B has
    DHCP reserved IP on WAN (for now)
    1 OpenVPN server, Remote Access SSL, working just fine (port 1194)
    1 OpenVPN CLIENT, Peer-to-Peer Shared Key (port 1195), which might have 'issues'
    Printer on LAN x.y.B.20
    1 Windows PC on LAN x.y.B.201, to which I can remote in from home (from Site 'C', if you want)

    Both pfSense devices show the site-to-site as being UP on port 1195.
    I can connect from site C using the other VPN to both locations on port 1194, no issues.

    I rdesktop into the Windows PC on site B, and can access the Site B firewall via its LAN address.
    From that same PC I cannot access the Site A firewall on its regular LAN IP, but I can bring it up in a browser using the tunnel IP it got assigned.
    This confirms that there is some communication going on.

    From Site B, I cannot ping pfSense or the printers on the LAN at Site A.
    However, from the web interface of pfSense at site A I can ping the printer on Site B, hinting that 50% of the site-to-site is kind of working?

    So from the VPN server side I seem to be able to get into the client LAN (not needed at this point, but OK).
    The Site A office is closed and I do not have access to a PC on that LAN to fully test access to the printers on site B; I assume it works.

    From the site B (client) side I CANNOT get into the server-side LAN: no pings from the site B pfSense, let alone from the PC.

    Both sides have the s2s VPN assigned to an interface,
    and both sides have the usual IPv4* ALLOW ALL rule under this interface.

    Both sides allow traffic on IPv4 UDP ports 1194 & 1195 to the WAN address (firewall rules).

    A couple of things I noticed.
    Nowhere in the pfSense server config screen do I see Local Network (Tunnel and Remote are there).
    Same in the client config on site B, but that is kind of expected.

    On Site B (client) the following Outbound NAT was added:
    x.y.A.0/24, x.y.B.0/24 (+ tunnel networks for both VPNs and local 127).
    So both LANs are there.

    On Site A (server), however, the Outbound NAT does not mention
    x.y.B.0/24, the client network; only the local LAN is there, + tunnel networks for both VPNs and local 127.

    Adding x.y.B.0/24 manually (2 rules) does not seem to solve the problem.
    (Changing to Hybrid outbound NAT.)

    Now, is this whole situation caused by a bug ('missing local network'?) or am I missing something?

    All suggestions and help appreciated.

    Regards

    P


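An added check for the routing half of a pfSense shared-key site-to-site link; this is example code written for this page, not code from the original post or from pfSense. The background it relies on: in shared-key (peer-to-peer) mode pfSense hides "IPv4 Local network(s)" because nothing is pushed to the peer, so that field being absent on the server screen is expected rather than a bug. Instead, each side must list the other site's LAN under "IPv4 Remote network(s)"; pfSense then writes a `route <net> <mask>` line into the generated config under /var/etc/openvpn/ and installs a kernel route out of the ovpnsN/ovpncN tunnel interface. Outbound NAT is not needed for routed LAN-to-LAN traffic, so the NAT rules mentioned above neither help nor hurt. The script below embeds constructed sample data (site A LAN 192.168.10.0/24 on ovpns2, site B LAN 192.168.20.0/24 on ovpnc1, tunnel 10.0.8.0/24, file names server2.conf/client1.conf) in which site A has the remote network configured and site B does not, which is the pattern that yields exactly "server can ping client LAN, client cannot reach server LAN"; the interface names and addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check that each side of a pfSense
# shared-key site-to-site link has (1) a "route NET MASK" line in its generated
# OpenVPN config, which the IPv4 Remote network(s) field produces, and (2) a
# kernel route for the peer LAN via an ovpn* interface. Assumed names: configs in
# /var/etc/openvpn/, tunnel interfaces ovpns<N>/ovpnc<N>; all addresses constructed.

# --- Constructed sample input, standing in for the output of
#     "cat /var/etc/openvpn/server2.conf" (site A) / "client1.conf" (site B)
#     and "netstat -rn -f inet" on each box.
SITE_A_CONF='dev ovpns2
dev-type tun
proto udp4
lport 1195
secret /var/etc/openvpn/server2.secret
ifconfig 10.0.8.1 10.0.8.2
route 192.168.20.0 255.255.255.0'

SITE_B_CONF='dev ovpnc1
dev-type tun
proto udp4
remote 203.0.113.10 1195
secret /var/etc/openvpn/client1.secret
ifconfig 10.0.8.2 10.0.8.1'

SITE_A_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS      vtnet0
10.0.8.0/24        10.0.8.2           UGS      ovpns2
127.0.0.1          link#3             UH         lo0
192.168.10.0/24    link#2             U        vtnet1
192.168.20.0/24    10.0.8.2           UGS      ovpns2'

SITE_B_ROUTES='Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS      vtnet0
10.0.8.0/24        10.0.8.1           UGS      ovpnc1
127.0.0.1          link#3             UH         lo0
192.168.20.0/24    link#2             U        vtnet1'

# has_route CONF NET MASK: succeeds if the generated config carries the exact
# "route NET MASK" line (fixed-string, whole-line match).
has_route() {
    printf '%s\n' "$1" | grep -qxF -- "route $2 $3"
}

# route_via_tunnel ROUTES NET/PREFIX: succeeds if the routing table sends
# NET/PREFIX out an ovpn* interface (column 4 of "netstat -rn" is Netif).
route_via_tunnel() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == net && $4 ~ /^ovpn/ { found = 1 }
        END { exit !found }'
}

# check_side NAME CONF ROUTES NET MASK PREFIXLEN: reports what this side is
# missing for reaching the peer LAN; returns 0 only when both pieces exist.
check_side() {
    name=$1 conf=$2 routes=$3 net=$4 mask=$5 plen=$6
    ok=0
    if has_route "$conf" "$net" "$mask"; then
        echo "$name: 'route $net $mask' present in generated config"
    else
        echo "$name: MISSING 'route $net $mask' -> add $net/$plen to IPv4 Remote network(s)"
        ok=1
    fi
    if route_via_tunnel "$routes" "$net/$plen"; then
        echo "$name: kernel route for $net/$plen points at the tunnel interface"
    else
        echo "$name: MISSING kernel route for $net/$plen via ovpn* (peer LAN unreachable from here)"
        ok=1
    fi
    return $ok
}

# report: run both directions against the sample data without failing the script.
report() {
    check_side "Site A (server)" "$SITE_A_CONF" "$SITE_A_ROUTES" 192.168.20.0 255.255.255.0 24 || true
    check_side "Site B (client)" "$SITE_B_CONF" "$SITE_B_ROUTES" 192.168.10.0 255.255.255.0 24 || true
}

report
```

On a live box, replace the sample strings with `SITE_B_CONF=$(cat /var/etc/openvpn/client1.conf)` and `SITE_B_ROUTES=$(netstat -rn -f inet)` (adjusting the instance number to the one Status > OpenVPN shows) and run the check on each pfSense. A side that prints both MISSING lines can only reach the peer's tunnel address, never its LAN, which is consistent with the tunnel IP being reachable while the LAN IP is not; the fix is in the VPN's Remote network(s) field, not in Outbound NAT.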