Netgate Discussion Forum
    Site-2-site PFsense 2.4.2-p1 only 'working' in 1 direction

      peterlinuxgeek

      Hi All,

      I am utterly confused, and hope somebody can enlighten me.

      I based my setup on https://www.nanoscopic.de/2017/07/simple-site-to-site-vpn-with-pfsense-and-openvpn/
      (Their site A & B is reversed from what I have explained below)

      First off, a correct OpenVPN Peer2Peer setup should allow for full access to the LAN on the other side of the link, right?
      No matter which direction you go Server -> client or Client -> Server.

      Situation

      Site A has
      static IP on WAN.
      1 openVPN server Remote Access SSL working just fine (port 1194)
      1 openVPN server Peer2Peer Shared key (port 1195) with 'issues'
      Printers on LAN x.y.A.20 & x.y.A.21

      Site B has
      DHCP reserved IP on WAN (for now)
      1 openVPN server Remote Access SSL working just fine (port 1194)
      1 openVPN CLIENT Peer2Peer Shared key (port 1195) might have 'issues'
      Printer on LAN x.y.B.20
      1 Windows PC on LAN x.y.B.201 to which I can remote in from home (from Site 'C' if you want)

      Both pfSense devices show the site-2-site as being UP on port 1195
      I can connect from site C using the other VPN to both locations on port 1194, no issues.

      I rdesktop into the Windows PC on site B, and can access the Site B firewall via its LAN address.
      From that same PC I cannot access the Site A firewall on its regular LAN IP, but can bring it up in a browser using the Tunnel IP that it got assigned.
      Confirming that there is some communication going on.

      From Site B, I cannot ping pfSense or the printers on the LAN at SITE A.
      However, from the web interface of pfSense at site A I can ping the printer on Site B, hinting that 50% of the site-2-site is kind'a working?

      So from the VPN server side I seem to be able to get into the client LAN (Not needed at this point but OK)
      Site A office is closed and I do not have access to a PC on the LAN to fully test access to printers on site B; I assume it works.

      From the site B (client) side I CANNOT get into the serverside LAN, no pings from the site B pfSense, let alone from the PC.

      Both sides have the s2sVPN assigned to an interface
      and both sides have the usual IPV4* ALLOW ALL rule under this interface.

      Both sides allow traffic on IPv4 UDP ports 1194 & 1195 WAN address (firewall rules)

      Couple things I noticed.
      Nowhere in the pfSense server config screen do I see Local Network (Tunnel and Remote are there).
      Same in the client config on site B, but that is kind'a expected.

      On Site B (client) the following Outbound NAT was added:
      x.y.A.0/24 x.y.B.0/24 (+ tunnel networks for both VPNs and local 127)
      So both LANs are there.

      On Site A (server) however the Outbound NAT does not mention
      x.y.B.0/24 the client network, only the local LAN is there + tunnel networks for both VPNs and local 127

      Adding this x.y.B.0/24 manually (2 rules) does not seem to solve the problem.
      (Changing to Hybrid outbound NAT)

      Now is this whole situation caused by a bug ('missing local network?') or am I missing something?

      All suggestions and help appreciated.

      Regards

      P

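One check a responder would run on a case like this, as an added example that is not part of the post and not pfSense's own code: feed each side's generated OpenVPN shared-key config into a small parser and confirm that both sides carry a route to the peer's LAN and that the point-to-point tunnel endpoints mirror each other. A route present on only one side produces exactly the one-way reachability described above, because the other side sends LAN-bound traffic out its default gateway instead of into the tunnel. It assumes pfSense renders the "IPv4 Remote network(s)" field as `route` lines and the /30 tunnel as `ifconfig local remote`; the subnets, tunnel addresses, hostname and file paths are constructed placeholders.

```python
import ipaddress

# Constructed sample configs in the shape pfSense writes for a shared-key pair
# (assumes the "IPv4 Remote network(s)" field becomes 'route' lines and the
# /30 tunnel becomes a point-to-point 'ifconfig local remote').
SERVER_A = """\
dev ovpns2
dev-type tun
lport 1195
ifconfig 10.0.8.1 10.0.8.2
route 192.168.20.0 255.255.255.0
secret /var/etc/openvpn/server2.secret
"""
CLIENT_B = """\
dev ovpnc1
dev-type tun
remote siteA.example.invalid 1195
ifconfig 10.0.8.2 10.0.8.1
secret /var/etc/openvpn/client1.secret
"""  # no 'route' for the site A LAN: the one-way symptom from the post

def parse_ovpn(text):
    """Return OpenVPN directives as {name: [args, ...]}, comments stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf.setdefault(key, []).append(args)
    return conf

def routes_of(conf):
    """Networks this side sends into the tunnel ('route net mask' lines)."""
    return {ipaddress.ip_network(f"{n}/{m}") for n, m in conf.get("route", [])}

def check_pair(server_cfg, client_cfg, server_lan, client_lan):
    """Return findings; an empty list means both LANs are routed both ways."""
    s, c = parse_ovpn(server_cfg), parse_ovpn(client_cfg)
    findings = []
    if ipaddress.ip_network(client_lan) not in routes_of(s):
        findings.append("server lacks route to client LAN")
    if ipaddress.ip_network(server_lan) not in routes_of(c):
        findings.append("client lacks route to server LAN")
    # point-to-point tunnel: 'ifconfig local remote' must mirror the peer's
    s_if, c_if = s.get("ifconfig", [[]])[0], c.get("ifconfig", [[]])[0]
    if len(s_if) == 2 and len(c_if) == 2 and s_if != c_if[::-1]:
        findings.append("tunnel endpoints do not mirror")
    return findings
```

On a real pair the same check is run against the files pfSense writes under /var/etc/openvpn on each box, comparing them with the LAN subnets of both sites.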
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.