can not ping access anything behind openvpn



  • since I'm confusing the one guy
  
    I have posted images.
    Without VPN on the home network I can access anything.
    Connected to VPN:
    you can not ping the router or the network, you can't access anything.. you lose internet.
    All you can ping is the Virtual LAN IP given, which is the 192.168.100.2



  • so like the other article.. unable to reach LAN IP after connecting to OpenVPN



  • Nat Table
    0_1529090384204_nat1.jpg
    0_1529090395066_nat2.jpg
    0_1529090406901_nat3.jpg

    Rules Table
    0_1529090426481_rules1.jpg
    0_1529090437512_rules2.jpg

    Server Settings
    0_1529090453479_pfsense1.jpg
    0_1529090467532_pfsense2.jpg
    0_1529090479584_pfsense3.jpg
    0_1529090492481_pfsense4.jpg
    0_1529090503656_pfsense5.jpg
    0_1529090515298_pfsense6.jpg
    0_1529090528007_pfsense7.jpg

    client config info
    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 174.94.28.5 1194 udp
    verify-x509-name "mikeshouseserver" name
    pkcs12 pfSense-UDP4-1194-mikeshouseclient.p12
    tls-auth pfSense-UDP4-1194-mikeshouseclient-tls.key 1
    remote-cert-tls server
    0_1529090339973_nat2.jpg



  • not sure what all else you guys need to know, but I figure it must be something simple.
    I had watched this video
    https://www.youtube.com/watch?v=Q6YbCQEiC3c
    that covered how to set up a VPN. I followed all the instructions but it seems not to work.
    I did the Force Client IP check box, that didn't help.

    And my next step later is to change my network from 192.168.0.x to something like 192.168.250.x so there'd be no conflicts, in theory..
    But if there is more info needed let me know.. as I thought this was as simple as the video, but it hasn't seemed to help; it just lets me connect to the VPN and I lose all connectivity till I disconnect it.


  • Rebel Alliance Global Moderator

    Dude, your outbound NAT is borked; how do you think that is going to work??

    There is no guide anywhere that would tell you to set up such nonsense..

    What I would suggest is you delete all this, turn on automatic outbound NAT, and run through the wizard... It takes all of 30 seconds to set up, but what you have from your screenshots is just a mess!!!



  • not sure what you mean.
    I used to have automatic outbound NAT.. but you need to set it to hybrid when you want to use an Xbox One behind pfSense.. but I still didn't get it to work, still got Double NAT Type.

    But the outbound settings I set like the pfSense Basics said in the video
    https://www.youtube.com/watch?v=Q6YbCQEiC3c
    at 8:30 into the video I set it...
    And ugh, the screenshots are posted, I scrolled down, ugh, I'll see if I can repost them in order.. ugh, just a sec



  • I re-uploaded them 1 file at a time so they are in order now,
    and I'll look for the wizard too.
    I'll delete it all and start over; didn't know there was a wizard for OpenVPN, just pfSense Basics remote user VPN for the version I have.



  • something they just added recently, I've seen;
    it wasn't in the video before: an OpenVPN interface to allow traffic from the remote users..

    I'll look into seeing how to do this, this must be the reason why mine doesn't work.



    @comet424 NAT is required for the client, not the router. You need to just create a NAT entry for your whole LAN segment (i.e. 192.168.0.0/24) and also for any other networks you need outbound (i.e. 192.168.100.0/24). Then, if you need static port for a specific client, you can add those and make sure they are up higher in the list. Also, make sure you have a NAT entry for 127.0.0.1 to be NAT'd as well, or the pfSense box will not be able to reach out to the internet itself (updates, etc.).

    Beyond that, you need the appropriate firewall rules. If you don't have a firewall rule to allow traffic outbound and to reach the DNS server, etc., etc., you won't be able to do anything either. My best advice is to create an "Allow any protocol from any source to any destination" firewall rule on the OpenVPN interface and start there. If everything works, then you know that it has to do with your rule configuration. Start simple, then lock down.

    IT Rule number 1: It is almost always the simplest thing. Keep your initial testing simple before you get complex.



  • @bloodlogic ok, I'll look into this.. I was just following step by step from the video I posted above.. but since I tried these settings a month or so ago, they added that they forgot an OpenVPN interface to allow traffic from the remote users...

    I'm guessing that's what you're talking about.
    I re-read what you wrote; it takes me a few times to read things to understand them, dyslexia and a learning disability.. I'm a visual learner, not so much a words learner.. I'll try to take what you said and what the video posted about this OpenVPN interface and incorporate it.

    I appreciate the help from @johnpoz and @bloodlogic



  • @comet424 Here is a screenshot of my NAT settings. The "Gaming Console" is an Alias I created in pfSense for my gaming console IPs, and I gave them static to help with the problem with NAT mode.

    0_1529091381029_Capture.JPG

    Notice how that rule is above the other global network rules to allow my whole LAN and LAB networks outbound NAT so that they match first for my gaming consoles.



  • Also, not all YouTube videos are correct, so I understand the confusion when you perform their steps and it doesn't work. If you understand the why of things in your network, it serves you to better understand how to make them work. Hope you get it working.


  • Rebel Alliance Global Moderator

    @bloodlogic wtf you hiding rfc1918 for? That sure is not going to help anyone understand anything.



  • @johnpoz Because while it is not globally useful unless you are on my network, it still puts the internal layout of my network out on the internet, which saves a black hat recon work. All information is usable depending on the context. If you want to put yours out there, then go ahead. That being said, I already specifically named the CIDR blocks that would need to be in the OP's entries in a previous reply, as well as left the /24 bit at the end. ☺


  • Rebel Alliance Global Moderator

    Yeah, ok, sure <rolleyes> You might want to loosen up the tinfoil hat, seems to be a bit tight ;)



  • ok I see, I'm kinda confused why it matters what comes first.. if you're port forwarding, say, it just follows the rules in the list, why does it matter what comes first... I tried to copy yours.. I don't know if it will help for the couple of issues I have.. and how did you rename Source to "Gaming Console", doesn't it need an IP address? Here is what I just did.
    I wish there was an up/down button; I had to fiddle with add up and down and stuff.
    0_1529092339491_natagain.jpg

    Oh, and the video they edited: I need an OpenVPN client interface. This is what I did; there were no instructions, so let me know if I did it right?
    I took a guess, so don't get mad if I did it wrong.. and will your gaming console settings fix the Double NAT Type the Xbox One has?
    Here are the pics I did.. oh, and the other guy said run the wizard for OpenVPN; I didn't find any such thing, only the wizard to initially set up the network, but nothing for OpenVPN to just click click click and OpenVPN is set up... maybe you know where to find it.

    It's for the OpenVPN Client setting
    0_1529092620054_openclient1.jpg
    0_1529092629686_openclient2.jpg
    0_1529092641268_openclient3.jpg
    0_1529092651315_openclient4.jpg
    0_1529092665299_openclient5.jpg
    0_1529092682745_openclient6.jpg
    0_1529092695036_openclient7.jpg



  • @bloodlogic you mentioned that not all YouTube videos are correct, which I understand.
    Is there a correct video, or one with pictures, to set it up properly that's verified correct all the time.. as I mentioned, I'm a visual learner, so I see things better than reading them...
    I do appreciate all the help so far.. some of the stuff confuses me, so I have to re-read things several times.


  • Rebel Alliance Global Moderator

    @comet424 said in can not ping access anything behind openvpn:

    oh and the video they edited I need a openvpn client interface this is what I did there was no instructions let me know if I did it right?

    Because you DO NOT need a VPN interface for road warrior connectivity.. I would say 90% of those videos are done by people that don't understand even the basics.. And many of them are for old versions as well.

    https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html

    is really where you should be looking.



  • @comet424 It is perfectly fine to not know things. :) No, you don't need an OpenVPN client setup. Your phone is the client and the pfSense is the server. You can delete that. That being said, the Wizard for OpenVPN is the Wizard tab that you see there next to "Client Specific Overrides" in your screenshot for the OpenVPN menu.

    In regards to the ordering of rules, it matters because it works on a first matched only basis. If the global rule that allows that network outbound matches first, it is applied and your custom rule for just that one specific host is not even reached to know to do the static ports.

    Your main problem with NAT is likely due to the fact that you have hybrid on and I am not 100% on the ordering there. You should switch to manual outbound for the NAT type to be sure. Make sure you keep all the ones created by the automatic rules but now make sure your rule for your gaming console with static port is above the others.

    In regards to the "Gaming Console" entry, you can create aliases under "Firewall > Aliases", where you can group multiple addresses together into one logical entry. That field will take an alias. It shouldn't be needed in your case, and the IP for your Xbox will do just fine.

    All of that will fix your overall other issues, but to fix your VPN issue you need the firewall rule as I mentioned. The firewall rule is why you don't have any access, if I had to make an educated guess.
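    The two points made in this thread about outbound NAT (a NAT entry for the LAN segment, the OpenVPN tunnel network and 127.0.0.1, plus a static-port entry for the console placed above the broad network entries) and about rule ordering (first match wins, so a host-specific rule below a /24 that already covers it is never reached) can be checked mechanically. The following is an added example, not code from the thread or from pfSense; it models a pfSense outbound NAT list as a Python list evaluated top to bottom. The network values are the ones named in the thread (192.168.0.0/24 LAN, 192.168.100.0/24 tunnel); 192.168.0.50 is a constructed stand-in for the console's static IP.

    ```python
    import ipaddress
    from dataclasses import dataclass
    from typing import List, Optional


    @dataclass
    class OutboundNatRule:
        """One row of Firewall > NAT > Outbound, reduced to the fields that matter here."""
        description: str
        source: str        # source network the rule matches (CIDR or single host)
        static_port: bool  # keep the original source port instead of rewriting it


    def first_matching_rule(rules: List[OutboundNatRule], src_ip: str) -> Optional[OutboundNatRule]:
        """Walk the list top to bottom and return the first rule whose source covers src_ip.
        Rules below the match are never consulted, which is why ordering matters."""
        ip = ipaddress.ip_address(src_ip)
        for rule in rules:
            if ip in ipaddress.ip_network(rule.source, strict=False):
                return rule
        return None  # no outbound NAT entry: traffic leaves un-translated or is dropped


    def shadowed_rules(rules: List[OutboundNatRule]) -> List[str]:
        """Descriptions of rules that can never match because an earlier rule's
        source network fully contains theirs (the mistake discussed in the thread)."""
        shadowed = []
        for i, later in enumerate(rules):
            later_net = ipaddress.ip_network(later.source, strict=False)
            for earlier in rules[:i]:
                if later_net.subnet_of(ipaddress.ip_network(earlier.source, strict=False)):
                    shadowed.append(later.description)
                    break
        return shadowed


    def console_gets_static_port(rules: List[OutboundNatRule], console_ip: str = "192.168.0.50") -> bool:
        """True only if the console's traffic hits a rule with static port enabled."""
        match = first_matching_rule(rules, console_ip)
        return match is not None and match.static_port


    # Constructed entries mirroring the advice in the thread.
    LAN_RULE = OutboundNatRule("LAN to WAN", "192.168.0.0/24", static_port=False)
    VPN_RULE = OutboundNatRule("OpenVPN clients to WAN", "192.168.100.0/24", static_port=False)
    LOCALHOST_RULE = OutboundNatRule("pfSense itself to WAN", "127.0.0.1/32", static_port=False)
    CONSOLE_RULE = OutboundNatRule("Gaming console static port", "192.168.0.50/32", static_port=True)

    # The mistake: the host-specific rule sits below the /24 rule that already covers it.
    WRONG_ORDER = [LAN_RULE, VPN_RULE, LOCALHOST_RULE, CONSOLE_RULE]
    # The fix: most specific rule first, broad network rules after it.
    RIGHT_ORDER = [CONSOLE_RULE, LAN_RULE, VPN_RULE, LOCALHOST_RULE]


    if __name__ == "__main__":
        for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
            hit = first_matching_rule(rules, "192.168.0.50")
            print(f"{label}: console matches '{hit.description}', static port = {hit.static_port}")
            print(f"{label}: shadowed rules = {shadowed_rules(rules)}")
        vpn_hit = first_matching_rule(RIGHT_ORDER, "192.168.100.2")
        print(f"VPN client 192.168.100.2 matches '{vpn_hit.description}'")
    ```

    Running it shows the console's packets hitting "LAN to WAN" (no static port) in the wrong order and "Gaming console static port" in the right order; `shadowed_rules` flags the unreachable row, which is a quick sanity check to run over any hand-built outbound NAT list before switching from automatic to manual mode.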



  • @johnpoz ok thanks, I'll check it out.
    Yeah, like 4 months ago I was told I need VPN on the pfSense box because I wanted access to my network servers, like my Windows Home Servers, and instead of changing each server's remote desktop port.. all I need is OpenVPN, and I need it for security reasons; I was told I'm an idiot if I don't use VPN.
    So I tried, and I gave up after a while trying to follow several videos; then I was told by another user why am I using pfSense, use MikroTik, but it costs money; in the end this is free and seems ok... but I followed the video I posted because it was the same current version of pfSense I'm using, as I found the older videos didn't work.. and then because I posted on the YouTube that it didn't work, I see now, as I mentioned, they posted they forgot to add the OpenVPN client.. reason why I just played with it, with the pics.

    I'll check out the link you posted and I'll follow those instructions and see how I get on.. I appreciate all your help so far @johnpoz and @bloodlogic @onyxfire
    It's a learning process, always willing to learn, sometimes I just need help cuz I get stumped.


  • Rebel Alliance Global Moderator

    Dude, it really is as simple as answering the simple questions in the wizard..



  • @onyxfire the reason I set it to hybrid is because the few YouTube videos posted for Xbox and Double NAT Type for pfSense said you need to set it to this and then set a bunch of ports, but it never helped in the end.. I'll worry about that later...
    As for the alias, ah, can't be bothered; I just have an Xbox One and 360 and a PS3, but only the Xbox One is hooked up.
    As for the wizards, I see it now, I didn't see it before.. also with dyslexia I misread words.. like "mother" I sometimes read as "hello", reason why I need to re-read things 3 or 4 times or so sometimes, bad case I have..

    And the reason I was using the cell phone was it was easier for me to take to Tim Hortons or Home Depot and test the OpenVPN than taking the laptop into the store, and then I installed a Ping program so I could see if I could ping my local network; at least then I could test with a laptop..

    As I originally wanted to do Remote Desktop to server1.example.com, Remote Desktop to server2.example.com, but was told I'm an idiot, no point in setting it up, you need VPN, as I've been doing like 3389 port for server 1, 3391 port for server 2.. and I didn't wanna do port forwarding anymore, I wanted to connect like I do at home, or at least have reverse name lookup, I think it's called, like Remote Desktop to server1.example.com

    @johnpoz and sorry I didn't see the wizard you mention, I'll try again.. I misread the screen..