can not ping access anything behind openvpn
-
since I'm confusing the one guy
I have posted images
without VPN on the home network I can access anything
connected to VPN
you can not ping the router the network you can't access nothing.. you lose internet
all you can ping is the Virtual LAN IP given which is the 192.168.100.2
-
so like the other article.. unable to reach LAN IP after connecting to openvpn
-
Nat Table
Rules Table
Server Settings
client config info
dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote 174.94.28.5 1194 udp
verify-x509-name "mikeshouseserver" name
pkcs12 pfSense-UDP4-1194-mikeshouseclient.p12
tls-auth pfSense-UDP4-1194-mikeshouseclient-tls.key 1
remote-cert-tls server
-
not sure what all else you guys need to know but like I figure it must be something simple
and I had watched this video
https://www.youtube.com/watch?v=Q6YbCQEiC3c
that covered how to setup a vpn I followed all the instructions but seems not to work
I did the Force Client IP check box that didn't help
and my next step later is to change my network from 192.168.0.x to like 192.168.250.x so there be no conflicts in theory..
but if there is more info needed let me know.. as I thought this was as simple as the video but hasn't seemed to help just lets me connect to the vpn and I lose all connectivity till I disconnect it
-
Dude your outbound nat is borked how do you think that is going to work??
There is no guide anywhere that would tell you to setup such nonsense..
What I would suggest is you delete all this - turn on automatic outbound nat, and run through the wizard... It takes all of 30 seconds to setup but what you have from your screenshots is just a mess!!!
-
not sure what you mean
and I used to have automatic outbound nat.. but since you need set it to hybrid when you want to use XBOX One behind pfsense.. but I still didn't get it to work still got Double Nat Type
but the outbound settings I set it like the Pfsense Basics said in the video
https://www.youtube.com/watch?v=Q6YbCQEiC3c
at 8:30 into the video I set it...
and ugh the screen shots are posted I scrolled down ugh I'll see if I can repost them in order.. ugh just a sec
-
I re-uploaded them 1 file at a time so they are in order now
and I'll look for the wizard too
I'll delete it all and start over didn't know there was a wizard for openvpn just pfsense basics remote user vpn for the version I have
-
something they just added recently I seen
wasn't in the video before openvpn interface to allow traffic from the remote users.. I'll look into seeing how to do this this must be reason why mine doesn't work
-
@comet424 NAT is required for the client not the router. You need to just create a NAT entry for your whole LAN segment (i.e. 192.168.0.0/24) and also for any other networks you need outbound (i.e. 192.168.100.0/24). Then if you need static port for a specific client you can add those and make sure they are up higher in the list. Also, make sure you have a NAT entry for 127.0.0.1 to be NAT'd as well or the pfsense box will not be able to reach out to the internet itself (updates, etc.).
Beyond that, you need the appropriate firewall rules. If you don't have a firewall rule to allow traffic outbound and to reach the DNS server, etc, etc you won't be able to do anything either. My best advice is to create an Allow any protocol from any source to any destination firewall rule on the OpenVPN interface and start there. If everything works, then you know that it has to do with your rule configuration. Start simple, then lock down.
IT Rule number 1: It is almost always the simplest thing. Keep your initial testing simple before you get complex.
-
@bloodlogic ok I'll look into this.. I was just following step by step from the video I posted above.. but since I tried these settings a month or so ago they added they forgot a openvpn interface to allow traffic from the remote users...
I'm guessing that's what you're talking about
I re read what you wrote takes me a few times to read things to understand it dyslexia and learning disability.. I a visual learner not so much a words learner.. I'll try to take what you said and what the video posted about this openvpn interface and incorporate it
I appreciate the help from @johnpoz and @bloodlogic
-
@comet424 Here is a screenshot of my NAT settings. The "Gaming Console" is an Alias I created in pfsense for my gaming console IPs and gave them static to help with the problem with NAT mode
Notice how that rule is above the other global network rules to allow my whole LAN and LAB networks outbound NAT so that they match first for my gaming consoles.
-
Also, not all youtube videos are correct so I understand the confusion when you perform their steps and it doesn't work. If you understand the why of things in your network it serves you to better understand the how to make them work. Hope you get it working.
-
@bloodlogic wtf you hiding rfc1918 for? That sure is not going to help anyone understand anything.
-
@johnpoz Because while it is not globally useful unless you are on my network, it still puts my internal layout of my network out on the internet which saves a black hat recon work. All information is usable depending on the context. If you want to put yours out there then go ahead. That being said, I already specifically named the CIDR blocks that would need to be in the OPs entries in a previous reply as well as left the /24 bit at the end.
-
Yeah ok sure <rolleyes> You might want to loosen up the tinfoil hat seems to be a bit tight ;)
-
ok I see I kinda confused why does it matter what comes first.. if your port forwarding say it just follows the rules in the list why it matter what comes first... I tried to copy yours.. I don't know if it will help for the couple issues I have.. and how did you rename Source to gaming Console doesn't it need an ip address here is what I just did
I wish there was a up down button I had to fiddle with add up and down and stuff
oh and the video they edited I need a openvpn client interface this is what I did there was no instructions let me know if I did it right?
I took a guess so don't get mad if I did wrong.. and will your gaming console settings fix the Double Nat Type in Xbox One has
here the pics I did .. oh and other guy said run the wizard for openvpn I didn't find no such thing only the wizard to initially setup the network but nothing for openVPN to just click click click and openvpn is setup... maybe you know where to find it
it's for the OpenVPN Client setting
-
@bloodlogic you mentioned there all youtube videos not correct. which I understand
is there a correct video or one with pictures to set it up properly that's verified correctly all the time.. as I mentioned I visual learner so I see things better than reading them...
I do appreciate all the help so far.. some of the stuff confuses me so I have to re read things several times
-
@comet424 said in can not ping access anything behind openvpn:
oh and the video they edited I need a openvpn client interface this is what I did there was no instructions let me know if I did it right?
Because you DO NOT need a vpn interface for road warrior connectivity.. I would say 90% of those videos are done by people that don't understand even the basics.. And many of them are for old versions as well.
https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html
Is really where you should be looking.
-
@comet424 It is perfectly fine to not know things. :) No, you don't need an OpenVPN client setup. Your phone is the client and the pfsense is the server. You can delete that. That being said, the Wizard for OpenVPN is the Wizard tab that you see there next to "Client Specific Overrides" in your screenshot for the OpenVPN menu.
In regards to the ordering of rules, it matters because it works on a first matched only basis. If the global rule that allows that network outbound matches first, it is applied and your custom rule for just that one specific host is not even reached to know to do the static ports.
Your main problem with NAT is likely due to the fact that you have hybrid on and I am not 100% on the ordering there. You should switch to manual outbound for the NAT type to be sure. Make sure you keep all the ones created by the automatic rules but now make sure your rule for your gaming console with static port is above the others.
In regards to the "Gaming Console" entry, you can create aliases under "Firewall > Aliases" where you can group multiple addresses together into one logical entry. That field will take an alias. It shouldn't be needed in your case and the IP for your XBOX will do just fine.
All of that will fix your overall other issues but to fix your VPN issue you need the firewall rule as I mentioned. The firewall rule is why you don't have any access if I had to make an educated guess.
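The first-match ordering described in the reply above, as an added example that is not part of the original thread and is not pfSense's own code. It is a simplified model that matches outbound NAT rules on source address only (real rules also match interface, destination and protocol); the console address 192.168.0.50 and the rule descriptions are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundNatRule:
    description: str
    source: str        # CIDR the rule matches on (assumption: source-only matching)
    static_port: bool  # keep the client's source port when translating


# Constructed sample rules: the LAN and tunnel networks named in the thread,
# the firewall's own loopback, and one console at a made-up host address.
CONSOLE_RULE = OutboundNatRule("Console static port", "192.168.0.50/32", True)
GENERAL_RULES = [
    OutboundNatRule("LAN to WAN", "192.168.0.0/24", False),
    OutboundNatRule("OpenVPN tunnel to WAN", "192.168.100.0/24", False),
    OutboundNatRule("Firewall itself to WAN", "127.0.0.1/32", False),
]


def first_match(rules, src_ip):
    """Return the first rule whose source network contains src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.source):
            return rule
    return None


def shadowed_rules(rules):
    """List (rule, covering rule) descriptions for rules that can never match
    because a rule higher in the list already covers their whole source range."""
    found = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.source)
        for earlier in rules[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier.source)):
                found.append((rule.description, earlier.description))
                break
    return found


if __name__ == "__main__":
    for label, rules in (("console rule last", GENERAL_RULES + [CONSOLE_RULE]),
                         ("console rule first", [CONSOLE_RULE] + GENERAL_RULES)):
        hit = first_match(rules, "192.168.0.50")
        print(f"{label}: matched '{hit.description}', static_port={hit.static_port}")
        for low, high in shadowed_rules(rules):
            print(f"  unreachable: '{low}' is covered by '{high}' above it")
```

With the console rule at the bottom, the console's traffic is translated by the general LAN rule and never gets static port; moving it to the top changes the result without touching any other rule.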
-
@johnpoz ok thanks I'll check it out
ya like 4 months ago I was told I need vpn on the pfsense board because I wanted access to my network servers like my windows home servers and instead of changing each servers remote desktop port.. all I need is openvpn and I need it for security reasons was told I'm an idiot if I don't use vpn
so I tried and I gave up after a while trying to follow several videos then was told by another user why I using pfsense use mikrotik but it costs money in the end this free and seems ok... but I followed the video I posted because it was the same current version of pfsense I using as I found the older videos didn't work.. and then because I posted on the youtube it didn't work I seen now how I mentioned they posted they forgot to add openvpn client.. reason why I just played with it with the pics
I'll check out the link you posted and I'll follow those instructions and see how I get.. I appreciate all your help so far @johnpoz and @bloodlogic @onyxfire
it's a learning process always willing to learn sometimes I just need help cuz I get stumped