Netgate Discussion Forum
    Clients in OPT1 network not reachable through tunnel

      OM606

      Hi

      I have two pfSense boxes which are connected through an IPsec VPN.

      (192.168.30.0/24-LAN----Site-A)---------------(IPSec VPN)---------------(Site-B----OPT1-10.10.10.0/24)

      On site-A everything works fine. This means if I send a ping from site-B to site-A I can reach every client which is in the LAN of site-A through the IPsec tunnel.

      But the clients which are on site-B in the OPT1 network cannot be reached by ping from any LAN client on site-A. However, the OPT1 interface IP can be reached by ping from the LAN of site-A.

      Could it be a routing problem, so that site-B does not know on which interface to send out packets for the OPT1 network?
      The firewall is open (any-any-any) on all involved interfaces.

      Strangely, when I configured the VPN with OpenVPN instead of IPsec (which I did first) I had exactly the same problem.

      How can I analyze this problem?

      Regards and thanks,
      Markus

        Konstanti @OM606

        @om606
        Hey
        First of all, I would check the rules on the LAN interface of Site A.
        Are there any floating rules on the pfSense at Site A?
        I would check it like this:
        You start a ping 192.168.30.0/24 --> 10.10.10.0/24 (not the OPT1 IP of Site B).
        1. Site A (Diagnostics / Packet Capture)
        Interface: WAN
        Address Family: IPv4
        Protocol: ESP
        Host: IP address of the other side of the tunnel

        Show me what happens at that moment.

        Ideally, you should see the IP packet exchange with the other side of the tunnel.
        For example:
        [attached screenshot: packet capture output]

        Now I am interested in whether IP packets leave towards Site B.

          Derelict LAYER 8 Netgate

          If you can ping the far-side pfSense interface address but not the hosts behind it, it is almost always a firewall on the target host itself (think Windows Firewall).

          That, or their default gateway is not the pfSense firewall. Since traffic works the other way, that pretty much rules that out.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

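The two replies above amount to a triage procedure: Konstanti's packet capture on the Site-A WAN tells you whether ESP is flowing in both directions, and Derelict's point is that if the interface address answers but the hosts behind it do not, the fault is usually on the host (local firewall or wrong default gateway). The script below is an added example that is not from the thread or from pfSense itself; it turns that reasoning into a checker over `tcpdump -n` output. The interface names (em0 for WAN, em2 for OPT1), the tunnel peer addresses (198.51.100.1 and 203.0.113.2) and the capture lines are all assumed and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the forum thread: triage the "interface IP pings but
# hosts behind it don't" symptom from tcpdump output on the two pfSense boxes.
#
# On the real boxes you would capture (interface names are assumptions):
#   Site A:  tcpdump -ni em0 esp and host 203.0.113.2       # WAN: ESP both ways?
#   Site B:  tcpdump -ni em2 icmp and net 10.10.10.0/24     # OPT1: requests out, replies back?
# and feed each capture to the matching function below.

# Constructed sample captures in tcpdump -n style (not real data).
SAMPLE_ESP_BOTH='12:00:01.000000 IP 198.51.100.1 > 203.0.113.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:01.000400 IP 203.0.113.2 > 198.51.100.1: ESP(spi=0x4e5f6a7b,seq=0x1), length 132'

SAMPLE_ESP_OUT_ONLY='12:00:01.000000 IP 198.51.100.1 > 203.0.113.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:02.000000 IP 198.51.100.1 > 203.0.113.2: ESP(spi=0x0a1b2c3d,seq=0x2), length 132'

SAMPLE_OPT1_NO_REPLY='12:00:01.000000 IP 192.168.30.10 > 10.10.10.50: ICMP echo request, id 1, seq 1, length 64
12:00:02.000000 IP 192.168.30.10 > 10.10.10.50: ICMP echo request, id 1, seq 2, length 64'

SAMPLE_OPT1_OK='12:00:01.000000 IP 192.168.30.10 > 10.10.10.50: ICMP echo request, id 1, seq 1, length 64
12:00:01.000500 IP 10.10.10.50 > 192.168.30.10: ICMP echo reply, id 1, seq 1, length 64'

# classify_wan_esp PEER: read the Site-A WAN capture on stdin and report whether
# ESP packets were seen towards PEER, from PEER, or both.
classify_wan_esp() {
    peer="$1"
    awk -v peer="$peer" '
        /ESP/ && index($0, "> " peer ":") > 0  { outb++ }
        /ESP/ && index($0, "IP " peer " >") > 0 { inb++ }
        END {
            if (outb == 0)     print "NO_ESP_OUT"      # nothing leaves encrypted
            else if (inb == 0) print "ESP_OUT_ONLY"    # nothing comes back
            else               print "ESP_BOTH_WAYS"
        }'
}

# classify_opt1_capture: read the Site-B OPT1 capture on stdin and report whether
# echo requests reach OPT1 and whether the target host answers them.
classify_opt1_capture() {
    awk '
        /ICMP echo request/ { req++ }
        /ICMP echo reply/   { rep++ }
        END {
            if (req == 0)      print "NO_REQUESTS_ON_OPT1"   # decrypted traffic never exits OPT1
            else if (rep == 0) print "REQUESTS_NO_REPLIES"   # host sees it, does not answer
            else               print "REPLIES_SEEN"          # L3 path works
        }'
}

# diagnose WAN_VERDICT OPT1_VERDICT: map the pair of verdicts to the likely cause,
# following the reasoning in the two replies.
diagnose() {
    case "$1/$2" in
        NO_ESP_OUT/*)          echo "Site A never encrypts the traffic: check the Site-A phase 2 selector and the LAN/floating rules there" ;;
        ESP_OUT_ONLY/*)        echo "Nothing comes back from Site B: check the Site-B phase 2 selector for 10.10.10.0/24" ;;
        */NO_REQUESTS_ON_OPT1) echo "ESP flows but decrypted packets never exit OPT1: check the Site-B phase 2 for 10.10.10.0/24 and the rules on the IPsec tab" ;;
        */REQUESTS_NO_REPLIES) echo "Packets reach OPT1 but the host does not answer: host firewall, or the host default gateway is not the pfSense" ;;
        */REPLIES_SEEN)        echo "Replies return on OPT1: the path works at layer 3, look further along the return path" ;;
        *)                     echo "unknown verdict pair: $1/$2" ;;
    esac
}

# Stand-alone run against the constructed captures for the thread's scenario:
# tunnel up in both directions, requests leave OPT1, host stays silent.
wan=$(printf '%s\n' "$SAMPLE_ESP_BOTH" | classify_wan_esp 203.0.113.2)
opt1=$(printf '%s\n' "$SAMPLE_OPT1_NO_REPLY" | classify_opt1_capture)
echo "WAN: $wan  OPT1: $opt1"
diagnose "$wan" "$opt1"
```

Run it on the OPT1 capture of the Site-B box while a Site-A LAN host pings a 10.10.10.0/24 address; a verdict of REQUESTS_NO_REPLIES with ESP flowing both ways is exactly the host-firewall or wrong-gateway case Derelict describes, while NO_REQUESTS_ON_OPT1 points back at the IPsec configuration rather than at the hosts.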
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.