OpenVPN between pfSense and Ubiquiti EdgeRouter X
I'm trying to connect an Ubiquiti Edge Router X to my pfSense. I want to use OpenVPN. Here is my configuration:
Local network: 192.168.10.0/24
dev tun persist-tun persist-key cipher AES-256-CBC auth SHA512 client resolv-retry infinite remote XXX.XXX.XXX.XXX 1194 udp lport 0 verify-x509-name "C=XX, ST=XX, L=XXXXXXXX, O= XXXXXXXX, emailAddressfirstname.lastname@example.org, CN=XXXXXX" subject remote-cert-tls server comp-lzo adaptive pkcs12 /config/openvpn/XXXXXXXXXXXXXXXXXX.p12
The tunnel is online. I can ping from the Ubiquiti EdgeRouter network the pfSense ip address.
What doesn't work, is the way back. How can I connect from the pfSense network (192.168.10.0/24) to the EdgeRouter network (192.168.20.0/24).
I am grateful for any help!
Have you modified the default LAN "allow any" rule? If so, please include screen shots of the firewall configuration.
If not, its possible the issue is on the ubiquiti side. You can confirm by performing a packet capture on the OVPN interface on pfsense and looking for outbound ICMP packets to your ubiquiti network.
Edit: you've entered a static route for this network on PFSense side, correct?
No, I didn't change the LAN "allow any" rule.
Here is the output from the packet capture:
09:56:43.328526 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 0, length 64 09:56:44.395256 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 1, length 64 09:56:45.435837 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 2, length 64
I put this line in my pfSense VPN Server configuration:
route 192.168.20.0 255.255.255.0;
Any suggestions? Or is the problem on Ubiquiti side?
Issue is on the Ubiquiti side, and could be a missing route or a firewall rule / ACL missing.
Ping from Ubiquiti -> PFsense works
Ping from PFS -> Ubiquiti does not show return traffic.
Can you ping anything behind the ubiquiti?
No I also cannot ping something behind the Ubiquiti. It's the same here:
10:56:42.316339 IP 10.10.10.1 > 192.168.20.38: ICMP echo request, id 33924, seq 0, length 64 10:56:43.348849 IP 10.10.10.1 > 192.168.20.38: ICMP echo request, id 33924, seq 1, length 64 10:56:44.366996 IP 10.10.10.1 > 192.168.20.38: ICMP echo request, id 33924, seq 2, length 64
So you think it's the firewall of the Ubiquiti? Are you familiar with firewall rules on the EdgeRouter? I don't know which rule is needed.
the Ubiquiti? Are you familiar with firewall rules on the EdgeRouter? I don't know which rule is needed.
I'm not familiar with how to set firewall rules on an ubiquiti edge router.
The rule youre going to need though is to allow the pfsense lan subnet to talk to the ubiquiti subnet. I'd also ensure NAT is NOT enabled for either side, so you can see the subnet IP's. This isnt a need as much as its a nice to have in case you ever need to figure out which specific client on one of those is misbehaving.