Openvpn site to site Problem



  • Both pfSense boxes have a public IP on WAN (bridged fiber modem)
    pfSense box A: server 192.168.1.1
    pfSense box B: client 192.168.2.1
    VPN tunnel 10.0.10.0/24
    Manual outbound NAT is active

    I have a problem that is probably an easy fix, but I can't find how to fix it. I have set up a site-to-site OpenVPN connection (peer to peer) between two physical sites, and it looks to be up and working. I can ping each of the pfSense boxes from site A and B, and I can ping all the PCs/servers on the A net (192.168.1.0/24) from the B net (192.168.2.0/24), but I can't ping any PC/servers on the LAN net (192.168.2.0/24) from site A (192.168.1.0/24), other than the pfSense box on IP 192.168.2.1.

    [screenshot]

    I can ping from site A and B to the internet.

    Firewall rules, site B:

    [screenshot]

    [screenshot]

    The problem, I think, is with pfSense box B, as if I try to ping a PC from pfSense B I get no ping; it looks like pfSense at site B can't see any PC on its LAN network. I can ping pfSense B from 192.168.2.154 but not the other way.

    [screenshot]

    Can it be the outbound NAT that has a problem, so that pfSense at site B can't ping anything on its LAN?

    [screenshot]


  • You don't need to add any manual outbound NAT for OpenVPN!
    Better switch back to automatic.

    -Rico



  • Much like Rico mentioned, if you have access to both pfSense boxes then you don't need NAT for site-to-site connectivity.

    Post the server1.conf from the server-side and the client1.conf from the client-side.



  • Hi, and thanks for the reply.
    The reason for the manual NAT was that at the main site it is needed for getting the right clients and servers over the proper VPNs and VLANs; at the moment you are right that it is not needed for the basic setup that is at the offsite. (Old habit, setting it to manual.)

    Turned back to automatic outbound NAT and restarted the pfSense box, but I still cannot ping clients on the LAN from the pfSense box at site B (192.168.2.1) to any clients at 192.168.2.0/24. It still looks like the pfSense box doesn't see clients on the LAN adapter.

    From site B I can ping other clients and the pfSense box, but not from the box to the LAN, so I guess the problem is here.

    [screenshot]

    [screenshot]

    This is a box that was used earlier as the main firewall and was reset; can there be some old config that has not been properly reset?

    Is a reinstall of the system a good idea? As for me, I can't see why the pfSense box cannot ping any clients on its LAN adapter.

    There are 3 VPN servers and one VPN client on the main pfSense box, but that shall not have any impact on the new offsite pfSense box.



  • For testing I reinstalled pfSense, changed the LAN IP to 192.168.2.1 and connected it to a switch and one PC. And still it cannot ping clients on the LAN network from the pfSense box, but the PC can ping the pfSense box. When pfSense is freshly installed, it should be able to ping clients on the LAN net?
    Can it be a broken network card?



  • Update: I found the problems; now it is all working fine between the sites.

    A (new) Wi-Fi router that did not work properly and gave a lot of packet loss and high ping, plus one of the PCs I tried to ping, which was wired, for some reason blocked ping from the pfSense box but not from other PCs on the LAN. (Turned off the firewall and ping did work, "strange".)

    The second problem was that I was using the same subnet, 192.168.3.0/24, which was already in use at the main site.

    Anyway, thanks for the input.



  • @vidarne77 said in Openvpn site to site Problem:

    The reason for the manual NAT was that at the main site it is needed for getting the right clients and servers over the proper VPNs and VLANs; at the moment you are right that it is not needed for the basic setup that is at the offsite. (Old habit, setting it to manual.)

    Glad it's working. Although just to throw it out there again, if you have access to both firewalls you don't need any NATs for communication. All you need is routing and the firewall rules to allow the traffic. If you needed to add NATs to get traffic flowing, that tells me there are routes missing.

    By NATing, you lose granular auditing functionality, which may or may not be a concern for you. Personally, I always like to know exactly what is connecting to what.

    If you post your configs, we can offer more targeted info.
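    The two things this thread came down to, a route that has to exist on each side for the other side's LAN and a LAN subnet that must not be reused anywhere on the VPN, can both be checked mechanically before the tunnel is brought up. The script below is an added example written for this thread; it is not anything the posters shared (their configs were never posted), and the server1.conf/client1.conf text, the site LANs and the WAN address 203.0.113.10 are constructed samples. It parses the `route` lines pfSense generates from the "IPv4 Remote Networks" field, takes the tunnel subnet from the `server` (SSL/TLS) or `ifconfig` (shared key) directive, and reports any overlapping subnets and any remote LAN that no route covers.

```python
"""Pre-flight check for a site-to-site OpenVPN pair: overlapping subnets
and missing 'route' lines. Added example for this thread; all configs
and addresses below are constructed samples, not the posters' real ones."""
import ipaddress
from itertools import combinations


def parse_openvpn(text):
    """Parse OpenVPN config text into {directive: [[args, ...], ...]}.
    Lines starting with '#' or ';' and blank lines are ignored."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def tunnel_networks(conf):
    """Tunnel address space: the subnet from 'server <net> <mask>' in
    SSL/TLS mode, or the two endpoints from 'ifconfig' in shared-key mode."""
    if "server" in conf:
        net, mask = conf["server"][0][:2]
        return [ipaddress.ip_network(f"{net}/{mask}", strict=False)]
    if "ifconfig" in conf:
        return [ipaddress.ip_network(a) for a in conf["ifconfig"][0][:2]]
    return []


def routed_networks(conf):
    """Networks installed in the routing table by 'route <net> <mask>'
    (pfSense writes one of these per entry in 'IPv4 Remote Networks')."""
    return [ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
            for a in conf.get("route", [])]


def overlapping(networks):
    """Every pair of networks that overlap, i.e. a subnet used twice."""
    return [(a, b) for a, b in combinations(networks, 2) if a.overlaps(b)]


def missing_routes(conf, remote_lans):
    """Remote LANs that no 'route' line in this config covers."""
    routes = routed_networks(conf)
    return [lan for lan in remote_lans
            if not any(lan.subnet_of(r) for r in routes)]


def audit(site_a, site_b):
    """site_x = {"lans": ["<cidr>", ...], "conf": "<openvpn config text>"}.
    Returns overlaps across both LANs plus the tunnel, and the remote LANs
    each side is missing a route for."""
    conf_a, conf_b = parse_openvpn(site_a["conf"]), parse_openvpn(site_b["conf"])
    lans_a = [ipaddress.ip_network(n) for n in site_a["lans"]]
    lans_b = [ipaddress.ip_network(n) for n in site_b["lans"]]
    tunnels = tunnel_networks(conf_a) or tunnel_networks(conf_b)
    return {
        "overlaps": overlapping(lans_a + lans_b + tunnels),
        "a_missing_routes": missing_routes(conf_a, lans_b),
        "b_missing_routes": missing_routes(conf_b, lans_a),
    }


# Constructed sample configs in the shape pfSense generates for a
# peer-to-peer SSL/TLS pair (server at site A, client at site B).
SERVER_CONF = """
# site A server (constructed sample)
dev tun
server 10.0.10.0 255.255.255.0
# reach site B's LAN
route 192.168.2.0 255.255.255.0
"""

CLIENT_CONF = """
# site B client (constructed sample; 203.0.113.10 is a placeholder WAN IP)
dev tun
client
remote 203.0.113.10 1194
# reach the main site's LANs
route 192.168.1.0 255.255.255.0
route 192.168.3.0 255.255.255.0
"""

# Site A has two LANs, 192.168.1.0/24 and 192.168.3.0/24 (as in the thread).
SITE_A = {"lans": ["192.168.1.0/24", "192.168.3.0/24"], "conf": SERVER_CONF}
SITE_B = {"lans": ["192.168.2.0/24"], "conf": CLIENT_CONF}

if __name__ == "__main__":
    print("good pair:", audit(SITE_A, SITE_B))
    # The thread's second fault: site B reusing a subnet already at site A.
    print("reused subnet:", audit(SITE_A, {"lans": ["192.168.3.0/24"], "conf": CLIENT_CONF}))
```

    With the working pair the audit comes back empty on all three counts; with site B on 192.168.3.0/24 it flags the overlap with site A's existing LAN and that the server has no route for it. One caveat the script does not model: in SSL/TLS mode with a /24 tunnel network the server also needs an `iroute` for the client's LAN (in pfSense, a Client Specific Override with the remote network filled in), because the kernel route alone only gets the packet to the tun interface, not to the right client.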

