Openvpn no access to opt1
-
Hi all,
I have a question regarding openvpn and access to opt1.
Installed is PFSense 1.2.2 with
WAN (Dyn IP)
LAN (192.168.10.0/24)
OPT1 (192.168.11.0/24).
I have configured OpenVPN for road warriors with address pool 10.0.8.0/24 and for the local network 192.168.0.0/16. I took the B class network! The VPN with PKI works fine, but only for the LAN network. I'm not able to access the OPT1 network.
If I try the tracert command I see the following:
tracert 192.168.10.1 (LAN pfSense): there are no hops
tracert 192.168.11.1 (OPT1 pfSense): the same result, but if I run tracert 192.168.11.2 (OPT1 print server) I see the packets go to 10.10.8.1 and this is the end of my packet.
What could be going wrong here? Does anybody have an idea?
-
Instead of supernetting, have you tried pushing a specific route? Not sure if that would make a difference, but it may be worth a try.
Change your LAN subnet back to 192.168.10.0/24, and then try adding this to the custom options on the server config.
push "route 192.168.11.0 255.255.255.0";
I'm accessing three different subnets that way across my OpenVPN PKI setup and it works great.
If that doesn't help, then the problem is likely not an OpenVPN issue, but a more general networking issue (firewall rules on a PC, gateway issue, perhaps NAT, etc).
-
Thanks for your answer.
I tried it but I still have the same problem.
I disabled my Windows firewall - nothing happens.
Can I set a gateway in the OpenVPN server?
-
The gateway would be set on the client PCs on either end.
If your pfSense box that is doing the VPN is the router for both sides (default gw for all) then the gateway should be a non-issue.
Can you confirm with tcpdump that the ping is even getting to the pfSense box when you try to ping the opt1 net from the VPN client?
-
If I capture the OPT1 interface I get these frames:
18:55:37.800871 IP 10.0.8.6.1283 > 192.168.11.2.80: tcp 0
18:55:40.936246 IP 10.0.8.6.1283 > 192.168.11.2.80: tcp 0
18:55:46.998528 IP 10.0.8.6.1283 > 192.168.11.2.80: tcp 0
So the HTTP request comes to the OPT1 interface, but how could I define rules for this traffic?
On which interface (LAN, WAN, OPT1) do I have to configure this rule?
-
Still one additional thing.
I have configured Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)), otherwise the OPT1 users (wireless) didn't get access to the WAN. Since then I haven't been able to ping OPT1 from the LAN, but if I make an HTTP request it works from LAN > OPT1.
The OVPN server is installed only on the pfSense. On the client there is an OpenVPN client from Mathias Sundman installed.
-
If I do a ping on the IP, I get this result:
19:09:46.992455 IP 192.168.11.2.1900 > 239.255.255.250.1900: UDP, length 288
19:09:46.993236 IP 192.168.11.2.1900 > 239.255.255.250.1900: UDP, length 318
19:09:46.994153 arp who-has 10.0.8.6 (05:17:22:60:00:18) tell 192.168.11.2
19:09:52.818678 IP 10.0.8.6 > 192.168.11.2: ICMP echo request, id 512, seq 55296, length 40
19:09:57.948735 IP 10.0.8.6 > 192.168.11.2: ICMP echo request, id 512, seq 55552, length 40
19:09:57.949195 arp who-has 10.0.8.6 (05:17:22:60:00:18) tell 192.168.11.2
Hey, what does 239.255.255.250 mean? It is not one of my IP addresses.
-
That 239.255.255.250.1900 entry is a UPnP broadcast/multicast, nothing to worry about really.
It sounds like there may be an issue with how you have configured manual NAT. Can you post a screenshot of what your Outbound NAT rules tab looks like?
-
We can close this issue.
Jimp, you are right. The reason the IP address 192.168.11.2 didn't respond to my requests was the gateway.
I tried another IP and I could see everything is working.
The push command brought the solution - THANKS!!!
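-
Added example, not part of the original thread or of pfSense/OpenVPN: a small Python check that reads the OPT1 capture posted above and flags the pattern that pointed at the gateway, namely unanswered echo requests plus a local host ARPing for the off-subnet VPN address. The function name diagnose and the finding texts are made up for this illustration, and the parser only handles the older tcpdump text format shown in the thread.

```python
import ipaddress
import re

# Lines copied from the OPT1 capture posted in the thread (tcpdump text output).
CAPTURE = """\
19:09:46.992455 IP 192.168.11.2.1900 > 239.255.255.250.1900: UDP, length 288
19:09:46.994153 arp who-has 10.0.8.6 (05:17:22:60:00:18) tell 192.168.11.2
19:09:52.818678 IP 10.0.8.6 > 192.168.11.2: ICMP echo request, id 512, seq 55296, length 40
19:09:57.948735 IP 10.0.8.6 > 192.168.11.2: ICMP echo request, id 512, seq 55552, length 40
19:09:57.949195 arp who-has 10.0.8.6 (05:17:22:60:00:18) tell 192.168.11.2
"""

ARP_RE = re.compile(r"arp who-has (\S+) .*tell (\S+)")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")

def diagnose(capture, local_net):
    """Return findings for pings seen on an interface whose subnet is local_net."""
    net = ipaddress.ip_network(local_net)
    pending = {}         # (src, dst) -> echo requests still waiting for a reply
    offlink_arp = set()  # (asker, target): local host ARPing for a remote address
    for line in capture.splitlines():
        m = ARP_RE.search(line)
        if m:
            target, asker = (ipaddress.ip_address(a) for a in m.groups())
            if asker in net and target not in net:
                offlink_arp.add((str(asker), str(target)))
            continue
        m = ICMP_RE.search(line)
        if m:
            src, dst, kind = m.groups()
            if kind == "request":
                pending[(src, dst)] = pending.get((src, dst), 0) + 1
            elif pending.get((dst, src), 0) > 0:
                pending[(dst, src)] -= 1  # a reply answers one request
    findings = []
    for (src, dst), count in pending.items():
        if count == 0:
            continue
        if (dst, src) in offlink_arp:
            # The host treats the VPN address as on-link instead of using a router.
            findings.append(f"{dst} ARPs for off-subnet {src}: check its gateway/netmask")
        else:
            findings.append(f"{count} unanswered ping(s) {src} -> {dst}: check firewall rules")
    return findings

if __name__ == "__main__":
    for finding in diagnose(CAPTURE, "192.168.11.0/24"):
        print(finding)
```

Run against the thread's capture with the OPT1 subnet 192.168.11.0/24, it reports the gateway/netmask finding for 192.168.11.2 rather than a firewall finding.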