I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network



  • Hi there.

    I'm trying to access a switch that is connected to LAN2, but I cannot reach it. I can see devices in LAN, and ping works both ways (my device <=> device in LAN). I can see the pfSense LAN IPs: ping my device <=> pfSense LAN | ping my device <=> pfSense LAN2. The only thing that doesn't work is pinging my device <=> switch in LAN2.

    How is this possible?

    This is my OpenVPN server configuration in pfSense:

    Interface: Localhost
    Port: 1194
    IPv4 Remote network: 110.50.85.0/24
    IPv4 Local Network: 192.168.0.0/24,10.0.0.0/24

    NAT configuration:

    Interface: WAN1
    Port: 1194
    Source: any
    Destination: WAN1
    Redirection: Localhost

    Interface: WAN2
    Port: 1194
    Source: any
    Destination: WAN2
    Redirection: Localhost

    Firewall rules for OpenVPN, LAN network and LAN2 network:

    <Default pass "everything" rule>

    Firewall rules for WAN1/WAN2:

    Pass from any source to localhost in port 1194

    What I can do when I connect my computer through OpenVPN client to pfSense OpenVPN Server:

    MD = My Device/My computer

    • I can ping from MD to pfSense LAN IP (192.168.0.1)
    • I can ping from MD to device in LAN (192.168.0.123)
    • I can ping from MD to pfSense LAN2 IP (10.0.0.1)
    • I can ping from pfSense LAN IP to MD (110.50.85.2)
    • I can ping from pfSense LAN2 IP to MD (110.50.85.2)
    • I can ping from device in LAN to MD (110.50.85.2)
    • I can ping from pfSense LAN2 IP to Switch (10.0.0.90)

    What I CANNOT do:

    • I cannot ping from MD to Switch in LAN2 (10.0.0.90)

    I've been testing with packet capture and I can see that my device tries to ping the switch IP, so packets are being sent and registered in the system. I cannot see any logs in System Logs > Firewall about blocking, passing or rejecting anything from my device IP to the switch IP.

    The problem here is that I cannot ping from switch to test if it can see my device.

    Any suggestion?

    Br,
    D.



  • Has the switch a gateway option?
    Is the gateway set to pfSense LAN2 address?
    Does the switch respond to pings from LAN?



  • @viragomann

    Has the switch a gateway option?

    I think it has, but it is not configured.

    Is the gateway set to pfSense LAN2 address?

    I tried setting the gateway to the pfSense LAN2 address, but it doesn't work and it seems "useless" to me, since the LAN address does not have a gateway and it works as expected. Even so, I have a similar configuration at another customer and have no problem accessing both networks with the same configuration as here.

    Does the switch respond to pings from LAN?

    From a device with a LAN IP, it does not answer. If I set up a device with a fixed IP, it does.

    Devices in LAN (e.g. 192.168.0.123) are connected to the switch, so if I manually add a secondary IP (e.g. 10.0.0.123), the switch responds to ping.

    The LAN in pfSense is connected to the switch to offer DHCP, but I set up a secondary network (LAN2) and connected it to the switch to allow connections from OpenVPN to that switch using the "IPv4 Local Network" option.

    Maybe a bad config setup? Is there a way I can access IP 10.0.0.X from within LAN using OpenVPN instead of using the configured LAN2?



  • @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    I think it has, but it is not configured.

    Without a gateway any device can only communicate with other devices in its local subnet. The gateway tells it how to get out of its subnet, so the switch must have a gateway in order to be able to reply.



  • @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    I tried setting the gateway to the pfSense LAN2 address, but it doesn't work and it seems "useless" to me, since the LAN address

    He is asking whether you have set the switch's gateway to the LAN2 interface IP address. The gateway option in pfSense for LAN2 doesn't apply here.



  • @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    Maybe a bad config setup? Is there a way I can access IP 10.0.0.X from within LAN using OpenVPN instead of using the configured LAN2?

    No. But pfSense offers a better solution:
    Go to Firewall > NAT > outbound. If it is working in automatic mode, switch to hybrid mode and save it.
    Then add a rule:
    interface: LAN2
    source: any
    destination: 10.0.0.90 (IP of the non responding device)
    translation address: interface address

    That rule translates the source address in packets destined to the <destination> to the pfSense LAN2 address. So for the destination device, requests seem to come from its own subnet, and it will send responses back to pfSense, where the destination address in the packets gets translated back to the original source address.

    This way the switch should be accessible from the vpn client.
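    An added illustration (my own code, not part of this thread or of pfSense) of why the reply fails without a gateway and why the outbound NAT rule above fixes it: a tiny model of the switch's return path using Python's ipaddress module. The addresses are the ones from this thread; the switch's neighbour set and the final /8 scenario (the mask-overlap question raised later in the thread, here applied on the switch side) are constructed assumptions.

    ```python
    import ipaddress
    from dataclasses import dataclass
    from typing import Optional, Set

    IPv4 = ipaddress.IPv4Address

    @dataclass
    class Host:
        """Minimal IPv4 host: one interface, an optional default gateway, and the
        neighbours that really answer ARP on its segment (constructed for this example)."""
        iface: ipaddress.IPv4Interface
        neighbours: Set[IPv4]
        gateway: Optional[IPv4] = None

        def can_send_to(self, dst: IPv4) -> bool:
            """True if the host can put a packet for dst on the wire."""
            if dst in self.iface.network:            # on-link by its own mask: ARP for dst directly
                return dst in self.neighbours         # ARP only succeeds if dst is really on the segment
            return self.gateway is not None and self.gateway in self.neighbours  # otherwise via gateway

    def outbound_nat(src: IPv4, dst: IPv4, rule: Optional[tuple]) -> IPv4:
        """pfSense-style outbound NAT: rewrite src when dst is inside the rule's destination network."""
        if rule is None:
            return src
        dst_net, translate_to = rule
        return translate_to if dst in dst_net else src

    def reply_reaches_client(switch: Host, client: IPv4, rule=None) -> bool:
        """Does the switch's echo reply for a ping from client get back? The request always
        arrives (pfSense routes it); only the return path can fail, so only that is modelled."""
        seen_src = outbound_nat(client, switch.iface.ip, rule)
        return switch.can_send_to(seen_src)           # pfSense un-NATs seen_src back to the client

    # Values from the thread: LAN2 10.0.0.1/24, switch 10.0.0.90, VPN client 110.50.85.2
    LAN2_IP = IPv4("10.0.0.1")
    CLIENT = IPv4("110.50.85.2")
    ON_LAN2 = {LAN2_IP, IPv4("10.0.0.123")}           # constructed: pfSense LAN2 plus a dual-homed LAN device
    NAT_RULE = (ipaddress.ip_network("10.0.0.0/24"), LAN2_IP)   # the outbound NAT rule from the post

    def scenarios() -> dict:
        no_gw = Host(ipaddress.IPv4Interface("10.0.0.90/24"), ON_LAN2)
        with_gw = Host(ipaddress.IPv4Interface("10.0.0.90/24"), ON_LAN2, gateway=LAN2_IP)
        # Assumed overlap case: a /8 mask makes the 10.20.30.0/24 tunnel look on-link, so the gateway is never used
        wide_mask = Host(ipaddress.IPv4Interface("10.0.0.90/8"), ON_LAN2, gateway=LAN2_IP)
        return {
            "no gateway, no NAT": reply_reaches_client(no_gw, CLIENT),            # the symptom in the thread
            "no gateway, outbound NAT": reply_reaches_client(no_gw, CLIENT, NAT_RULE),
            "gateway set, no NAT": reply_reaches_client(with_gw, CLIENT),
            "/8 mask vs 10.20.30.0/24 tunnel": reply_reaches_client(wide_mask, IPv4("10.20.30.2")),
        }

    if __name__ == "__main__":
        for name, ok in scenarios().items():
            print(f"{name:34s} reply returns: {ok}")
    ```
    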



  • @viragomann said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    No. But pfSense offers a better solution:
    Go to Firewall > NAT > outbound. If it is working in automatic mode, switch to hybrid mode and save it.
    Then add a rule:
    interface: LAN2
    source: any
    destination: 10.0.0.90 (IP of the non responding device)
    translation address: interface address

    That rule translates the source address in packets destined to the <destination> to the pfSense LAN2 address. So for the destination device, requests seem to come from its own subnet, and it will send responses back to pfSense, where the destination address in the packets gets translated back to the original source address.

    This way the switch should be accessible from the vpn client.

    Works like a charm!! Thank you so much!! :D

    Btw, let me just point out that for destination you can only set up the destination network and not the destination IP, so the destination config must be:

    destination: 10.0.0.0/24

    Just in case someone finds this helpful.

    A side note, just to be sure. I have both LANs (LAN = 192.168.0.1 and LAN2 = 10.0.0.1) connected to the switch (10.0.0.90). Is there a way to access the switch using "interface: LAN" instead of "interface: LAN2" and keep it accessible from OpenVPN? The idea of having 2 ethernet cables connected to the switch sounds weird to me.


    @conor said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    I think it has, but it is not configured.

    Without a gateway any device can only communicate with other devices in its local subnet. The gateway tells it how to get out of its subnet, so the switch must have a gateway in order to be able to reply.

    Probably you are right, I never tested pinging devices without gateway (test for the future of learning myself :P).

    @conor said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    I tried setting the gateway to the pfSense LAN2 address, but it doesn't work and it seems "useless" to me, since the LAN address

    He is asking whether you have set the switch's gateway to the LAN2 interface IP address. The gateway option in pfSense for LAN2 doesn't apply here.

    Ah, okay. I did not understand it. Well, we did not set the gateway just to be cautious with possible automatic firmware updates or external unhandled connections, but the way @viragomann mentioned works perfectly and we don't need to set the LAN2 address as the switch gateway.



  • @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    A side note, just to be sure. I have both LANs (LAN = 192.168.0.1 and LAN2 = 10.0.0.1) connected to the switch (10.0.0.90). Is there a way to access the switch using "interface: LAN" instead of "interface: LAN2" and keep it accessible from OpenVPN? The idea of having 2 ethernet cables connected to the switch sounds weird to me.

    Yes, but from a troubleshooting point of view it might not be worth it.
    Back up your config.
    Delete the LAN2 interface and the outbound NAT rule.
    Go to Firewall > Virtual IPs and add 10.0.0.1 as an IP alias on the LAN interface.
    Go to Firewall > NAT > Outbound NAT, and add a rule to NAT using the new IP alias for devices in the 10.0.0.0/24 subnet.
    Go to Firewall > Rules -- you will need to add a rule here for the 10.0.0.0/24 subnet on the LAN interface.
    Similar to above, just using a virtual IP rather than an interface's IP address.

    Personally, if you can spare the port, use a separate port; the next person in to support it after you will probably understand how it's set up quicker than with virtual IPs. But that's totally your call.



  • @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    way @viragomann mentioned works perfectly and we don't need to set the LAN2 address as the switch gateway.

    Just to elaborate on this approach. Yes it will work so long as you are connecting to it. You would need to set a gateway if at some point you wanted the switch to send port down emails or other information that would be leaving the local subnet.



  • @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    Btw, let me just point out that for destination you can only set up the destination network and not the destination IP, so the destination config must be:
    destination: 10.0.0.0/24

    You may set the mask to /32 as well, so the rule is applied to one IP only.
    E.g. 10.0.0.90/32

    @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    A side note, just to be sure. I have both LANs (LAN = 192.168.0.1 and LAN2 = 10.0.0.1) connected to the switch (10.0.0.90). Is there a way to access the switch using "interface: LAN" instead of "interface: LAN2" and keep it accessible from OpenVPN?

    If you haven't separated the switch ports by VLAN configuration, it should also be accessible from the LAN IP.
    But why do you want to do that?

    Having two different networks on a single switch without VLANs, or on only one interface, is not very safe anyhow.

    @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    Well, we did not set the gateway just to be cautious with possible automatic firmware updates or external unhandled connections, but the way @viragomann mentioned works perfectly and we don't need to set the LAN2 address as the switch gateway.

    It's recommended and safer to control access to or from devices by firewall rules instead of NAT.



  • @viragomann said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    A side note, just to be sure. I have both LANs (LAN = 192.168.0.1 and LAN2 = 10.0.0.1) connected to the switch (10.0.0.90). Is there a way to access the switch using "interface: LAN" instead of "interface: LAN2" and keep it accessible from OpenVPN?

    If you haven't separated the switch ports by VLAN configuration, it should also be accessible from the LAN IP.
    But why do you want to do that?

    Having two different networks on a single switch without VLANs, or on only one interface, is not very safe anyhow.

    This is more complicated. In fact, I'm only managing pfSense remotely (our company installed and configured it), but they have a "responsible person" to manage the daily tasks on the switches and pfSense. Another member of the company has installed the switches and configured them. I cannot change the VLAN configuration to secure it better. The responsible person is connected to those switches, like any other device in the network, and has a static IP address of 10.0.0.X/24 in addition to the LAN IP address 192.168.0.X/24 to access the switches when required (mostly to reset blocked switches). I know it is not safe at all, but I'm just here to configure the pfSense; I will leave the rest to the responsible people 😓 😓

    An aside question: will it conflict if I have the LAN2 address 10.0.0.1 with a netmask of 255.0.0.0 and my OpenVPN private network at 10.20.30.X/24?



  • @Daglimioux said in I cannot ping to device in secondary network using pfSense OpenVPN server, but I can in primary network:

    will it conflict if I have the LAN2 address 10.0.0.1 with a netmask of 255.0.0.0 and my OpenVPN private network at 10.20.30.X/24?

    That is to be assumed. That way the OpenVPN network is part of the LAN2 network, so no routing will be possible between these networks.

