VPN Interface can't ping LAN interface hosts



  • So I am trying to gain access to a host that is connected on the LAN from my openvpn interface, but the vpn client, when connected, cannot ping the lan host (10.9.0.2) but can ping the gateway of 10.10.0.1. The pfsense can ping the lan host 10.9.0.2 directly through the pfsense shell. I thought about adding a bridge between the two interfaces (didn't work) and it was not recommended after further research. Then I pushed out a route push "route 10.9.0.1 255.255.0.0" on the vpn server but that didn't work either. Looked at the firewall rules, and I enabled all to go through the vpn interface. It might be a firewall rule on the LAN side? But not sure what type of rule I would need to allow from one interface to another? Any help is greatly appreciated.

    Pfsense Model - 2.4.4

    interfaces:
    LAN Interface - 10.9.0.1/16
    -Host is 10.9.0.2
    -Gateway 10.9.0.1
    VPN interface - 10.10.0.1/16
    -Host 10.10.0.8
    -Gateway 10.10.0.1

    Update
    Added a firewall rule on both interfaces to allow the vpn to LAN addresses. - Still not working.



  • @w0lverine said in VPN Interface can't ping LAN interface hosts:

    Than I pushed out a route push "route 10.9.0.1 255.255.0.0" on the vpn server but that didn't work either.

    Instead of that use the "Local Network/s" box. Type in

    10.9.0.0/16
    

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    It might be a firewall rule on the LAN side?

    No.
    You have to set a rule to the OpenVPN interface to allow access from VPN clients.

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    VPN interface - 10.10.0.1\16

    So you're awaiting more than 250 VPN user on that server?

    For testing use Diagnostics > Ping. Try a ping to your LAN host with default source and then change the source to OpenVPN.
    What are you getting?

    If you don't get a response from OpenVPN ensure that your host doesn't block access from IPs outside of its subnet.



  • @viragomann Thanks for the help.
    First I can now ping the 10.9.0.1 gateway but still can not ping the 10.9.0.2 host

    1. I added a route to the openvpn server push "route 10.9.0.0/16"

    2. I have added a new rule in the vpn interface but no luck.

    3. Good catch, I'll change that once I resolve this issue. And I used the ping in pfsense and can ping 10.9.0.2.

    See attached screenshots of each of the interface firewall rules.
    opt1vpn interface.png Openvpn interface.png LAN interface.png



  • @w0lverine said in VPN Interface can't ping LAN interface hosts:

    And I used the ping in pfsense and can ping 10.9.0.2

    I asked to try the ping in two ways to investigate the issue. One time with default and second with OpenVPN server as source. Are the pings successful in both methods?



  • @viragomann Pinging my host from the LAN side pings the gateways but not my host... So there is my issue. The lan can't ping my host hence the host can't ping the LAN.... So why can't it...mmm. Looking more into it.



  • Okay, I am stuck. Not sure what is going on. Maybe its on the hosts side?



  • Maybe the host blocks access from outside its own subnet. That is the default behaviour of system firewalls.
    I already told you a way to investigate that.


  • what i can see from your VPNOPT1 screenshot is that states is 0/0
    no traffic is going there
    i suspect a routing problem even if your rules are a mess :)
    try a traceroute and/or use packet capture to see what's happening



  • @kiokoman said in VPN Interface can't ping LAN interface hosts:

    what i can see from your VPNOPT1 screenshot is that states is 0/0
    no traffic is going there

    The traffic does match the rule on the OpenVPN interface, since there is a rule defined allowing any. So the rules on the VPNOPT1 tab aren't applied.
    See: Rule processing order in the docs.


  • i'm pretty sure that i know how rules are processed, but
    he didn't clarify or i'm not understanding what interface he is using
    i will leave this to you then



  • @w0lverine, I am having exactly the same problem; although there are some differences in my topology, the incident is the same.

    I suspect it may be a bug in pfSense version 2.4.4p3. I say this because I have another client with a pfSense 2.4.4p2 and 2 Site-To-Site branch offices working OK.

    I hope we reach a solution soon; I have been searching and testing for 3 days with no result. I will report any progress; here is the link to my post.

    VPN SiteToSite con OpenVPN, problema para conectar a LAN detrás del túnel (Site-to-Site VPN with OpenVPN, problem connecting to the LAN behind the tunnel)



  • @kiokoman
    "OpenVPN" is an interface group containing all OpenVPN instances running there, no matter if an instance has an interface assigned or not. So rules on this tab are processed first. Therefore you should delete all rules on the OpenVPN tab if you assign an interface to an OpenVPN instance and add rules to it, or restrict the OpenVPN rules' source (if you're running multiple VPN instances) so that they're not applied to connections which you want to control on the specific VPN interface.
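To make the rule-order point above concrete, here is a small first-match simulator. It is an added example written for this thread, not pfSense code and not anything the posters ran; the tab order (OpenVPN group tab before the assigned VPNOPT1 tab) and the rule contents are constructed to mirror the thread's description, and the addresses are the ones from the first post. It shows why the VPNOPT1 rules stay at 0/0 states while an allow-any rule sits on the OpenVPN tab, and how restricting that group rule's source (the second remedy suggested above) lets traffic fall through to VPNOPT1.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    tab: str          # firewall tab the rule lives on
    action: str       # "pass" or "block"
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    states: int = 0   # how often this rule matched, like the States column in the GUI


def _matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


# Assumption mirroring the thread: the OpenVPN interface-group tab is evaluated
# before the assigned interface tab (VPNOPT1), and the first matching rule wins.
TAB_ORDER = ("OpenVPN", "VPNOPT1")


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation; returns (action, tab) or ("block", None) for the default deny."""
    for tab in TAB_ORDER:
        for rule in rules:
            if rule.tab == tab and _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
                rule.states += 1
                return rule.action, rule.tab
    return "block", None


def states_per_tab(rules):
    return {tab: sum(r.states for r in rules if r.tab == tab) for tab in TAB_ORDER}


def scenario(group_rule_src):
    """group_rule_src: None = no rule on the OpenVPN tab, "any" = the allow-any
    rule from the thread, or a CIDR that restricts the group rule to another instance
    (10.20.0.0/24 below is a constructed second tunnel network)."""
    rules = []
    if group_rule_src is not None:
        rules.append(Rule("OpenVPN", "pass", group_rule_src, "any"))
    # The rule the poster added on the assigned interface tab: VPN clients -> LAN.
    rules.append(Rule("VPNOPT1", "pass", "10.10.0.0/16", "10.9.0.0/16"))
    verdict = evaluate(rules, "10.10.0.8", "10.9.0.2")   # client -> LAN host from the thread
    return verdict, states_per_tab(rules)


if __name__ == "__main__":
    for src in ("any", "10.20.0.0/24", None):
        print(f"OpenVPN tab rule source={src!r}: {scenario(src)}")
```

With the allow-any group rule the verdict is "pass" from the OpenVPN tab and VPNOPT1 never counts a state, which is exactly the 0/0 kiokoman noticed in the screenshot; the traffic is allowed either way, so this explains the empty counters but not the failed ping.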



  • @viragomann That is exactly what is happening. But how do I fix that? I thought about adding a rule from the openvpn interface and vpnopt1 to allow traffic to flow from one interface to the LAN and back. But as @kiokoman pointed out, I am not even getting traffic to hit those rules. So I am guessing my firewall rules are wrong?

    Update:
    Reviewing my rules - I need to create a net rule from the LAN to VPNOPT1 and vice versa.
    VPNOPT interface:
    Screen Shot 2019-09-30 at 3.44.26 PM.png
    LAN Interface:
    Screen Shot 2019-09-30 at 3.44.09 PM.png

    But no traffic is getting through and I am not sure why.



  • That means, since you have a rule on the top of the OpenVPN interface group which allows any to any, this rule will be processed on any traffic arriving on any OpenVPN interface, while rules you have defined on the VPNOPT1 will never hit.
    That is only the explanation why you see no traffic on the VPNOPT1 rules. But that is not the problem here.

    I asked you twice:
    @viragomann said in VPN Interface can't ping LAN interface hosts:

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    And I used the ping in pfsense and can ping 10.9.0.2

    I asked to try the ping in two ways to investigate the issue. One time with default and second with OpenVPN server as source. Are the pings successful in both methods?

    ..but didn't get a satisfying answer. I have to know, what exactly happens in one case and what in the other one.

    I also told you to do

    @viragomann said in VPN Interface can't ping LAN interface hosts:

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    Than I pushed out a route push "route 10.9.0.1 255.255.0.0" on the vpn server but that didn't work either.

    Instead of that use the "Local Network/s" box. Type in
    10.9.0.0/16

    but you still go on

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    I added a route to the openvpn server push "route 10.9.0.0/16"

    So since you're not doing what I advised and give feedback, I'm not able to help.



  • @viragomann Excuse me, you don't have to be rude. I was actually not surprised you said what you said based on your previous comment. There is a difference between being direct and being rude. Learn to Master it.

    But on to the question.

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    @viragomann Thanks for the help.
    First I can now ping the 10.9.0.1 gateway but still can not ping the 10.9.0.2 host

    1. I added a route to the openvpn server push "route 10.9.0.0/16"

    So there is some miscommunication going on here. It was my misunderstanding I need to replace push "route 10.9.0.1 255.255.0.0" with push route 10.9.0.0/16 but looking more carefully, you meant there is a section in the server to add just 10.9.0.0/16 in. Which currently I have 10.10.0.0./16 in. Is this the same section you are referring to?

    Screen Shot 2019-10-01 at 10.27.16 AM.png
    As for using ping in the diagnostics section my response:

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    @viragomann Pinging my host from the LAN side pings the gateways but not my host... So there is my issue. The lan can't ping my host hence the host can't ping the LAN.... So why can't it...mmm. Looking more into it.

    To clarify I did more than just above:
    One time with default - Successful ping
    Openvpn as source - Failed ping



  • I don't get rude, I stated that I am not able to help if I don't get answers to my questions and you don't heed my advice.

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    I need to replace push "route 10.9.0.1 255.255.0.0"

    That option is handled by the "IPv4 Local network(s)" section in the GUI. However, that option is only visible if "Redirect IPv4 Gateway" is not ticked.
    Having that ticked and adding a push route command into the custom options may end up in odd behaviour.

    @w0lverine said in VPN Interface can't ping LAN interface hosts:

    To clarify I did more than just above:
    One time with default - Successful ping
    Openvpn as source - Failed ping

    If that is the case, there are two possible reasons:

    • The pfSense is not the default gateway on the host.
    • The host blocks access from outside its own subnet. If that's the case you have to solve it on the host.
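The two-way ping test from this thread, and the two causes named just above, can be modelled so the outcome of each source is easy to reason about. This is an added example for the thread, not pfSense's Diagnostics > Ping and not code from any poster; the pfSense addresses are the thread's, while the LAN host's default gateway and its off-subnet blocking flag are constructed inputs you would fill in from the real host.

```python
import ipaddress
from dataclasses import dataclass

PFSENSE_LAN_IP = "10.9.0.1"     # default ping source (LAN address) from the thread
PFSENSE_OVPN_IP = "10.10.0.1"   # source when "OpenVPN" is chosen in Diagnostics > Ping


@dataclass
class LanHost:
    ip: str
    prefix_len: int
    default_gateway: str
    blocks_outside_subnet: bool   # constructed flag: host firewall drops off-subnet sources


def _on_link(host, source_ip):
    net = ipaddress.ip_network(f"{host.ip}/{host.prefix_len}", strict=False)
    return ipaddress.ip_address(source_ip) in net


def reasons_for_no_reply(host, source_ip):
    """Return the causes (the two from the reply above) that would stop the host
    from answering a ping sent from source_ip; an empty list means a reply is expected."""
    if _on_link(host, source_ip):
        return []   # same subnet: no gateway lookup and no off-subnet filtering involved
    reasons = []
    if host.default_gateway != PFSENSE_LAN_IP:
        reasons.append("pfSense is not the host's default gateway")
    if host.blocks_outside_subnet:
        reasons.append("host firewall blocks access from outside its own subnet")
    return reasons


def run_both_pings(host):
    """Mirror the two-way test: default source first, then OpenVPN as source."""
    return {
        "default": reasons_for_no_reply(host, PFSENSE_LAN_IP),
        "OpenVPN": reasons_for_no_reply(host, PFSENSE_OVPN_IP),
    }


if __name__ == "__main__":
    # Constructed host matching the thread: 10.9.0.2/16 with pfSense as its gateway,
    # but with a system firewall that only accepts traffic from its own subnet.
    host = LanHost("10.9.0.2", 16, "10.9.0.1", blocks_outside_subnet=True)
    print(run_both_pings(host))
```

A "default" ping that succeeds while the "OpenVPN" one fails is what the model returns for either cause, so the test alone cannot tell them apart; checking the host's routing table separates the gateway case from the host-firewall case.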
