Can ping server but not rest of network.



  • I am fairly new to OpenVPN, and have it configured to connect correctly, but I can only ping the local address of the OpenVPN server and nothing else on the net.

    I have a Linksys router with DD-WRT mini (it cannot support the VPN firmware). Is there a routing issue that needs to be addressed?

    Thanks.



  • Is it other VPN clients you are unable to ping?  If so, there is an option “Client-to-client VPN” that you need to tick in the OpenVPN configuration on the pfSense firewall to allow this.  If you’re referring to devices behind the firewall, then check whether your firewall rules allow any to any for the OpenVPN port; otherwise it might cause this issue.

    Do you receive the route for the network in your routing table?  Type “route print” from a command prompt to check.  If the IP address range of your network is the same as the one behind your firewall, this could cause a problem.

    Hope that helps.
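    The two checks in the reply above (is the LAN route present via the tunnel, and does the remote LAN prefix clash with a subnet the client already sits on) can be made mechanical. This is an added example, not code from the thread or from pfSense/OpenVPN; it parses the Linux `netstat -rn` table a client in this thread posted (embedded inline so it runs offline) and performs a longest-prefix lookup the way the kernel would. The function names and the constructed clash line are this example's own.

```python
"""Check a VPN client's routing table for the pushed LAN route (added example)."""
import ipaddress

# Routing table as posted by the client later in this thread, headers in
# English; embedded inline so the script runs without a live tunnel.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.1     192.168.2.5     255.255.255.255 UGH       0 0          0 tun0
192.168.2.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.16.119.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.1.0     192.168.2.5     255.255.255.0   UG        0 0          0 tun0
172.16.74.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
10.187.88.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.187.88.245   0.0.0.0         UG        0 0          0 eth0
"""

# Constructed line (not from the thread): what the table would contain if the
# client's own LAN also used 192.168.1.0/24, the clash the reply warns about.
CLASH_LINE = "192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0\n"


def parse_routes(text):
    """Return (network, gateway, flags, iface) tuples from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue  # title line, header line, or something that is not a route
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, flags, iface))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the route the kernel would choose for ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def reaches_via(routes, ip, iface):
    """True if traffic to ip leaves through the given interface (e.g. tun0)."""
    hit = lookup(routes, ip)
    return hit is not None and hit[3] == iface


def overlapping_local(routes, lan, tun="tun0"):
    """Connected (non-tunnel, no-gateway) prefixes that overlap the remote LAN.

    Any hit here means the client's own subnet uses the same addresses as the
    network behind the VPN server, so packets for it never enter the tunnel.
    """
    lan_net = ipaddress.ip_network(lan)
    return [net for net, gw, _flags, iface in routes
            if iface != tun and gw == "0.0.0.0" and net.prefixlen > 0
            and net.overlaps(lan_net)]


if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    for ip in ("192.168.1.144", "192.168.2.1", "8.8.8.8"):
        net, gw, flags, iface = lookup(table, ip)
        print(f"{ip:15} -> {net} via {gw} dev {iface} [{flags}]")
    print("remote LAN reachable via tun0:", reaches_via(table, "192.168.1.144", "tun0"))
    print("clash with local subnets:",
          overlapping_local(parse_routes(NETSTAT_RN + CLASH_LINE), "192.168.1.0/24"))
```

    On the poster's table the lookup for 192.168.1.144 lands on 192.168.1.0/24 via 192.168.2.5 on tun0, which is why the later replies say "routing looks good" and move the search to the LAN side. The clash check is the case where a correct-looking pushed route is silently beaten by a connected route with the same prefix length.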



  • Hello (and sorry for my bad English, I'm French...)

    I have the same problem... See my OpenVPN server configuration:

    I'm on the local network 10.187.91.0/22 and I created this VPN on this network. I have a local network 192.168.1.0/24, and I want to access it through the VPN.

    With this configuration, I can ping my VPN server at the address 192.168.1.254, but not the rest of that local network (192.168.1.245 for example...)

    These are my firewall rules:

          Proto  Source   Port  Dest  Port            Gateway
    WAN : UDP    *        *     *     1194 (OpenVPN)  *
    LAN : *      LAN net  *     *     *               *

    So, it’s a problem …



  • Is the OpenVPN server the default gateway for the network behind it?



  • Hmm... Yes, pfSense is the default gateway on the 192.168.1.0/24 subnet!



  • And on the remote client, when the link is up, what does “netstat -rn” show?



  • This...

    thibaut@PC-de-Thibaut:~$ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.2.1     192.168.2.5     255.255.255.255 UGH       0 0          0 tun0
    192.168.2.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    172.16.119.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
    192.168.1.0     192.168.2.5     255.255.255.0   UG        0 0          0 tun0
    172.16.74.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
    10.187.88.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
    0.0.0.0         10.187.88.245   0.0.0.0         UG        0 0          0 eth0
    
    


  • Routing looks good.  Does the OpenVPN server end have another network that’s 192.168.1.x/24?



  • My pfSense box is on two networks:
    WAN : 10.187.88.0/22 (address 10.187.88.9)
    LAN : 192.168.1.0/24 (address 10.187.88.254, it's the gateway of the 192.168.1.0/24 subnet)

    So I think that the OpenVPN server is on the 192.168.1.0/24 network...



  • I can’t see an obvious problem.  I’d check things like firewall settings (on both ends), drop a packet sniffer in to see if the packets are making it through pfSense (ISTR that tcpdump is installed by default on pfSense) and check to see if you can ping from the 192.168.1.0/24 network to the 192.168.2.0/24 network.



  • Argh...

    OK, thanks for your help! Back to work on Monday, so see you soon!



  • Hello!

    So, I can ping 192.168.2.0/24 addresses from the 192.168.1.0/24 subnet. But from 10.187.88.0/22, I can ping 192.168.1.254 but not the rest of the 192.168.1.0/24 subnet 😞



  • I think a diagram is required to make that last post make sense.  You’re implying that you’re trying to ping from outside the pfSense host, on the WAN, to the LAN.



  • PC1 192.168.2.6 (tun0) ---------------- 10.187.88.8 (WAN) pfSense 192.168.1.254 (LAN) ------------------ 192.168.1.245 (LAN) PC2

    pfSense also has 192.168.2.5 for the VPN server.

    ping from PC2 to PC1 works!
    ping from PC1 to PC2 doesn't work!

    and I want to access the LAN from the WAN through the VPN server



  • Right, then look at the firewall settings on PC2.  You may find that it’s blocking ping requests.



  • Thanks for your help.

    But my firewall on PC2 is disabled...

    I can see the request from 192.168.2.6 to 192.168.1.245 with tcpdump of pfSense, but not the reply.



  • Then your problem is with the host 192.168.1.245.  Check that its default gateway is correct, check to see that it’s receiving the packets, do all the basic troubleshooting steps on that host.



  • The problem doesn't come from that host, because there is the same problem with another PC with another IP address...

    Thanks for your help...



  • Well, start there.  If you’re seeing packets enter the LAN but not return to pfSense then something you’ve posted here is obviously wrong.  The three possibilities are:

    1. The hosts don’t use the pfSense host as their default gateway
    2. The static routes on the LAN clients are wrong
    3. They run firewalls

    Eliminate those one at a time, what’s left is the only possibility.



  • “The static routes on the LAN clients”

    What's that?  ???



  • Static routes tell clients how to reach networks that are attached to something other than your default gateway.



  • I had this same problem, but when I added all the hosts that I wanted the VPN clients to be able to contact to the DNS Forwarder list, I was able to ping and connect to the LAN side from the VPN client side; when I removed those entries, I also lost my connectivity to those LAN elements. Not sure why, but it seems that the hosts you want to be able to access via the VPN have to be listed in the DNS Forwarder also. Bug? Not sure, but adding them fixed my issue.



  • Hi, and thanks for your help!

    I'm posting my configuration again, because I'm not able to solve the problem:

    VPN server configuration file:

    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 192.168.2.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 192.168.1.0 255.255.255.0"
    lport 1194
    push "dhcp-option DISABLE-NBT"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    persist-remote-ip
    float
    
    

    Client configuration file:

    
    client
    dev tun
    proto tcp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /home/thibaut/ca.crt
    cert /home/thibaut/client1.crt
    key /home/thibaut/client1.key
    verb 3
    
    

    Client netstat -rn when it's connected to the VPN server:

    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.2.1     192.168.2.5     255.255.255.255 UGH       0 0          0 tun0
    192.168.2.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    172.16.119.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
    192.168.1.0     192.168.2.5     255.255.255.0   UG        0 0          0 tun0
    172.16.74.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
    10.187.88.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
    0.0.0.0         10.187.88.245   0.0.0.0         UG        0 0          0 eth0
    
    

    Pinging a PC with address 192.168.1.144 (captured with tcpdump on pfSense):

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on le0, link-type EN10MB (Ethernet), capture size 96 bytes
    09:23:57.352592 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
    09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64
    09:23:58.723015 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 8, length 64
    09:23:59.408489 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
    09:23:59.716733 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 9, length 64
    09:24:00.716003 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 10, length 64
    09:24:01.416434 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
    09:24:01.709148 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 11, length 64
    ^C
    8 packets captured
    9 packets received by filter
    0 packets dropped by kernel
    
    

    ipconfig /all on my Windows PC, which has 192.168.1.144:

    Ethernet adapter Wireless Network Connection:
    
            Connection-specific DNS Suffix  . : valadon.lan
            Description . . . . . . . . . . . : NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter
            Physical Address. . . . . . . . . : 00-1B-2F-42-AE-DB
            DHCP Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.1.144
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.254
            DHCP Server . . . . . . . . . . . : 192.168.1.254
            DNS Servers . . . . . . . . . . . : 192.168.1.254
            Primary WINS Server . . . . . . . : 10.187.88.4
            Lease Obtained. . . . . . . . . . : Tuesday, May 5, 2009 09:03:38
            Lease Expires . . . . . . . . . . : Tuesday, May 5, 2009 11:03:38
    
    

    ifconfig on my Linux client:

    ath0      Link encap:Ethernet  HWaddr 00:15:af:59:60:78  
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:522 errors:0 dropped:0 overruns:0 frame:0
              TX packets:366 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:191752 (187.2 KB)  TX bytes:52773 (51.5 KB)
    
    eth0      Link encap:Ethernet  HWaddr 00:1e:8c:28:4d:9c  
              inet addr:10.187.91.250  Bcast:10.187.91.255  Mask:255.255.252.0
              inet6 addr: fe80::21e:8cff:fe28:4d9c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:47532 errors:0 dropped:0 overruns:0 frame:0
              TX packets:24031 errors:0 dropped:0 overruns:0 carrier:13
              collisions:0 txqueuelen:1000 
              RX bytes:20305549 (19.3 MB)  TX bytes:0 (0.0 B)
              Memory:feac0000-feb00000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:3217 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3217 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:167880 (163.9 KB)  TX bytes:167880 (163.9 KB)
    
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:192.168.2.6  P-t-P:192.168.2.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:21 errors:0 dropped:0 overruns:0 frame:0
              TX packets:389 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:1194 (1.1 KB)  TX bytes:32110 (31.3 KB)
    
    vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01  
              inet addr:172.16.119.1  Bcast:172.16.119.255  Mask:255.255.255.0
              inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08  
              inet addr:172.16.74.1  Bcast:172.16.74.255  Mask:255.255.255.0
              inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    wifi0     Link encap:UNSPEC  HWaddr 00-15-AF-59-60-78-00-00-00-00-00-00-00-00-00-00  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:57444 errors:0 dropped:0 overruns:0 frame:3848
              TX packets:2361 errors:20 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:280 
              RX bytes:6565866 (6.2 MB)  TX bytes:152379 (148.8 KB)
    
    

    ifconfig on my pfSense box:

    le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=8<VLAN_MTU>
    	ether 00:0c:29:c2:6b:1e
    	inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
    	inet6 fe80::20c:29ff:fec2:6b1e%le0 prefixlen 64 scopeid 0x1 
    	media: Ethernet autoselect
    	status: active
    le1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=8<VLAN_MTU>
    	ether 00:0c:29:c2:6b:28
    	inet 10.187.88.9 netmask 0xfffffc00 broadcast 10.187.91.255
    	inet6 fe80::20c:29ff:fec2:6b28%le1 prefixlen 64 scopeid 0x2 
    	media: Ethernet autoselect
    	status: active
    plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
    pflog0: flags=100<PROMISC> metric 0 mtu 33204
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    	inet 127.0.0.1 netmask 0xff000000 
    	inet6 ::1 prefixlen 128 
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
    enc0: flags=0<> metric 0 mtu 1536
    pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
    	pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    	inet6 fe80::20c:29ff:fec2:6b1e%tun0 prefixlen 64 scopeid 0x8 
    	inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff 
    	Opened by PID 2478
    

    So with this configuration, I'm not able to ping 192.168.1.144 from 192.168.2.6...



  • On the Windows PC, what does netstat -rn show?

    I’ll say it again - if you’re not seeing packets back into the pfSense host from the Windows host then the problem is not with OpenVPN, or the remote client.  The problem is entirely in your local network and almost certainly on the Windows host.
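    The rule in the reply above (a request seen on the pfSense LAN side with no matching reply means the fault is on the LAN host, not on OpenVPN or the remote client) can be applied to a capture automatically. This is an added example, not code from the thread or from pfSense; it parses tcpdump's default one-line ICMP output, pairs each echo request with its reply by swapped addresses plus matching id and seq (the same pairing the ping utility does), and reports requests that were never answered. The embedded capture is the poster's own lines extended with a constructed request/reply pair for 192.168.1.254 so that both outcomes show up; the regex and function names are this example's own.

```python
"""Find ICMP echo requests that never got a reply in a tcpdump capture (added example)."""
import re
from collections import defaultdict

# tcpdump's default ICMP echo line, e.g.
# 09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed capture: the poster's lines (requests only, STP noise kept) plus
# one request/reply pair for the pfSense LAN address, which does answer.
CAPTURE = """\
09:23:57.352592 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64
09:23:58.723015 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 8, length 64
09:23:59.716733 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 9, length 64
09:24:00.100000 IP 192.168.2.6 > 192.168.1.254: ICMP echo request, id 46636, seq 1, length 64
09:24:00.100500 IP 192.168.1.254 > 192.168.2.6: ICMP echo reply, id 46636, seq 1, length 64
"""


def parse_icmp(text):
    """Return parsed ICMP echo lines as dicts; non-ICMP lines (STP, ARP...) are skipped."""
    packets = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            p = m.groupdict()
            p["id"], p["seq"] = int(p["id"]), int(p["seq"])
            packets.append(p)
    return packets


def unanswered(text):
    """Map (src, dst) -> sorted seq numbers of echo requests with no matching reply.

    A reply matches a request when src/dst are swapped and id and seq are equal.
    """
    pending = set()
    for p in parse_icmp(text):
        key = (p["src"], p["dst"], p["id"], p["seq"])
        if p["kind"] == "request":
            pending.add(key)
        else:  # reply: undo the request it answers, if we saw it
            pending.discard((p["dst"], p["src"], p["id"], p["seq"]))
    out = defaultdict(list)
    for src, dst, _id, seq in pending:
        out[(src, dst)].append(seq)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    missing = unanswered(CAPTURE)
    if not missing:
        print("every echo request was answered; look at OpenVPN or the client side instead")
    for (src, dst), seqs in missing.items():
        print(f"{src} -> {dst}: {len(seqs)} request(s) seen, no reply (seq {seqs})")
        print("  requests reach the LAN side, so check that host's gateway and firewall,"
              " and anything on pfSense that intercepts LAN traffic")
```

    Run against a capture taken on the LAN interface of the firewall (the poster used `tcpdump` on `le0`), the output separates hosts that never answer from hosts that do, which is exactly the split the reply asks for before blaming OpenVPN.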



  • Result of netstat -rn on the Windows PC:

    Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 15 c5 a5 3e 96 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
    0x20004 ...00 1b 2f 42 ae db ...... NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.144       25
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
          192.168.1.0    255.255.255.0    192.168.1.144   192.168.1.144       25
        192.168.1.144  255.255.255.255        127.0.0.1       127.0.0.1       25
        192.168.1.255  255.255.255.255    192.168.1.144   192.168.1.144       25
            224.0.0.0        240.0.0.0    192.168.1.144   192.168.1.144       25
      255.255.255.255  255.255.255.255    192.168.1.144               2       1
      255.255.255.255  255.255.255.255    192.168.1.144   192.168.1.144       1
    Default Gateway:     192.168.1.254
    ===========================================================================
    Persistent Routes:
      None
    


  • So, you have the correct default gateway.

    This means that the probability is that you still have the firewall running.  Try pinging the Windows host from the pfSense host.



  • When I ping the Windows host from pfSense, it replies...  😞



  • Then it’s time to install Wireshark on the Windows host and do a packet capture there.



  • YES, it works!

    I found my mistake: the captive portal was enabled on the LAN, so the hosts (which were not authenticated) couldn't reply to my client...

    Many thanks for your help and for your patience!



  • Happy to help somebody who’s willing to listen 😉



© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy