    OpenVPN - connected; can ping FW; no lan access

    OpenVPN
      franco.g last edited by franco.g

      Hi

      I have OVPN set up, which connects successfully. I can't ping/access the local network, only the FW. I have tried various tutorials and forum advice. I really would appreciate help from here. For any additional info needed to resolve this, please let me know.

      Thank you

      Screenshot 2019-11-06 at 13.17.01.png
      Screenshot 2019-11-06 at 13.18.35.png Screenshot 2019-11-06 at 13.19.29.png Screenshot 2019-11-06 at 13.20.10.png Screenshot 2019-11-06 at 13.21.14.png Screenshot 2019-11-06 at 13.21.38.png Screenshot 2019-11-06 at 13.22.01.png

      Additional info that might help from the logs:

      Nov 6 13:27:01 openvpn 43151 192.168.12.130:59857 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
      Nov 6 13:27:01 openvpn 43151 192.168.12.130:59857 [user.name] Peer Connection Initiated with [AF_INET]192.168.12.130:59857
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 MULTI_sva: pool returned IPv4=192.168.20.2, IPv6=(Not enabled)
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 MULTI: Learn: 192.168.20.2 -> user.name/192.168.12.130:59857
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 MULTI: primary virtual IP for user.name/192.168.12.130:59857: 192.168.20.2
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 PUSH: Received control message: 'PUSH_REQUEST'
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 SENT CONTROL [user.name]: 'PUSH_REPLY,route 192.168.12.0 255.255.252.0,route-gateway 192.168.20.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.20.2 255.255.252.0,peer-id 0,cipher AES-256-CBC' (status=1)
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:406 ET:0 EL:3 ]
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
      Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
      Nov 6 13:27:08 openvpn 43151 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
      Nov 6 13:27:08 openvpn 43151 MANAGEMENT: CMD 'status 2'
      Nov 6 13:27:08 openvpn 43151 MANAGEMENT: CMD 'quit'
      Nov 6 13:27:08 openvpn 43151 MANAGEMENT: Client disconnected

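The PUSH_REPLY line in the log above tells the client which networks to send through the tunnel, so a first check when "connected but no LAN access" comes up is whether the pushed routes actually cover the LAN host and whether the tunnel pool collides with them. The following is an added example (not from the original post or from pfSense/OpenVPN): it parses the two relevant lines, which are embedded here as constructed sample input copied from the thread, and reports those checks; it also flags when the peer's real address falls inside a pushed route, which is the case for this log (the client connects from 192.168.12.130 while 192.168.12.0/22 is pushed), something the thread itself does not discuss.

```python
import ipaddress
import re

# Constructed sample: the peer line and the PUSH_REPLY line from the thread's log.
SAMPLE_LOG = """\
Nov 6 13:27:01 openvpn 43151 192.168.12.130:59857 [user.name] Peer Connection Initiated with [AF_INET]192.168.12.130:59857
Nov 6 13:27:01 openvpn 43151 user.name/192.168.12.130:59857 SENT CONTROL [user.name]: 'PUSH_REPLY,route 192.168.12.0 255.255.252.0,route-gateway 192.168.20.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.20.2 255.255.252.0,peer-id 0,cipher AES-256-CBC' (status=1)
"""

PUSH_RE = re.compile(r"'PUSH_REPLY,(?P<opts>[^']*)'")
PEER_RE = re.compile(r"Peer Connection Initiated with \[AF_INET\](?P<ip>[\d.]+):\d+")


def parse_push_reply(log_text):
    """Return (pushed routes, tunnel network from ifconfig, peer's real address)."""
    routes, tunnel, peer = [], None, None
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = ipaddress.ip_address(m.group("ip"))
        m = PUSH_RE.search(line)
        if not m:
            continue
        # PUSH_REPLY options are comma separated: "route <net> <mask>", "ifconfig <ip> <mask>", ...
        for opt in m.group("opts").split(","):
            words = opt.split()
            if words and words[0] == "route" and len(words) >= 3:
                routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
            elif words and words[0] == "ifconfig" and len(words) == 3:
                # topology subnet: ifconfig carries the client IP and the tunnel netmask
                tunnel = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
    return routes, tunnel, peer


def check_lan_reachability(log_text, lan_host):
    """Sanity checks on the pushed routing before blaming firewalls on either end."""
    routes, tunnel, peer = parse_push_reply(log_text)
    host = ipaddress.ip_address(lan_host)
    return {
        # Is the LAN host inside any network the server pushed to the client?
        "route_covers_host": any(host in r for r in routes),
        # A tunnel pool overlapping a pushed LAN route makes replies go the wrong way.
        "tunnel_overlaps_route": tunnel is not None and any(tunnel.overlaps(r) for r in routes),
        # Peer connecting from inside a pushed network: client is probably on the LAN itself.
        "peer_inside_pushed_route": peer is not None and any(peer in r for r in routes),
    }
```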
        viragomann last edited by

        Is pfSense the default gateway in your LAN?

        Have you added a firewall pass rule to the OpenVPN interface to allow access?

        Do your LAN hosts respond to requests from outside their own subnet?
        You may check that on pfSense. Go to Diagnostic > Ping. Try a ping to a LAN device with default settings, then change the source IP to OpenVPN and try again.

          franco.g last edited by franco.g

          HI vira...

          Thanks for getting back to me. Please view below:

          I saw that I can't ping it from localhost either.

          1. Yes - pfSense is the local gateway on the LAN.
          2. Screenshots for ping requests and config.

          Screenshot 2019-11-06 at 14.00.16.png
          Screenshot 2019-11-06 at 14.00.46.png
          Screenshot 2019-11-06 at 14.01.13.png
          Screenshot 2019-11-06 at 14.01.53.png
          Screenshot 2019-11-06 at 14.02.32.png

            NogBadTheBad last edited by

            1573041948397-screenshot-2019-11-06-at-14.01.13.png

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              franco.g @NogBadTheBad last edited by franco.g

              @NogBadTheBad
              Yes, we are. It's just for testing and migration purposes. We are replacing 2 old GTA firewalls with pfSense, since the company (GTA) closed down and there no longer is any support. I did a past setup at a previous employer with pfSense, OVPN and some other services, which was flawless.

                viragomann @franco.g last edited by

                @franco-g
                And what about the gateway question?

                  franco.g @viragomann last edited by franco.g

                  @viragomann
                  Yes, pfSense is the one and only gateway on the LAN. Currently this is a stand-alone device in a "lab" environment with one PC connected to the network.

                    viragomann last edited by

                    So your LAN device doesn't respond if access comes from outside. Check its firewall.

                      franco.g @viragomann last edited by

                      @viragomann

                      I feel like such an idiot. The following rules on the Windows machine firewall were disabled: Domain network; Private network - but Guest/Public network was still enabled. Will remember to put the correct parameters in place for the machines.

                      One question - is it acceptable that I can't ping the device from localhost on pfSense?

                        johnpoz LAYER 8 Global Moderator last edited by

                        @franco-g said in OpenVPN - connected; can ping FW; no lan access:

                        is it acceptable that I can't ping the device from localhost on pfSense?

                        Huh? You're trying to ping using the ping GUI menu and selecting localhost as the source? Why would you think that would ping.. You do not NAT to the internal networks.. So no, it wouldn't work - just use the automatic setting or select the interface for the network the device you're trying to ping is on.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                          viragomann @franco.g last edited by

                          @franco-g said in OpenVPN - connected; can ping FW; no lan access:

                          One question - is it acceptable that I can't ping the device from localhost on pfSense?

                          That's the default behaviour.
                          localhost is the device itself. So if you select localhost as source, the device may respond, but the response goes to itself and not back to pfSense.

                            franco.g @johnpoz last edited by

                            @johnpoz
                            Had a moment of weakness. Confused it with pinging TO localhost in terminal. Rookie booboo like we all do at times.
