Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to ping LAN hosts after connecting to VPN

    Scheduled Pinned Locked Moved OpenVPN
    11 Posts 4 Posters 610 Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator
      last edited by

      And all of those blocked would seem to be out of state, see the A in the flags.. And even more than that all but one of them have the FIN flag, so they are FIN,ACK - meaning close this connection.

      And they seem to be all to the same IP and port, so duplicate packets most likely anyway..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      1 Reply Last reply Reply Quote 0
      • S Offline
        sherrellbc
        last edited by sherrellbc

        I wasn't aware those were flags. The column is labeled only as "Protocol". What can you infer from this?

        The VPN has only a single client at the moment, which is me on another computer testing things out. On that client I am trying to ping LAN hosts or connect to a LAN share. The connections on the client are timing out, so it continues to try indefinitely.

        Also, to further clarify, I can access the internet from the VPN as well. So rules back to to the WAN also work. It just seems that rules into the LAN are blocked. But the fact that I can see the VPN clients from the LAN is strange. Wouldn't the ICMP responses from the VPN client be blocked from being sent back into the LAN?

        DerelictD 1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          Without full understanding of your paths, hard to say exactly why your seeing them.

          But the little i right on the firewall log shows you what they are
          tcpflags.jpg

          You can quite often see FA due to retrans when the client/server doesn't see a response for whatever reason on the closure of the session. And the state has been closed by the firewall.

          When trying use a stateful firewall, its very helpful to understand how tcp initiates a session and how it closes a session ;)

          Unless the block is S (syn) - its a given that the reason for the block is no state in the firewall for that traffic.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          1 Reply Last reply Reply Quote 0
          • M Offline
            marvosa
            last edited by

            It depends on how things are connected and your config.

            Post your server1.conf (/var/etc/openvpn).

            Is PFsense connected to the WAN port on your WiFi router or the LAN port?

            I'm also not sure about that firewall rule on your WAN tab. The wizard should give you something similar to this:

            RA_Firewall_Rule.jpg

            S 1 Reply Last reply Reply Quote 0
            • DerelictD Offline
              Derelict LAYER 8 Netgate @sherrellbc
              last edited by

              @sherrellbc said in Unable to ping LAN hosts after connecting to VPN:

              I wasn't aware those were flags. The column is labeled only as "Protocol". What can you infer from this?

              https://docs.netgate.com/pfsense/en/latest/firewall/tcp-flag-definitions.html

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • S Offline
                sherrellbc @marvosa
                last edited by

                @marvosa said in Unable to ping LAN hosts after connecting to VPN:

                It depends on how things are connected and your config.

                Post your server1.conf (/var/etc/openvpn).

                dev ovpns1
                verb 4
                dev-type tun
                dev-node /dev/tun1
                writepid /var/run/openvpn_server1.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp4
                cipher AES-128-CBC
                auth SHA256
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                client-connect /usr/local/sbin/openvpn.attributes.sh
                client-disconnect /usr/local/sbin/openvpn.attributes.sh
                local xx.xxx.xxx.xx
                tls-server
                server 10.30.20.0 255.255.255.0
                client-config-dir /var/etc/openvpn-csc/server1
                username-as-common-name
                plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYYwgRGF1YWJhc2U= false server1 1194
                tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'xxx.net' 1"
                lport 1194
                management /var/etc/openvpn/server1.sock unix
                max-clients 1
                push "dhcp-option DOMAIN localdomain"
                push "dhcp-option DNS 10.0.0.1"
                push "redirect-gateway def1"
                ca /var/etc/openvpn/server1.ca
                cert /var/etc/openvpn/server1.cert
                key /var/etc/openvpn/server1.key
                dh /etc/dh-parameters.2048
                tls-auth /var/etc/openvpn/server1.tls-auth 0
                ncp-ciphers AES-128-GCM
                persist-remote-ip
                float
                topology subnet
                

                Is PFsense connected to the WAN port on your WiFi router or the LAN port?

                The WAN port. And it serves DHCP to my router.

                I'm also not sure about that firewall rule on your WAN tab. The wizard should give you something similar to this:

                I think that rule is certainly better, as the other I showed allowed much more through the firewall. I edited the rule as you show. I am able to still connect, so I'll leave the restrictive rule. Thanks for that.

                1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  Is something happening to the connection, and you have it flushing states? Do you always see these blocks, all the time - or do they happen now and then?

                  Such out of state blocks will be seen from time to time depending... If a connection is wireless for sure you could see such dup packets and blocks on out of state when firewall closed the states due to see fins but one side didn't get the final fin and thinks its not actually closed.. At some point if the you should see a RST, when the device gives up his retrans and says F it, this is closed and sends a RST..

                  Cell phones are horrible at producing them when it switches from cell and wifi and tries to use the same session without reopening a connection with syn, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                  S 1 Reply Last reply Reply Quote 0
                  • S Offline
                    sherrellbc @johnpoz
                    last edited by sherrellbc

                    @johnpoz

                    I haven't really done any configuration tuning. All I did was use the OpenVPN wizard to setup the server. I exported the profiles and used them to connect a client. That's when I noticed can't see any any LAN hosts after connecting via VPN.

                    I actually had just configured the Netgate for the first time just before installing the VPN server package. So the whole config is nearly stock.

                    But no, the log is not generally filled with lots of blocks of the type shown. After connection from an mobile device I'll see a few.

                    Also, I forgot to mention that I can't even access the router from the VPN, though it is technically another LAN device. So it seems like I basically can't get off the Netgate after connecting to the VPN. I can't see anything after it on the network.

                    1 Reply Last reply Reply Quote 0
                    • M Offline
                      marvosa
                      last edited by marvosa

                      You are unable to access your LAN clients (hostA,hostB) from the VPN because your hosts are behind another NAT router and are not using PFsense as the default gateway. PFsense only knows about the IP given to the WAN interface on the WiFi router, it does not know about the network behind it nor does it have access to it.

                      The easiest way to address your issue is to modify your design slightly.

                      In other words, turn your router into an access point:

                      1. If your WiFi router has an access point mode, enable it.
                        a. Give the router a static IP on the subnet assigned to the PFsense LAN
                        b. Move the patch cable from the WAN port on the WiFi router into one of the LAN ports on the same router
                        c. Enabling access point mode automatically disables the DHCP server, so you will have to enable the PFsense DHCP server.

                      2. If your WiFi router does NOT have an access point mode, the process is nearly the same, however, you'll have to disable services manually
                        a. Disable the DHCP server on the router
                        b. Disable the DNS forwarder (this is probably optional since it's not being used anyway, but doing so would save resources in theory)
                        b. Give the router a static IP on the subnet assigned to the PFsense LAN
                        c. Move the patch cable from the WAN port on the WiFi router into one of the LAN ports on the same router
                        d. Enable the DHCP server on PFsense
                        e. Enable the DNS server on PFsense

                      At this point, assuming there are no subnetting conflicts, you should now have access to your LAN resources after connecting to the VPN. Personally, I'd switch to a split tunnel deployment vs. full tunnel for performance reasons, but your use case may require different priorities.

                      S 1 Reply Last reply Reply Quote 1
                      • S Offline
                        sherrellbc @marvosa
                        last edited by sherrellbc

                        @marvosa

                        That actually was the problem. I was mistakenly connecting the router's WAN port to the LAN port of the Netgate. Admittedly I should have recognized the issue with having the two networks (Netgate - Router, then Router's LAN).

                        So, everything just about works. I want to access a particular host on the LAN (a network share). I looked up the DHCP client list and found its assigned IP address and was able to remotely (through the VPN) connect to it. Because I wan't this to be reliable, I assigned a static DHCP rule for this specific LAN host. But now the VPN client's cannot see it anymore. What could be going on? All other dynamically allocated DHCP slots remain reachable from the VPN.

                        I have a rule on the OpenVPN group to allow any to any, which is why the first part worked. But for some reason the statically assigned DHCP rule is acting as if it were not part of the LAN? I did notice that the host was marked as "offline" in the DHCP client list despite being active and reachable from other hosts on the LAN.

                        I tried adding a rule specifically allowing access to this static IP from the VPN, but of, course, the any to any rule takes precedence so this new rule does not get used.

                        Any ideas?


                        Actually, the issue seemed to have resolved itself after some time.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.