VPN Client cannot access some IP addresses
Hoping someone can help as this has been driving me crazy for days.
I've setup a Road Warrior VPN server on pfsense 2.4.5 and the client connects as it should, all traffic is routed through the VPN. When I try to access local servers on the LAN i can access some but others i cannot. I really hope some can throw me some ideas.
I've attached some images of configs in the hope someone will see something wrong.
Thanks in advance.
@ianllew600 I already faced a similar troble and it was related to the ISP. Some of them block certains ports.
Try to look what clients successfully connect and what clients do not, and its ISPs.
@hugoeyng hi, it's not a problem with clients connecting, they can all connect to the vpn server fine. The issue is reaching resources within the lan through the vpn. I can connect to some servers but can not connect to others.
I think this may have something to do with the pfsense firewall but the rules look OK to me.
I think this may have something to do with the pfsense firewall
And why the firewall allow access to X but block to Y... Makes no sense when you have a any any rule.
What makes sense is the device your trying to talk to that is not working is running a firewall, or he doesn't point back to pfsense as his gateway..
Windows for example out of the box firewall would block access to anything that is not its local network, ie your vpn client coming from your tunnel network IP.
Simple test, sniff on pfsense lan interface when your client tries to talk to one of these IPs on your lan not working.. Do you see pfsense send this traffic on? If so then its not pfsense.
@johnpoz thanks for the reply ut makes sense to me what you are saying, the device I'm trying to connect to is an unraid server which doesn't gave a firewall that I can find so it can it be blocking it.
Are you running the pfB DNSBL webserver on the default VIP (10.10.10.1)?
@serbus hi its a new install and haven't got any pfblocking installed yet, I'm at a loss.
Again do the simple sniff test.. Filter it on the IP address of your unraid box.
You sure you have the correct IP for this unraid box? Is the unraid box pointing back to pfsense as its gateway?
Your rule is any any.. there is zero reason pfsense would block access 192.168.1.X while allowing access to 192.168.1.Y
What is the IP address of your client local network, what is the tunnel network? What is the IP address your using on your lan, and what is the IP of your unraid box. What is the mask of the unraid box? If it thinks the source IP your coming from is on its own network, then it would never send traffic back to pfsense.
Can pfsense talk to this unraid IP? Can you ping it from pfsense? You have validated that is the correct mac address for the unraid nic?
@ianllew600 I wunderstood and it happens to me too. There are three servers in my office and we use OpenVPN to home office . I am able to access two servers but not the third one. The servers are pluged on the same router and the same IP range.
To manage this question I connect one server and then, connect to the one I can´t connect trought OpenVPN. This is not, obviously, a solution.
If you can access box A on your lan, but not box B on the same lan.. And your not filtering in your openvpn rules.. Then the problem is with Box B, not pfsense..
@johnpoz I agree. But what?
Still waiting for the OP to actually provide some info to help prove that too him, like a simple 10 second sniff while he its trying to access said IP, etc.
Your issue with the 3rd server is same.. Its something on the server, wrong mask, no gateway, firewall, etc..
Just wanted to say a massive thanks to everyone for the help! I was going round and round in circles until you guys put me back on the right track.
So i found the issue and it was indeed with the server, it would seem that someone had setup a network connection that wasn't on the diagrams with a static IP that was the same as we used for the openvpn server (10.10.10.0/24). Once i found this i changed the openvpn server address (10.10.11.0/24) and now everything works. It would seem that the server was sending the reply out of the wrong NIC and it was never getting back to PFSENSE, the reason it worked on the other servers was because they didn't have this static ip set on a nic.
What a nightmare... but working now.
Yeah.. That would do it! Glad you got it sorted.