Bridged tunnel, limited remote access

  • I followed the instructions here to set up a P-t-P tunnel between two pfsense instances and bridged the ovpn interface to the LAN on both sides.

    Both sides show the VPN is up, and both sides can ping the LAN address of the pfsense box on the far side. So far so good.

    The problem is that neither pfsense can get a ping response from a host on the far side LAN. To summarise:

    • 192.168.1.1 can ping 192.168.1.2 and 192.168.1.10 but not 192.168.1.20
    • 192.168.1.2 can ping 192.168.1.1 and 192.168.1.20 but not 192.168.1.10
    • 192.168.1.10 can ping 192.168.1.1 but not 192.168.1.2 and not 192.168.1.20
    • 192.168.1.20 can ping 192.168.1.2 but not 192.168.1.1 and not 192.168.1.10

    I added a 'pass LAN to LAN' rule on LAN, BRIDGE and OpenVPN interfaces on both sides, but that didn't help. What did I miss?



  • A little added info, if I try to ping 192.168.1.10 (Test Client 1) from 192.168.1.20 (Test Client 2) while running tcpdump on both pfsense, I see ARP traffic:

    [2.4.5-RELEASE][root@TestFW01.localdomain]/root: tcpdump -nibridge0 host 192.168.1.20
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
    08:48:23.031203 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
    08:48:24.028594 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
    08:48:25.028870 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
    
    [2.4.5-RELEASE][root@TestFW02.localdomain]/root: tcpdump -nibridge0 host 192.168.1.20
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
    08:48:33.036875 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
    08:48:33.037605 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
    08:48:34.036904 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
    08:48:34.037940 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
    

    If I run the same tcpdump command, substituting the ovpn interface for bridge0, I see ARP requests and replies on both pfsense.

    I'm not sure who is the owner of 00:bd:79:1a:ff:01, but it doesn't appear in the ARP table of either pfsense, and I get no result for it on either hwaddress.com or maclookup.app.

    edit: typo
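Added example, not part of the original post: a small Python helper that correlates the ARP requests and replies from the two tcpdump captures above, per capture point, so one-way ARP (requests with no reply on that interface) and the MAC answering for a given IP are reported explicitly instead of read by eye. The capture strings are constructed from the lines quoted in the post; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: the two bridge0 captures quoted in the post above, re-typed here
# as constructed test data (TestFW01 first, TestFW02 second).
CAPTURE_FW01 = """\
08:48:23.031203 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:24.028594 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:25.028870 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
"""
CAPTURE_FW02 = """\
08:48:33.036875 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:33.037605 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
08:48:34.036904 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:34.037940 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
"""

# tcpdump -n prints ARP as "Request who-has <target> tell <sender>" and
# "Reply <ip> is-at <mac>"; only those two shapes are parsed here.
REQ = re.compile(r"^\S+ ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"^\S+ ARP, Reply (\S+) is-at (\S+),")

def summarize_arp(capture):
    """Per target IP: how often it was asked for, how often it answered,
    and which MAC addresses claimed it on this capture point."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "macs": set()})
    for line in capture.splitlines():
        if m := REQ.match(line):
            stats[m.group(1)]["requests"] += 1
        elif m := REP.match(line):
            stats[m.group(1)]["replies"] += 1
            stats[m.group(1)]["macs"].add(m.group(2))
    return {ip: {**v, "macs": sorted(v["macs"])} for ip, v in stats.items()}

def unanswered_targets(capture):
    """IPs requested on this interface that never produced a reply there:
    one-way ARP is the usual symptom of a bridge or filter problem."""
    return sorted(ip for ip, v in summarize_arp(capture).items() if v["replies"] == 0)

def compare_sides(cap_a, cap_b):
    """Side-by-side view of the MACs answering for each IP on two capture
    points, so a reply seen on one firewall but not the other stands out."""
    a, b = summarize_arp(cap_a), summarize_arp(cap_b)
    return {ip: (a.get(ip, {}).get("macs", []), b.get(ip, {}).get("macs", []))
            for ip in sorted(set(a) | set(b))}

if __name__ == "__main__":
    print("FW01 unanswered:", unanswered_targets(CAPTURE_FW01))
    print("FW02 unanswered:", unanswered_targets(CAPTURE_FW02))
    print("MACs seen per side:", compare_sides(CAPTURE_FW01, CAPTURE_FW02))
```

Run against live captures by piping `tcpdump -n -i bridge0 arp` output into the same functions; any IP listed by unanswered_targets on one side but answered on the other points at the hop where the reply is being dropped.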
