1. Home
  2. pfSense® Software
  3. OpenVPN
  4. Bridged tunnel, limited remote access

Bridged tunnel, limited remote access

  • C

    I followed the instructions here to set up a P-t-P tunnel between two pfsense instances and bridged the ovpn interface to the LAN on both sides.

    Both sides show the VPN is up, and both sides can ping the LAN address of the pfsense box on the far side. So far so good.

    The problem is that neither pfsense can get a ping response from a host on the far side LAN. To summarise:

    • 192.168.1.1 can ping 192.168.1.2 and 192.168.1.10 but not 192.168.1.20
    • 192.168.1.2 can ping 192.168.1.1 and 192.168.1.20 but not 192.168.1.10
    • 192.168.1.10 can ping 192.168.1.1 but not 192.168.1.2 and not 192.168.1.20
    • 192.168.1.20 can ping 192.168.1.2 but not 192.168.1.1 and not 192.168.1.10

    I added a 'pass LAN to LAN' rule on LAN, BRIDGE and OpenVPN interfaces on both sides, but that didn't help. What did I miss?
    Screenshot from 2020-09-10 17-07-45.png

    0 C 1 Reply
  • C

    A little added info, if I try to ping 192.168.1.10 (Test Client 1) from 192.168.1.20 (Test Client 2) while running tcpdump on both pfsense, I see ARP traffic:

    [2.4.5-RELEASE][root@TestFW01.localdomain]/root: tcpdump -nibridge0 host 192.168.1.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:48:23.031203 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:24.028594 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:25.028870 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46

    [2.4.5-RELEASE][root@TestFW02.localdomain]/root: tcpdump -nibridge0 host 192.168.1.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:48:33.036875 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:33.037605 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
08:48:34.036904 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:34.037940 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28

    If I run the same tcpdump command, substituting the ovpn interface for bridge0, I see ARP requests and replies on both pfsense.

    I'm not sure who is the owner of 00:bd:79:1a:ff:01, but it doesn't appear in the ARP table of either pfsense, and I get no result for it on either hwaddress.com or maclookup.app.

    edit: typo

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy