Bridged tunnel, limited remote access
-
I followed the instructions here to set up a P-t-P tunnel between two pfsense instances and bridged the ovpn interface to the LAN on both sides.
Both sides show the VPN is up, and both sides can ping the LAN address of the pfsense box on the far side. So far so good.
The problem is that neither pfsense can get a ping response from a host on the far side LAN. To summarise:
- 192.168.1.1 can ping 192.168.1.2 and 192.168.1.10 but not 192.168.1.20
- 192.168.1.2 can ping 192.168.1.1 and 192.168.1.20 but not 192.168.1.10
- 192.168.1.10 can ping 192.168.1.1 but not 192.168.1.2 and not 192.168.1.20
- 192.168.1.20 can ping 192.168.1.2 but not 192.168.1.1 and not 192.168.1.10
I added a 'pass LAN to LAN' rule on LAN, BRIDGE and OpenVPN interfaces on both sides, but that didn't help. What did I miss?
-
A little added info: if I try to ping 192.168.1.10 (Test Client 1) from 192.168.1.20 (Test Client 2) while running tcpdump on both pfsense, I see ARP traffic:
[2.4.5-RELEASE][root@TestFW01.localdomain]/root: tcpdump -nibridge0 host 192.168.1.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:48:23.031203 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:24.028594 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:25.028870 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46

[2.4.5-RELEASE][root@TestFW02.localdomain]/root: tcpdump -nibridge0 host 192.168.1.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:48:33.036875 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:33.037605 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
08:48:34.036904 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
08:48:34.037940 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
If I run the same tcpdump command, substituting the ovpn interface for bridge0, I see ARP requests and replies on both pfsense.
I'm not sure who is the owner of 00:bd:79:1a:ff:01, but it doesn't appear in the ARP table of either pfsense, and I get no result for it on either hwaddress.com or maclookup.app.
edit: typo