Netgate Discussion Forum
    Bridged tunnel, limited remote access
      clarknova:

      I followed the instructions here to set up a P-t-P tunnel between two pfSense instances and bridged the ovpn interface to the LAN on both sides.

      Both sides show the VPN is up, and both sides can ping the LAN address of the pfSense box on the far side. So far so good.

      The problem is that neither pfSense can get a ping response from a host on the far side LAN. To summarise:

      • 192.168.1.1 can ping 192.168.1.2 and 192.168.1.10 but not 192.168.1.20
      • 192.168.1.2 can ping 192.168.1.1 and 192.168.1.20 but not 192.168.1.10
      • 192.168.1.10 can ping 192.168.1.1 but not 192.168.1.2 and not 192.168.1.20
      • 192.168.1.20 can ping 192.168.1.2 but not 192.168.1.1 and not 192.168.1.10

      I added a 'pass LAN to LAN' rule on LAN, BRIDGE and OpenVPN interfaces on both sides, but that didn't help. What did I miss?
      [attachment: Screenshot from 2020-09-10 17-07-45.png]

      db

      clarknova @clarknova:

        A little added info: if I try to ping 192.168.1.10 (Test Client 1) from 192.168.1.20 (Test Client 2) while running tcpdump on both pfSense instances, I see ARP traffic:

        [2.4.5-RELEASE][root@TestFW01.localdomain]/root: tcpdump -nibridge0 host 192.168.1.20
        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
        listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
        08:48:23.031203 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
        08:48:24.028594 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
        08:48:25.028870 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
        
        [2.4.5-RELEASE][root@TestFW02.localdomain]/root: tcpdump -nibridge0 host 192.168.1.20
        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
        listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
        08:48:33.036875 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
        08:48:33.037605 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
        08:48:34.036904 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
        08:48:34.037940 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28
        

        If I run the same tcpdump command, substituting the ovpn interface for bridge0, I see ARP requests and replies on both pfSense instances.

        I'm not sure who is the owner of 00:bd:79:1a:ff:01, but it doesn't appear in the ARP table of either pfSense, and I get no result for it on either hwaddress.com or maclookup.app.

        edit: typo

        db

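A small parser for captures like the ones above, added here as an example (it is not the poster's code or anything shipped with pfSense): it pairs ARP requests with replies per interface, lists targets that were asked for but never answered on that interface (the one-way path seen on TestFW01's bridge0), and flags reply MACs that do not match a known-MAC table. The sample lines are constructed from the two captures in the post; the known-MAC table is a placeholder to fill from `ifconfig` on each box.

```python
import re
from collections import defaultdict

# Constructed sample: the bridge0 captures from the post, two lines each.
# TestFW01 sees only requests; TestFW02 sees the request and a reply.
CAPTURES = {
    "TestFW01 bridge0": (
        "08:48:23.031203 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46\n"
        "08:48:24.028594 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46\n"
    ),
    "TestFW02 bridge0": (
        "08:48:33.036875 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46\n"
        "08:48:33.037605 ARP, Reply 192.168.1.1 is-at 00:bd:79:1a:ff:01, length 28\n"
    ),
}

REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5}),", re.I)

def parse_arp(text):
    """Map each target IP to the set of askers, and each replying IP to the MACs claimed."""
    asked, answered = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if m := REQUEST.search(line):
            asked[m.group(1)].add(m.group(2))
        elif m := REPLY.search(line):
            answered[m.group(1)].add(m.group(2).lower())
    return dict(asked), dict(answered)

def unanswered_targets(text):
    """IPs asked for on this interface but never answered there: a one-way path."""
    asked, answered = parse_arp(text)
    return sorted(ip for ip in asked if ip not in answered)

def compare_captures(captures, known_macs=None):
    """Per capture, the unanswered targets; plus every (ip, mac) claimed in a reply
    that does not match known_macs (placeholder table: fill from `ifconfig`)."""
    known_macs = {ip: mac.lower() for ip, mac in (known_macs or {}).items()}
    report, unknown = {}, set()
    for name, text in captures.items():
        report[name] = unanswered_targets(text)
        for ip, macs in parse_arp(text)[1].items():
            for mac in macs:
                if known_macs.get(ip) != mac:
                    unknown.add((ip, mac))
    return report, sorted(unknown)
```

Feed it the full output of `tcpdump -ni bridge0 arp` from each box, once per interface, and compare the reports; a target that is unanswered on bridge0 but answered on the ovpn interface points at the bridge, not the tunnel.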