Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN tap -

    Scheduled Pinned Locked Moved
    OpenVPN
    2
    4
    553
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mdrapeau
      last edited by mdrapeau

      Hi,

      I built a VPN site to site in tap mode between my two sites in order to extend LAN:

      Here is my infrastructure with what works and what doesn't work.

      c5535e03-1a42-43f1-a0e4-fda09fc79cd2-image.png

      I don't understand why my endpoints can communicates between them but not my both pfsense...

      Firewall rules are open during the debug of the issue.

      I used TCPdump to understand what's wrong from 18.15 to 18.254, I saw the ping request and the ping reply on each interface exept on the LAN interface of the PFsense site A, so I think the problem can between openvpn interface and LAN interface of the pfsense (site A).

      If it's the problem, I don't really know how to fix it...

      Is someone have an idea for me ?

      Thanks !

      1 Reply Last reply Reply Quote 0
      • M
        mdrapeau
        last edited by

        After further investigations, I saw the issue comes from Pfsense "18.1".

        In fact, when the Pfsense "18.1" ping request the other one, the Pfsense "18.254" ping reply to pings which arrives in Pfsense "18.1" but from a dark reason Pfsense "18.1" doesn't interpret it.

        When the Pfsense "18.254" ping request the other one, the Pfsense "18.254" receives it but completely ignore it and so no ping reply are sent.

        So globally the issu is located now but I don't really now how to fix it.

        Firewall is open in both sides, routes and gateways are good.

        Is anyone has an idea ?

        M 1 Reply Last reply Reply Quote 0
        • M
          marvosa @mdrapeau
          last edited by

          Without reviewing the configs, routing tables, firewall rules, etc... My guess... some devices are confused when trying to keep track of which IP's are on which end of the tunnel.

          I believe one solution is to NAT the traffic traversing the tunnel and create 1-to-1 NAT's for resources you want to access on the other end of the tunnel.

          My first question is typically... what issue are you trying to resolve by deploying a bridged solution?

          M 1 Reply Last reply Reply Quote 0
          • M
            mdrapeau @marvosa
            last edited by mdrapeau

            @marvosa thanks for answering me.

            The reason why I've deployed a bridged solution is because I am doing a migration of several virtual machine from the siteA to the siteB and I can't change IP address of thoose virtual machine for multiple reasons.

            I've invastigated more deeply the problem and it appears that the issu comes from the pfsense of the siteB.

            In fact, when the pfsenseA (18.254) send a ping to the pfsenseB (18.1), the pfsenseB receive the ping request but it doesn't reply to it.

            And when the pfsenseB (18.1) send a ping to the pfsenseA (18.254), the pfsenseA replies to pings but the pfsenseB doesn't interpret the answer for an unknown reason.

            So I don't really know what is wrong with the pfsenseB.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.