    OpenVPN & another pfsense

    Valerio Maglietta

      Hi all,
      I configured an S2S with OpenVPN, apparently with no issue. I can ping and reach the remote LAN from the OpenVPN server address, assuming I added the route to the clients (I do not want to have a single route on the gateway for all the remote clients).

      The ONLY client I cannot ping or reach is another pfSense (WAN) address on the same LAN.
      Here is my diagram:

      • pfsense1 with OpenVPN S2S server (LAN: 192.168.200.253)
      • pfsense2 (WAN: 192.168.200.248)

      They can ping each other with no problem.
      Moreover, I can ping, from the pfsense2 OpenVPN-server interface, every IP on the LAN when I add the proper routing rule, for example:

      PING 192.168.200.11 (192.168.200.11) from 10.3.110.1: 56 data bytes
      64 bytes from 192.168.200.11: icmp_seq=0 ttl=64 time=0.302 ms
      64 bytes from 192.168.200.11: icmp_seq=1 ttl=64 time=0.490 ms
      64 bytes from 192.168.200.11: icmp_seq=2 ttl=64 time=0.252 ms

      --- 192.168.200.11 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 0.252/0.348/0.490/0.102 ms

      I cannot ping the WAN interface of pfsense2 or test its ports, and I cannot see any firewall block log:

      PING 192.168.200.248 (192.168.200.248) from 10.3.110.1: 56 data bytes

      --- 192.168.200.248 ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss

      I added two floating outbound firewall rules to pfsense2 so I can successfully reach the remote LAN connected to OpenVPN (192.168.51.0/24), and a second rule for the tunnel network, just for testing purposes.
      But the WAN interface of pfsense1 is still unreachable from the OpenVPN interface of pfsense2.

      And here is what I see when I enable the packet capture during the failing ping:

      18:20:28.977845 IP 10.3.110.1 > 192.168.200.248: ICMP echo request, id 47641, seq 0, length 64
      18:20:28.977980 IP 192.168.200.248 > 10.3.110.1: ICMP echo reply, id 47641, seq 0, length 64
      18:20:29.988986 IP 10.3.110.1 > 192.168.200.248: ICMP echo request, id 47641, seq 1, length 64
      18:20:29.989050 IP 192.168.200.248 > 10.3.110.1: ICMP echo reply, id 47641, seq 1, length 64
      18:20:31.008424 IP 10.3.110.1 > 192.168.200.248: ICMP echo request, id 47641, seq 2, length 64
      18:20:31.008514 IP 192.168.200.248 > 10.3.110.1: ICMP echo reply, id 47641, seq 2, length 64
      18:20:32.019548 IP 10.3.110.1 > 192.168.200.248: ICMP echo request, id 47641, seq 3, length 64
      18:20:32.019648 IP 192.168.200.248 > 10.3.110.1: ICMP echo reply, id 47641, seq 3, length 64
      ...

      Any help would be very appreciated.

      Thanks

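The capture above is the key diagnostic: every echo request gets an echo reply on the wire, yet ping reports 100% loss, so the replies are being dropped after the capture point rather than never sent. The following script is an added example (not from the post or from pfSense) that parses tcpdump lines in that format, pairs requests with replies by ICMP id/seq, and compares the wire view with what ping counted; the capture lines are a constructed subset of the ones shown above.

```python
import re

# Constructed sample in the tcpdump format shown in the post (three requests, two replies).
CAPTURE = """\
18:20:28.977845 IP 10.3.110.1 > 192.168.200.248: ICMP echo request, id 47641, seq 0, length 64
18:20:28.977980 IP 192.168.200.248 > 10.3.110.1: ICMP echo reply, id 47641, seq 0, length 64
18:20:29.988986 IP 10.3.110.1 > 192.168.200.248: ICMP echo request, id 47641, seq 1, length 64
18:20:29.989050 IP 192.168.200.248 > 10.3.110.1: ICMP echo reply, id 47641, seq 1, length 64
18:20:31.008424 IP 10.3.110.1 > 192.168.200.248: ICMP echo request, id 47641, seq 2, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Verdicts returned by diagnose().
DROPPED_LOCALLY = "DROPPED_LOCALLY"      # reply on the wire, not delivered: state/filter on this box
NO_REPLY_ON_WIRE = "NO_REPLY_ON_WIRE"    # far side never answered: routing or filtering over there
CONSISTENT = "CONSISTENT"                # ping count matches what the capture shows


def parse_icmp(capture):
    """Extract ICMP echo request/reply records; non-matching lines are ignored."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["id"], rec["seq"] = int(rec["id"]), int(rec["seq"])
            packets.append(rec)
    return packets


def correlate(packets):
    """Pair each request with a reply from the request's destination, keyed by (id, seq)."""
    requests, replied = {}, set()
    for p in packets:
        key = (p["id"], p["seq"])
        if p["kind"] == "request":
            requests[key] = p
        elif key in requests and p["src"] == requests[key]["dst"]:
            replied.add(key)
    answered = sorted(k for k in requests if k in replied)
    unanswered = sorted(k for k in requests if k not in replied)
    return answered, unanswered


def diagnose(capture, ping_received):
    """Compare replies seen on the wire with the count ping reported (0 in the post)."""
    answered, _ = correlate(parse_icmp(capture))
    if not answered:
        return NO_REPLY_ON_WIRE
    if ping_received < len(answered):
        return DROPPED_LOCALLY
    return CONSISTENT
```

A DROPPED_LOCALLY verdict points at the stateful filter on the capturing firewall, which is exactly the asymmetric same-interface case the thread resolved with the "Bypass firewall rules for traffic on the same interface" setting.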
      Valerio Maglietta

        I managed to solve my issue.
        Here is my diagram:
        diagram.png
        I needed mainly two settings:

        1. on pfsense2 I had to check the "Bypass firewall rules for traffic on the same interface" option, otherwise my WAN routing rules were ignored;
        2. defining a NAT outbound rule on pfsense1:
           nat-outbound.JPG

        The unwanted aftermath was that all traffic between the networks was allowed, and I had to design some extra block rulesets to allow only what I really need. But in the end, nothing hard.
        Now everything works nice and fast!