Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    OpenVPN site to site - Only traffic from pfsense boxes work

    OpenVPN
    2
    25
    209
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      Iago OP last edited by Iago OP

      Hi guys;

      Im new in this community. I have some background in networking technology but I'm new into this pfsense world.

      I have a problem with the OpenVPN setup, maybe you can help me out.

      The case is, I have 2 pfsense boxes one in each office.

      Pfsense1 is the root office, with the OpenVPN site to site server.
      This box is configured as follows:

      • WAN ADDRESS with access to internet
      • LAN: 10.0.111.0/24
      • OpenVPN server peer to peer
        tunnel net: 10.0.18.0/24
        remote net: 10.0.50.0/24

      On the other side, I have another box with the same version of PFsense, and acts as client. The configuration is as follows:

      • WAN ADDRESS with access to internet
      • LAN: 10.0.50.0/24
      • OpenVPN client
        tunnel net: 10.0.18.0/24
        remote net: 10.0.111.0/24

      The problem is, the PFsense boxes can ping each other to their LAN addresses (10.0.111.1 and 10.0.50.1), but when I trying to ping from a LAN computer of one side (10.0.111.10) to a LAN computer of the other side (10.0.50.10 or even the pfsense box) there is no connectivity.

      I have the following rules in place in the firewall:
      Pfsense1
      OpenVPN: allow all
      WAN: OpenVPN port open
      LAN: allow all

      Pfsense2:
      OpenVPN: allow all
      LAN: allow all
      45111fca-8a52-49b6-b6df-c21f5067242e-image.png

      If I go to states; I can see the TPC traffic as SYNC_SENT but no connectivity at all

      Am I missing something?

      Thank you for your advice!!

      EDIT:
      Added screenshot from the box2 (10.0.50.1) ping to the box 1 LAN address (10.0.111.1)
      fd39cc1c-724e-49df-a7a0-de8c68fe9f61-image.png

      If I select source address as LAN, the ping does not go through:
      dca40527-3fcf-4b29-9578-a60d694d091b-image.png

      Seems like this LAN - OVPN Client routing is not working, but in the routing tables I see all ok:

      36cb4b33-0ac9-4e81-98df-8ec647037217-image.png

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @Iago OP last edited by

        Something wrong here?

        @iago-op said in OpenVPN site to site - Only traffic from pfsense boxes work:

        Pfsense1 is the root office, with the OpenVPN site to site server.
        This box is configured as follows:

        WAN ADDRESS with access to internet
        LAN: 10.0.111.0/24
        OpenVPN server peer to peer
        tunnel net: 10.0.18.0/24
        remote net: 10.0.50.0/24

        On the other side, I have another box with the same version of PFsense, and acts as client. The configuration is as follows:

        WAN ADDRESS with access to internet
        LAN: 10.0.111.0/24
        OpenVPN client
        tunnel net: 10.0.18.0/24
        remote net: 10.0.111.0/24

        I 1 Reply Last reply Reply Quote 0
        • I
          Iago OP @viragomann last edited by

          @viragomann sure man

          the pfsense2 box is 10.0.50.0/24 sorry and thanks for the help!

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @Iago OP last edited by

            @iago-op
            Are both pfSense boxes the default gateway in the respective LAN?

            If so check the firewall on the destination device. By default it is blocking access from out of its own subnet.

            I 1 Reply Last reply Reply Quote 0
            • I
              Iago OP @viragomann last edited by

              @viragomann
              Yeah

              @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

              @iago-op
              Are both pfSense boxes the default gateway in the respective LAN?

              If so check the firewall on the destination device. By default it is blocking access from out of its own subnet.

              Yeah there is only 1 WAN per pfsense box and each pc have the Pfsense box as the gateway (10.0.111.1 and 10.0.50.1 respectively)

              As far as the LAN firewall, I have an allow all rule on each Pfsense LAN. this should be enough right?

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @Iago OP last edited by

                @iago-op
                The point is if the destination device itself is allowing the access from the remote network.

                You can easily check this with pfSense. On the pfSense next to the device go to Diagnostic > Ping, enter its IP at host and try to ping. Should succeed.
                Then change the source to OpenVPN and try again. Does this succeed as well?

                I 1 Reply Last reply Reply Quote 0
                • I
                  Iago OP @viragomann last edited by Iago OP

                  @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                  @iago-op
                  The point is if the destination device itself is allowing the access from the remote network.

                  You can easily check this with pfSense. On the pfSense next to the device go to Diagnostic > Ping, enter its IP at host and try to ping. Should succeed.
                  Then change the source to OpenVPN and try again. Does this succeed as well?

                  Thanks for your tip, but I've already checked that.

                  If I ping using either default, or OpenVPNclient the ping goes through

                  If I ping using LAN, it does not. The same as if I use a computer into the local LAN to do the end to end ping.
                  75596403-72d8-4386-a053-7e4fad7ffc52-image.png
                  58827292-6b7f-4684-a258-4abf7c294fb9-image.png

                  I also did another test. Try to open a webpage from my local computer (10.0.50.10) in a remote end machine webserver (10.0.111.200) while I debug with the pTop utility:
                  8a480626-e2e0-4bdc-ac52-74e6f93ccf27-image.png

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    viragomann @Iago OP last edited by

                    @iago-op said in OpenVPN site to site - Only traffic from pfsense boxes work:

                    If I ping using either default, or OpenVPNclient the ping goes through
                    If I ping using LAN, it does not. The same as if I use a computer into the local LAN to do the end to end ping.

                    I asked to do that on the pfSense box next to the destination device, not on the remote box and not pinging the one of the pfSense boxes themself. You did already mention above that this is working.
                    So go on the server and ping any device in it LAN 10.0.111.0/24.

                    I 1 Reply Last reply Reply Quote 0
                    • I
                      Iago OP @viragomann last edited by

                      @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                      @iago-op said in OpenVPN site to site - Only traffic from pfsense boxes work:

                      If I ping using either default, or OpenVPNclient the ping goes through
                      If I ping using LAN, it does not. The same as if I use a computer into the local LAN to do the end to end ping.

                      I asked to do that on the pfSense box next to the destination device, not on the remote box and not pinging the one of the pfSense boxes themself. You did already mention above that this is working.
                      So go on the server and ping any device in it LAN 10.0.111.0/24.

                      Yep, the scenario is:

                      ClientsLAN1 -10.0.111.0/24- Pfsense1(server) [ OPENVPN ] Pfsense2 --10.0.50.0/24- ClientsLAN2

                      Everything between Pfsense1(server) and LAN2 works ok (pfsense and clients)
                      18991934-039e-4d4b-a95b-22d4e588184e-image.png
                      The same, everything between pfsense2 and LAN1 work ok.
                      ed259c46-99c7-4e4a-863d-0f1c5ad280f1-image.png

                      The problem is when I try LANCLIENTS1 to LANCLIENTS2
                      b00f34f0-ecd9-4c60-85a4-fac57f203c47-image.png
                      Is weird, could be a bug in pfsense? Should I miss some rules ?

                      V 1 Reply Last reply Reply Quote 0
                      • V
                        viragomann @Iago OP last edited by

                        @iago-op
                        Fine now you're showing pings on both site with default settings. Still no use.

                        I 1 Reply Last reply Reply Quote 0
                        • I
                          Iago OP @viragomann last edited by Iago OP

                          @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                          @iago-op
                          Fine now you're showing pings on both site with default settings. Still no use.

                          @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                          I asked to do that on the pfSense box next to the destination device, not on the remote box and not pinging the one of the pfSense boxes themself. You did already mention above that this is working.
                          So go on the server and ping any device in it LAN 10.0.111.0/24.

                          On the server, I can ping the LAN devices without problems
                          9a87bbae-6a45-48ef-8880-df8cad15873a-image.png

                          Thanks for you help mate

                          V 1 Reply Last reply Reply Quote 0
                          • V
                            viragomann @Iago OP last edited by

                            @iago-op said in OpenVPN site to site - Only traffic from pfsense boxes work:

                            On the server, I can ping the LAN devices without problems

                            Dude! I'm not in doubt of that. Mentioned above. But what do you get here if you simple change the source to OpenVPN???

                            I 1 Reply Last reply Reply Quote 0
                            • I
                              Iago OP @viragomann last edited by

                              @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                              @iago-op said in OpenVPN site to site - Only traffic from pfsense boxes work:

                              On the server, I can ping the LAN devices without problems

                              Dude! I'm not in doubt of that. Mentioned above. But what do you get here if you simple change the source to OpenVPN???

                              It also works
                              4a6d537f-b8dc-47f7-b1aa-838a31f0793c-image.png

                              In the server side, I can ping from openVPN to CLientLAN1 without problems.

                              On the client side, the same, pings between OpenVPN interface/lan and the ClientsLAN2 work fine.
                              e9ee52d0-ddf9-4ed2-b1f9-26d64dd150e5-image.png

                              It just only fails on the LAN1 to LAN2 communications :S it's weird right?

                              V 1 Reply Last reply Reply Quote 0
                              • V
                                viragomann @Iago OP last edited by

                                @iago-op
                                Well. So the device is not blocking the access.
                                So let's take a look into the routing tables of both pfSense boxes.

                                I 1 Reply Last reply Reply Quote 0
                                • I
                                  Iago OP @viragomann last edited by Iago OP

                                  @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                  @iago-op
                                  Well. So the device is not blocking the access.
                                  So let's take a look into the routing tables of both pfSense boxes.

                                  Client:
                                  8947ea73-67ea-4510-9ba1-50219bedcc65-image.png
                                  I can see the route 10.0.111.0/24 going through 10.0.18.1 which is the OpenVPN interface

                                  On the server side:
                                  cf6ff19d-1850-41a9-942d-dab2ccc23cd5-image.png

                                  I also see the correct routes:
                                  10.0.50.0/24 by 10.0.18.2

                                  (I also have in here a server2 which i creted trying to solving this problem with a new server, but I I'm not using it right now)

                                  Thanks !!

                                  V 1 Reply Last reply Reply Quote 0
                                  • V
                                    viragomann @Iago OP last edited by

                                    @iago-op
                                    Seems to be well.

                                    Static public IPs should better be hidden when you post a screenshot in the web. The PPPoE may change, but I don't know of the other one.

                                    Interestingly the client show no use of the route. Maybe if you try a connection from the clients LAN.

                                    Yes, absolutely weird.
                                    We had already issues with VPNs that won't work while all seems fine. After pulling it down and start from scratch it mostly worked.

                                    You may try more investigations with the packet capture tool, but I cannot think of any further reason.

                                    Only one thing are the firewall rules on OpenVPN interface. You didn't post a screenshot. So consider for pinging you have to allow ICMP or any protocol. If you have only TCP, ping will not work.

                                    I 1 Reply Last reply Reply Quote 0
                                    • I
                                      Iago OP @viragomann last edited by

                                      @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                      @iago-op
                                      Seems to be well.

                                      Static public IPs should better be hidden when you post a screenshot in the web. The PPPoE may change, but I don't know of the other one.

                                      Interestingly the client show no use of the route. Maybe if you try a connection from the clients LAN.

                                      Yes, absolutely weird.
                                      We had already issues with VPNs that won't work while all seems fine. After pulling it down and start from scratch it mostly worked.

                                      You may try more investigations with the packet capture tool, but I cannot think of any further reason.

                                      Only one thing are the firewall rules on OpenVPN interface. You didn't post a screenshot. So consider for pinging you have to allow ICMP or any protocol. If you have only TCP, ping will not work.

                                      Yep, Thanks for the remainder of the public ips :)

                                      the OpenVPN firewall rules are allow all for all protocols. I just make sure because of this tests specifically with ping.

                                      There is any way to debug this kind of problems? Like a traceroute which indicates what interfaces goes through a packet?

                                      Tank you again mate

                                      I V 2 Replies Last reply Reply Quote 0
                                      • I
                                        Iago OP @Iago OP last edited by

                                        @iago-op said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                        @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                        @iago-op
                                        Seems to be well.

                                        Static public IPs should better be hidden when you post a screenshot in the web. The PPPoE may change, but I don't know of the other one.

                                        Interestingly the client show no use of the route. Maybe if you try a connection from the clients LAN.

                                        Yes, absolutely weird.
                                        We had already issues with VPNs that won't work while all seems fine. After pulling it down and start from scratch it mostly worked.

                                        You may try more investigations with the packet capture tool, but I cannot think of any further reason.

                                        Only one thing are the firewall rules on OpenVPN interface. You didn't post a screenshot. So consider for pinging you have to allow ICMP or any protocol. If you have only TCP, ping will not work.

                                        Yep, Thanks for the remainder of the public ips :)

                                        the OpenVPN firewall rules are allow all for all protocols. I just make sure because of this tests specifically with ping.

                                        There is any way to debug this kind of problems? Like a traceroute which indicates what interfaces goes through a packet?

                                        Tank you again mate

                                        I think I have a clue. Revieweing the logs for each interface I found that it's using ipv6 routing in the client side. While on the client side, openVPN is configured only to use ipv4
                                        86a50352-265e-4ed5-843f-159e0bfcf836-image.png
                                        acf62b8b-19f4-45e9-a1d7-9f576173958b-image.png

                                        Maybe cloud be this ?

                                        V 1 Reply Last reply Reply Quote 0
                                        • V
                                          viragomann @Iago OP last edited by

                                          The routing protocol setting is at the bottom, you can check IPv4 gateway only there.

                                          I 1 Reply Last reply Reply Quote 0
                                          • I
                                            Iago OP @viragomann last edited by

                                            @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                            The routing protocol setting is at the bottom, you can check IPv4 gateway only there.

                                            In one side was ipv4 but in the other side was both. I changed to ipv4 only but this not fixed the problem.
                                            as I'm expected.

                                            I keep investigating. If I do a packet capture on the openvpn interface in the client while a ping is in course, it does not register any packet.

                                            1 Reply Last reply Reply Quote 0
                                            • V
                                              viragomann @Iago OP last edited by

                                              @iago-op said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                              There is any way to debug this kind of problems? Like a traceroute which indicates what interfaces goes through a packet?

                                              As mentioned, you can do some packet capture on the both pfSense boxes.
                                              The VPN connection is like a network wire into the other site. Each site has a virtual interface. Here you can sniff the traffic.

                                              So for instance you try to ping from a clients LAN device to one on the remote site, you can trace the ping packets with packet capture on all the involved interface: clients LAN and OpenVPN, servers OpenVPN and LAN. So you can check where it stops.

                                              But I don't understand what your first ping attempt show. It works from client to the servers LAN IP whith default, which means the source is the client OpenVPN IP. But it doesn't work if the source is the clients LAN IP, even if there is the correct route on the server for that subnet.
                                              Your routing tables screens seem to be incomplete, but I guess, there will not be another route overlapping the clients LAN.

                                              I 1 Reply Last reply Reply Quote 0
                                              • I
                                                Iago OP @viragomann last edited by Iago OP

                                                @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                                @iago-op said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                                There is any way to debug this kind of problems? Like a traceroute which indicates what interfaces goes through a packet?

                                                As mentioned, you can do some packet capture on the both pfSense boxes.
                                                The VPN connection is like a network wire into the other site. Each site has a virtual interface. Here you can sniff the traffic.

                                                So for instance you try to ping from a clients LAN device to one on the remote site, you can trace the ping packets with packet capture on all the involved interface: clients LAN and OpenVPN, servers OpenVPN and LAN. So you can check where it stops.

                                                But I don't understand what your first ping attempt show. It works from client to the servers LAN IP whith default, which means the source is the client OpenVPN IP. But it doesn't work if the source is the clients LAN IP, even if there is the correct route on the server for that subnet.
                                                Your routing tables screens seem to be incomplete, but I guess, there will not be another route overlapping the clients LAN.

                                                I've made some testing today, and I found that I can ping from my local client computers to the OpenVPN gateway on the other end. (and in the same end too)

                                                Lets say I'm in the side of pfsense box 2 (10.0.50.1) with my IP: 10.0.50.10.
                                                This end of the tunnel gets IP 10.0.18.2 (10.0.18.1 for the other end)

                                                I can ping both of these openvpn interfaces no problem from the local machine
                                                6e6d4bf8-c328-4a37-91ba-8989bc89236e-image.png
                                                But cannot ping the remote LAN computers (10.0.111.0/24)

                                                So there is a problem routing between openvpn interface 10.0.18.2 and the LAN network 10.0.111.0/24
                                                But I cannot find the reason why this happens. The routing table looks good, there is an entry for this subnet in it:
                                                08720f79-8ab2-4fc2-9138-73d5987e5871-image.png

                                                And the firewall rules for the LAN allow incoming traffic from 10.0.18.0/24 and 10.0.50.0/24:
                                                8864de5c-68a4-4b6f-bc77-8208928a27ce-image.png

                                                Should I consider reporting a bug for this issue? There is any public board to fill in a bug report?

                                                Thank you @viragomann , you were very helpful :)

                                                V 1 Reply Last reply Reply Quote 0
                                                • V
                                                  viragomann @Iago OP last edited by

                                                  @iago-op
                                                  One thing I noticed. You are talking about a site-to-site VPN, but you have a /24 tunnel network.
                                                  A s2s should have a /30. So there is only one IP for the server and one for the client. I'd suggest to change this.

                                                  I 1 Reply Last reply Reply Quote 0
                                                  • I
                                                    Iago OP @viragomann last edited by

                                                    @viragomann said in OpenVPN site to site - Only traffic from pfsense boxes work:

                                                    @iago-op
                                                    One thing I noticed. You are talking about a site-to-site VPN, but you have a /24 tunnel network.
                                                    A s2s should have a /30. So there is only one IP for the server and one for the client. I'd suggest to change this.

                                                    Thanks mate for the tip.

                                                    Unfortunately, the problem persists. I can ping the remote end of the tunnel endpoint but cannot ping the LAN behind it.

                                                    4dfd74c0-885a-41d1-bc0c-5d96071fb9f7-image.png

                                                    It's driving me nuts. I've tested an IPSEC tunnel and works fine. I'm going to give-up this openvpn efort. Maybe I can help reporting this issue to the pfsense develoepers... I don't know

                                                    1 Reply Last reply Reply Quote 0
                                                    • I
                                                      Iago OP last edited by

                                                      I finally get it to work!!

                                                      It was a problem with a configuration of an IPSec tunnel that I had previously on one end.

                                                      It turns out that although it was disabled, it has configured the subnet 10.0.18.0/24

                                                      So I assume that this configuration is not supported and having the same subnet on these different services could cause the issue.

                                                      Thanks @viragomann for your help :) I really appreciate mate

                                                      a2bf89a8-7362-47b3-b3d2-742cc7070184-image.png

                                                      1 Reply Last reply Reply Quote 0
                                                      • First post
                                                        Last post

                                                      Products

                                                      • Platform Overview
                                                      • TNSR
                                                      • pfSense Plus
                                                      • Appliances

                                                      Services

                                                      • Training
                                                      • Professional Services

                                                      Support

                                                      • Subscription Plans
                                                      • Contact Support
                                                      • Product Lifecycle
                                                      • Documentation

                                                      News

                                                      • Media Coverage
                                                      • Press
                                                      • Events

                                                      Resources

                                                      • Blog
                                                      • FAQ
                                                      • Find a Partner
                                                      • Resource Library
                                                      • Security Information

                                                      Company

                                                      • About Us
                                                      • Careers
                                                      • Partners
                                                      • Contact Us
                                                      • Legal
                                                      Our Mission

                                                      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                                      Subscribe to our Newsletter

                                                      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                                      © 2021 Rubicon Communications, LLC | Privacy Policy