OPENVPN site-to-site LOCAL/AWS doesn't ping between hosts, only between pfSenses
-
Hey guys!
I am facing a problem with a site-to-site OPENVPN configuration on PFSENSE. Describing it objectively, it is the following:
From the PFSENSE on AWS I can ping my entire local network, and from the PFSENSE on my local network I can ping my entire network on AWS, but when I use a host inside the AWS network or a host inside my local network, I can't ping from one side of the VPN to the other.
I took a machine on my local network (192.168.15.27) and ran a tracert to a machine on the AWS network, 172.31.9.211. The packet went to the PFSENSE of my local network, went to the 10.0.0.1 tunnel, arrived at the AWS PFSENSE (I looked through the firewall log) and got lost there. The same is true in reverse.
I did a tcpdump to check deeper, here is a part of the log
(PING FROM A HOST BEHIND LOCAL NETWORK)
22:28:40.328453 AF IPv4 (2), length 64: (tos 0x0, ttl 127, id 39316, offset 0, flags [none], proto ICMP (1), length 60)
192.168.15.27 > 172.31.9.211: ICMP echo request, id 1, seq 712, length 40
No reply was seen.
(PING FROM PFSENSE)
22:28:46.079359 AF IPv4 (2), length 88: (tos 0x0, ttl 64, id 32037, offset 0, flags [none], proto ICMP (1), length 84)
10.0.0.2 > 172.31.9.211: ICMP echo request, id 6757, seq 0, length 64
Here I got an ICMP reply.
What I can see is that when I do it directly from PFSENSE it uses the tunnel IP as source and it works. But when I use a host inside the network to ping, it doesn't work. But being a site-to-site, it should work, shouldn't it?
-
@fernandoscheffel said in OPENVPN site-to-site LOCAL/AWS doesnt ping between hosts only between pfsenses:
I did a tcpdump to check deeper, here is a part of the log
On which site, which interface?
-
@viragomann The packet monitor is from the server side, on the OpenVPN interface.
A packet that comes from a host on the client site reaches the server side with IP 192.168... and is dropped. If it comes from pfSense, it reaches the server side with IP 10.0.0.2 (client tunnel IP) and gets a response.
-
I solved the problem by creating an Outbound NAT rule on my pfSense server to translate the local IP to the tunnel IP.
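The observation in the thread (echo requests sourced from the LAN host cross the tunnel but never get a reply, while tunnel-IP-sourced requests do) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from pfSense: it parses the two-line tcpdump format quoted above, pairs each ICMP echo request with its reply by endpoints, ICMP id and sequence number, and reports which sources never got answered. The sample capture is constructed: the two echo requests are the ones quoted in the thread, while the second 192.168.15.27 request and the echo reply to the 10.0.0.2 request are made up to illustrate a reply being seen.

```python
import re
from collections import defaultdict

# Constructed sample capture in the two-line format tcpdump printed on the OpenVPN
# interface in the thread above. The first and third echo requests are the ones quoted
# in the thread; the second 192.168.15.27 request and the echo reply to the 10.0.0.2
# request are constructed for this example.
SAMPLE_CAPTURE = """\
22:28:40.328453 AF IPv4 (2), length 64: (tos 0x0, ttl 127, id 39316, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.15.27 > 172.31.9.211: ICMP echo request, id 1, seq 712, length 40
22:28:41.331012 AF IPv4 (2), length 64: (tos 0x0, ttl 127, id 39317, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.15.27 > 172.31.9.211: ICMP echo request, id 1, seq 713, length 40
22:28:46.079359 AF IPv4 (2), length 88: (tos 0x0, ttl 64, id 32037, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.0.2 > 172.31.9.211: ICMP echo request, id 6757, seq 0, length 64
22:28:46.080541 AF IPv4 (2), length 88: (tos 0x0, ttl 63, id 1441, offset 0, flags [none], proto ICMP (1), length 84)
    172.31.9.211 > 10.0.0.2: ICMP echo reply, id 6757, seq 0, length 64
"""

# Matches only the indented packet line; the timestamp/header line that precedes each
# packet starts with "HH:MM:SS" and therefore never matches the IPv4 pattern.
ICMP_ECHO = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echoes(capture):
    """Return (src, dst, kind, icmp_id, seq) tuples for every ICMP echo line."""
    echoes = []
    for line in capture.splitlines():
        m = ICMP_ECHO.match(line)
        if m:
            echoes.append((m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return echoes


def echo_stats_by_source(capture):
    """Pair each echo request with its reply and count, per request source, how many
    requests were sent and how many were answered. Returns {source: (sent, answered)}.

    A reply matches a request when its (src, dst) are the request's (dst, src) and the
    ICMP id and sequence number are identical. Two passes are used so a reply that
    appears before its request in an interleaved capture is still paired.
    """
    echoes = parse_icmp_echoes(capture)
    requests = {}  # (src, dst, icmp_id, seq) -> answered?
    for src, dst, kind, icmp_id, seq in echoes:
        if kind == "request":
            requests.setdefault((src, dst, icmp_id, seq), False)
    for src, dst, kind, icmp_id, seq in echoes:
        if kind == "reply":
            key = (dst, src, icmp_id, seq)  # swap endpoints to find the original request
            if key in requests:
                requests[key] = True
    stats = defaultdict(lambda: [0, 0])
    for (src, _dst, _id, _seq), answered in requests.items():
        stats[src][0] += 1
        if answered:
            stats[src][1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def unanswered_sources(capture):
    """Sources whose echo requests reached this interface but were never answered."""
    return sorted(src for src, (sent, answered) in echo_stats_by_source(capture).items()
                  if sent and not answered)


if __name__ == "__main__":
    for src, (sent, answered) in sorted(echo_stats_by_source(SAMPLE_CAPTURE).items()):
        print(f"{src}: {answered}/{sent} echo requests answered")
    print("unanswered sources:", unanswered_sources(SAMPLE_CAPTURE))
```

Run against a capture taken on the server-side OpenVPN interface, an unanswered source that is not the tunnel address tells you the packet did cross the tunnel, so the remaining suspects are all on the server side: the far host or its network needs a return route for the client LAN via the VPN gateway, and the OpenVPN server needs that LAN declared as a remote network. Outbound NAT to the tunnel IP, as used in the final post, works because it removes the need for that return route, at the cost that the far side's firewall rules and logs can no longer tell individual client-LAN hosts apart.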