Netgate Discussion Forum
    Only the LAN interface is pinging

someusername

      Hello,

      I have two firewalls in CARP mode, last stable versions. This is a fresh setup.

      I set up a vpn connection to access a private network without internet access.

      If I VPN to the master firewall all works.
If I VPN to the backup, I can ping the LAN interface and CARP VIP, but I can't ping anything in the same network.

      I created the configuration on the master firewall, so it is the same on both.

      If I go to the backup FW, Diagnostics -> Ping and try pinging with Source Address: OpenVPN, I get the following:
      Ping Local LAN interface: OK
      Ping LAN CARP VIP: no (but it is pinging when remotely connected)
      Ping a host on the network: no

      What could be wrong / how do I approach troubleshooting?

viragomann @someusername

        @someusername said in Only the LAN interface is pinging:

If I VPN to the backup

Not clear why anyone should do this. When you're running an HA system in CARP mode, you should have the OpenVPN server listening on the CARP VIP and simply connect to it. So you always connect to the master.

You cannot access the remote LAN devices when you're connected to the backup, because the LAN CARP VIP, which is used as the gateway by the devices and hence needed for communicating with other network segments like VPN clients, is occupied by the master.

someusername @viragomann

          @viragomann

          That is a good point, thank you!

I changed the IP in the Client Export section, changed Host Name Resolution to Other and for Host Name I put the WAN CARP VIP. (Repeated on the backup FW as well, since this part doesn't sync.)

          I modified the WAN VPN rule, changed the destination from WAN IP to WAN net, because no traffic was passing.
          Now when I click on the States of the rule I see the connection, but it is not receiving any packets back. The Packets column looks like 3 / 0 for example.

          What else should I do?

viragomann @someusername

            @someusername
In the OpenVPN server settings you also have to change the listening interface to the WAN CARP VIP.

            (repeated on the backup FW as well, since this part doesn't sync)

            Why not?

someusername @viragomann

              @viragomann

              I read around that the Client Export section does not sync. I just tested it again, did not sync. Everything else is syncing, no errors on the bell. All options are selected in the Sync section of the primary FW.

              If I make changes to the VPN server, they sync.

              I changed the listening interface. Huge thanks for that - I was looking for it and never saw it, couldn't see the forest from the trees or something...

Now the client on my PC says "network connection failed" after about a minute or so. I am unable to ping anything in the local network during that time (no local LAN interface, no CARP, no hosts).
In the OpenVPN widget I see the connection in the FW, and the FW rule shows packets in both directions.

              The OpenVPN widget on the backup FW says "[error] Unable to contact daemon" - probably because of the CARP?

              What next?

viragomann @someusername

                @someusername
                Yes, you're right, the client export settings are not synced. But the OpenVPN server settings should, at least if it's activated in System > HA.

The listening interface was WAN before, right? So you don't forward the VPN traffic in any way. Hence it should work with the WAN CARP VIP as well if the firewall rules allow the access.
You mentioned you changed the rule destination to "WAN net". So if the VIP is within the WAN net it should work.

Do you get a connection or nothing? If not, what does the client log show?

someusername @viragomann

@viragomann well... I just re-downloaded the certificate and it works like a charm :)
                  If I send the master in CARP maintenance mode, the VPN drops, I reconnect and all works again.

                  Thank you for your help!

                  I have another query, separate from the original one.

                  Sometimes the webgui becomes inaccessible through the WAN IP of the primary FW. I can be in the menus and at some point I click anywhere and nothing happens, refresh the page - no connection. The IP pings and there is no apparent disruption of service. If I try to access via the WAN CARP IP - all good, works fine. If I do nothing the webgui becomes accessible after several minutes.

                  I am not sure if it happens only when I am connected to the VPN as well.
In the VPN settings I have "force all client traffic through the tunnel" disabled, and on my PC I have this setting off: "Use this connection only for resources on its network".

                  If it happens while I am connected to the VPN, if I disconnect it and refresh the page, the webgui comes back.

                  I also have the option to access the firewalls through the IPs on their vlan interfaces - they are public. I do not do NAT. The private network doesn't need internet access.

                  Do you see something in the above that can explain the webgui flaps?

viragomann @someusername

                    @someusername said in Only the LAN interface is pinging:

                    Sometimes the webgui becomes inaccessible through the WAN IP of the primary FW.

                    Is it only on the WAN IP or as well when you use the LAN IP?

                    Basically the WebGUI should not be accessible from outside anyway. You should only allow access from inside or from VPN. So I connect to the VPN and access my devices by their LAN IPs.

                    Since the problem doesn't appear when using the CARP VIP, I can only think of a routing issue. Maybe there is something in the log regarding this.

A hint for accessing the backup node when you're connected to the master: Troubleshooting VPN Connectivity to a High Availability Secondary Node.
                    By default this is not possible. You have to add an outbound NAT rule as described in the docs.

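The asymmetric path viragomann describes, and the outbound NAT workaround from the linked doc, as a small added model that is not code from the thread or from pfSense. All addresses are constructed; the model covers a node's own LAN interface address and an ordinary LAN host, not the VIP itself.

```python
# Constructed toy topology (not from the thread): two pfSense nodes sharing a
# LAN CARP VIP, a LAN host using that VIP as default gateway, one VPN client.
LAN_VIP = "10.0.0.1"
LAN_IF = {"master": "10.0.0.2", "backup": "10.0.0.3"}  # each node's own LAN address
LAN_HOST = "10.0.0.50"
VPN_CLIENT = "10.8.0.6"                                  # client's tunnel address


def in_lan(ip):
    return ip.startswith("10.0.0.")


def in_vpn(ip):
    return ip.startswith("10.8.0.")


def node_route(node, dst, clients_on):
    """Where a node delivers a packet for dst: itself, the LAN segment, its own
    OpenVPN tunnel (only for clients connected to *this* node), or nowhere."""
    if dst == LAN_IF[node]:
        return "self"
    if in_lan(dst):
        return "lan"
    if in_vpn(dst):
        return "tunnel" if dst in clients_on[node] else "drop:no-such-client"
    return "drop:no-route"


def ping(connected_to, target, vip_owner="master", outbound_nat=False):
    """Trace an ICMP echo from the VPN client via the node it is connected to
    and back. Returns 'reply' or a string saying where the exchange died."""
    clients_on = {"master": set(), "backup": set()}
    clients_on[connected_to].add(VPN_CLIENT)
    # Outbound NAT on the node's LAN interface (the documented HA fix): the
    # client's tunnel address is hidden behind the node's own LAN interface IP.
    src = LAN_IF[connected_to] if outbound_nat else VPN_CLIENT

    # Request: client -> node -> target
    where = node_route(connected_to, target, clients_on)
    if where == "self":
        return "reply"                    # the node answers for its own interface
    if where != "lan":
        return f"request dropped on {connected_to}: {where}"
    if target != LAN_HOST:
        return "request dropped: only LAN_HOST is modelled on the segment"

    # Reply: the LAN host has no route to the tunnel subnet, so an off-link
    # source goes to its default gateway, the VIP, i.e. whichever node owns it.
    if in_lan(src):
        return "reply"                    # NAT'd source is on-link: straight back
    where = node_route(vip_owner, src, clients_on)
    return "reply" if where == "tunnel" else f"reply dropped on {vip_owner}: {where}"
```

Running `ping("backup", LAN_HOST)` shows the reply dying on the master, which owns the VIP but has no tunnel to that client; the same call with `outbound_nat=True`, or with `vip_owner="backup"` (master in maintenance mode), succeeds.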
someusername @viragomann

                      @viragomann I have whitelisted specific IPs on a custom port for webgui access.

The setup looks like this:

                      WAN net - public IPs
                      LAN net - private, management, no NAT, not internet access
                      VLANxxx - Public IPs, unrestricted internet access

                      I can use the VLAN IPs for webgui access and see if the issue persists.

The webgui needs to be accessible, as this is a remote location and I am not comfortable relying on the VPN service for access if I enable access only from the management network.

                      Do you think there is something more to do to make it more secure?

viragomann @someusername

                        @someusername
                        If you have restricted the source IPs for webGUI management access and use HTTPS, it should be safe so far.

I have no webGUI access allowed from WAN on my installation. I'm running OpenVPN servers and have SSH (with key) access enabled in case the web configurator is not accessible.

someusername @viragomann

                          @viragomann

I can look into the CLI commands, as I am not familiar with them, and enable SSH to test it out.

I genuinely wonder, does SSH have a smaller attack surface than HTTPS, considering it will be protected by the same FW rules and custom port? In my case I must have access through a publicly accessible interface/IP in case the VPN goes fubar.

viragomann @someusername

                            @someusername
As I stated, HTTPS is generally safe. The weak point is rather the user authentication.
With SSH you can use (long) key + password auth, which is safer in the end.

someusername @viragomann

@viragomann Yes, that's true. I will experiment with SSH.

                              Thank you for your help and time!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.