Connects to OpenVPN but can't ping LAN
-
Greetings -
I have setup and used OpenVPN in the past, but this is my first time with it being on the same box as the pfSense router.
I am successfully connecting to OpenVPN, but I am unable to ping anything on the LAN network. My objective eventually is to be able to have company staff connect to Samba shares on a TrueNAS box behind the router.
I have followed the documentation for setting up OpenVPN and creating the client connect files, but when we couldn't map a Windows box to a Samba share (even by IP address) I started troubleshooting and realized that I could not even ping the TrueNAS box.
VPN network is 10.4.2.0/24
Local network is 192.168.120.0/24
I have in my server config: push "route 192.168.120.0 255.255.255.0"
I auto-generated the firewall rules when setting up the VPN server. Here is what they show.
The Windows 7 box that I am using for testing has its firewall turned off.
Pinging the TrueNAS box at 192.168.120.10 through the VPN connection returns a "Request timed out" response.
I am guessing I have made a simple mistake somewhere, and that there is a routing issue that needs to be fixed. But can't seem to figure it out. Can someone give me a clue on what I should be looking for, or suggest additional diagnostics for me to try?
Thanks, Jeff
-
@jeffboyce said in Connects to OpenVPN but can't ping LAN:
Pinging the TrueNAS box at 192.168.120.10 through the VPN connection returns a "Request timed out" response.
Consider that the device might block the access, because the source IP is outside of its subnet.
-
@viragomann So you are suggesting that there might be a firewall or possibly a network routing setting on the TrueNAS box that I need to change? I will start looking for something there.
Jeff
-
@jeffboyce
That is the default behavior of network devices including NASs.
A simple check on pfSense: Diagnostic > Ping
Ping the NAS with default options. You should get responses.
Change the source to OpenVPN, which is outside the subnet. Now?
Of course, this all presumes that pfSense is the default gateway.
-
@viragomann Yes, pfSense is the default gateway on the TrueNAS box.
This is getting weird now. Using the default diagnostic ping settings (source address automatically selected) to ping the host 192.168.120.10 (the TrueNAS box), I get a response of 0 packets received.
Changed the source address setting to LAN, and I get a similar response.
Not sure what is going on now. Pinging from .2 to .10 in the same subnet is not getting any response. Now I am stumped. Where should I look next?
Jeff
-
@jeffboyce
By default pfSense chooses automatically the interface IP which is facing to the destination device as source IP.
Since your NAS is in your LAN subnet this should work at least with LAN, when it responds to ping generally. If not check the network settings on all involved devices.
-
@viragomann Ok, I figure I had to have made a networking error somewhere between these two boxes, but I can't seem to find it looking at all the GUIs. I just powered down both boxes for a few minutes, then first powered on the gateway box (PCEngines APU4). After connecting my laptop to it to make sure it was fully up and functional, then I powered on the TrueNAS box.
Now from the gateway box (192.168.120.2) I get this :
Changing the source address to LAN, I get this :
Trying to ping back to the gateway from the TrueNAS box (192.168.120.10), I get this :
There is something messed up in the networking, but I can't seem to find it to be able to fix it.
Jeff
-
@jeffboyce
Again, check the network settings on all involved interfaces for correct IP, mask and gateway.
On pfSense check Status > Interfaces. Possibly there are errors or collisions. Remember there must not be a gateway set on LAN.
Also check the settings on the NAS.
Do you see the NAS IP in Diagnostic > ARP on pfSense?
-
@viragomann I think I may have solved it. Initial tests are positive, but want to do further diagnostics to be sure. Wanted to post what I found now so I don't forget.
I compared the ARP cache tables between the gateway and the TrueNAS box. Both tables showed the correct respective IP addresses for everything. However, in the gateway ARP table the MAC address for the TrueNAS box was incorrect (the IP address was correct). As soon as I deleted the listing in the gateway for the TrueNAS box that had the incorrect MAC address, I was able to ping both directions between the gateway and the TrueNAS box.
Thanks for your guidance. I figured it had to be something like this, it was just unfamiliar territory for me.
Jeff
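
The ARP comparison described in the last post can be scripted. The following is an added example, not part of the thread: it assumes both boxes print FreeBSD-style `arp -an` output (where a host's own address appears as a `permanent` entry), and the MAC addresses and interface names in the sample text are constructed.

```python
import re

# FreeBSD-style `arp -an` line (format assumed for both boxes):
#   ? (192.168.120.10) at 00:11:22:33:44:55 on igb1 expires in 1170 seconds [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}) on (?P<iface>\S+)(?P<rest>.*)"
)

def normalize_mac(mac):
    """Lower-case and zero-pad each octet so tables from different hosts compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp(text):
    """Return {ip: (mac, is_permanent)}; '(incomplete)' entries do not match and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = (normalize_mac(m["mac"]), "permanent" in m["rest"])
    return table

def stale_entries(observer, owner):
    """IPs where `observer` holds a MAC different from the one `owner` lists as its own.

    Only the owner's permanent entries (its own interfaces) are treated as ground truth.
    Returns a list of (ip, mac_seen_by_observer, mac_reported_by_owner).
    """
    findings = []
    for ip, (true_mac, permanent) in owner.items():
        if permanent and ip in observer and observer[ip][0] != true_mac:
            findings.append((ip, observer[ip][0], true_mac))
    return findings

# Constructed sample output: gateway (.2) holds a wrong MAC for the NAS (.10).
GATEWAY_ARP = """\
? (192.168.120.2) at 02:00:00:00:00:02 on igb1 permanent [ethernet]
? (192.168.120.10) at 02:00:00:00:00:99 on igb1 expires in 1170 seconds [ethernet]
? (192.168.120.50) at (incomplete) on igb1 expired [ethernet]
"""
NAS_ARP = """\
? (192.168.120.10) at 02:00:00:00:00:10 on em0 permanent [ethernet]
? (192.168.120.2) at 02:00:00:00:00:02 on em0 expires in 1190 seconds [ethernet]
"""

if __name__ == "__main__":
    for ip, seen, real in stale_entries(parse_arp(GATEWAY_ARP), parse_arp(NAS_ARP)):
        print(f"{ip}: gateway has {seen}, host itself reports {real}")
```

If the wrong entry comes back after it has been deleted, another device on the segment is answering ARP for that address (a duplicate IP assignment, for example).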