Lan client computers do not ping
-
Hello.
I've set up a site-to-site VPN, but I can't ping computers on the client's LAN network.
On the server, I correctly configured the IP of the remote LAN network. Rules were created releasing the ICMP protocol on the LAN interface, on the WAN interface and on the OpenVPN interface of the client server. Does anyone know what the problem could be?
-
@jucelio_rosa common user error is forgetting host firewalls, which normally default to blocking stuff like a ping from some unknown network.
-
@johnpoz I thought about this hypothesis, however, I found it strange that no host ping
-
@jucelio_rosa strange about what..
I have some device on site A 192.168.1.42 that goes through a vpn to ping some box 192.168.2.24..
Why would the host firewall running on 192.168.2.24 default to allow 192.168.1.42 to ping it?? It's not on the 192.168.2/24 network, etc..
Windows firewall for sure defaults blocking icmp from non local networks..
This for sure is like the number 1 reason for what you describe as your problem - just read the boards, this same exact question comes up like every other day.. I setup a vpn and can not ping box over the vpn..
-
@johnpoz I understood.
At the moment I'm at the company's headquarters (where I have the firewall server) and my boss is at the branch company, where we have the firewall client.
I already asked him to check the windows firewalls on the client computers.
-
@johnpoz When we noticed the problem, I looked at the settings and realized that on the server I had misconfigured the ip of the remote network.
I fixed it, restarted the service, but the problem persists.
Do you think restarting the firewall client can solve this?
-
@jucelio_rosa said in Lan client computers do not ping:
I already asked him to check the windows firewalls on the client computers.
Most of the time users of computers have no clue how to do that - even if they are the boss ;)
This takes 2 seconds to troubleshoot.. Why don't you just sniff on your pfsense for your sites - do you see the traffic going across them?.
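
The capture check suggested above can be scripted; this is an added example, not part of the original posts. It assumes text output from `tcpdump -n icmp` taken on the remote firewall's LAN interface; the sample lines, the host 192.168.2.10, the function name and the verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Classify ICMP echo traffic seen in `tcpdump -n icmp` text output.
# Intended capture point (assumption): the LAN interface of the remote-site
# firewall, i.e. after the packet has already crossed the VPN tunnel.

# Constructed sample capture: 192.168.1.42 (site A) pings two site B hosts.
# 192.168.2.24 never answers; 192.168.2.10 (hypothetical host) does.
SAMPLE_CAPTURE='10:15:01.000100 IP 192.168.1.42 > 192.168.2.24: ICMP echo request, id 1, seq 1, length 40
10:15:02.000200 IP 192.168.1.42 > 192.168.2.24: ICMP echo request, id 1, seq 2, length 40
10:15:03.000300 IP 192.168.1.42 > 192.168.2.10: ICMP echo request, id 2, seq 1, length 40
10:15:03.000900 IP 192.168.2.10 > 192.168.1.42: ICMP echo reply, id 2, seq 1, length 40
10:15:04.000300 IP 192.168.1.42 > 192.168.2.10: ICMP echo request, id 2, seq 2, length 40
10:15:04.000800 IP 192.168.2.10 > 192.168.1.42: ICMP echo reply, id 2, seq 2, length 40'

# Reads tcpdump lines on stdin, prints one line per (source, target) pair.
#   OK          requests and replies both seen: the path works end to end
#   NO_REPLY    requests reached this interface but the host never answered:
#               the tunnel, routes and firewall rules passed the traffic, so
#               check the host firewall on the target machine
#   NO_REQUESTS nothing arrived here at all: check the remote network
#               definition, routing and firewall rules before blaming the host
classify_pings() {
    awk '
    / ICMP echo request/ { dst = $5; sub(/:$/, "", dst); req[$3 " " dst]++ }
    / ICMP echo reply/   { dst = $5; sub(/:$/, "", dst); rep[dst " " $3]++ }
    END {
        n = 0
        for (k in req) {
            n++
            split(k, a, " ")
            verdict = (rep[k] > 0) ? "OK" : "NO_REPLY"
            printf "%s -> %s requests=%d replies=%d %s\n", a[1], a[2], req[k], rep[k] + 0, verdict
        }
        if (n == 0) print "NO_REQUESTS"
    }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_pings
```

On a live firewall the function would be fed from a capture such as `tcpdump -ni <interface> icmp`, with the interface name filled in for that site.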
-
@johnpoz said in Lan client computers do not ping:
Most of the time users of computers have no clue how to do that - even if they are the boss ;)
This takes 2 seconds to troubleshoot.. Why don't you just sniff on your pfsense for your sites - do you see the traffic going across them?.
My friend, you are right.
Disabling windows firewall ping worked. Thank you very much.
Do you know what rule I need to create in the Windows firewall so that I can leave it active and at the same time the ping works correctly?
-
@jucelio_rosa ping while nice to test connectivity - you prob need to allow for whatever it is you actually want to do to this machine across the vpn.
I personally don't see why user in site A should need to talk to user machine in site B, I could see a file server or something... But why should users in A talk to users in B machines directly? Just seems like way for ransomware to spread if you ask me..
-
@johnpoz It would be because of a software configuration.
Thank you very much for your attention. Now everything is ok.