Netgate Discussion Forum

    Can't access remote network through OpenVPN with allow all firewall rules everywhere.

    Firewalling
    17 Posts 2 Posters 1.3k Views
    • johnpoz LAYER 8 Global Moderator @skysurf76

      @skysurf76 said in Can't access remote network through OpenVPN with allow all firewall rules everywhere.:

      Now to see if it's getting passed in the security camera network allow all rule...

      The rule there would have nothing to do with it.. You could have zero rules on that interface..

      Sniff (packet capture under diagnostics): do you see that traffic to 10.10.10.20:80 when you try and talk to that camera from your vpn - since you're seeing it in the vpn rules.

      Another problem could be your mask is wrong on the cameras? And they think 10.10.50 and 10.10.10 are the same network, so they never send the return traffic back to pfsense, i.e. say the mask on the cameras were 255.255.0.0 vs 255.255.255.0

      Sniff on the camera interface will tell you for sure if traffic is being sent to the camera and they are just not answering.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • skysurf76 @johnpoz
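      To make the mask point above concrete, here is an added Python check (not code from the thread or from pfSense) that computes which destinations a camera treats as on-link from its own mask, and therefore which VPN client addresses it will ARP for instead of routing back through the gateway. The camera names, addresses and the inventory list are constructed for the example.

```python
import ipaddress


def is_on_link(host_ip: str, netmask: str, dest_ip: str) -> bool:
    """True if a host configured with host_ip/netmask treats dest_ip as directly
    connected (it will ARP for it) instead of forwarding the packet to its gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return ipaddress.ip_address(dest_ip) in iface.network


def effective_network(host_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """The subnet the host *believes* it sits on, as dictated by its own mask,
    which may be much wider than the subnet the firewall has configured."""
    return ipaddress.ip_interface(f"{host_ip}/{netmask}").network


def find_reply_blackholes(hosts, tunnel_net: str):
    """Return the names of hosts whose mask makes the VPN tunnel network look
    on-link. Replies from such hosts to VPN clients never reach the firewall,
    so the connection from the VPN side silently times out."""
    tunnel = ipaddress.ip_network(tunnel_net)
    return [
        name
        for name, ip, mask in hosts
        if effective_network(ip, mask).overlaps(tunnel)
    ]


# Constructed sample inventory: cameras that should all be on 10.10.10.0/24.
CAMERAS = [
    ("cam-front", "10.10.10.20", "255.255.0.0"),    # wrong mask (/16)
    ("cam-back", "10.10.10.21", "255.255.255.0"),   # correct mask (/24)
    ("cam-side", "10.10.10.22", "255.255.0.0"),     # wrong mask (/16)
]

if __name__ == "__main__":
    # The original tunnel network is swallowed by the /16 cameras; the
    # replacement 192.168.50.0/24 is not, which is why changing it "fixed" things.
    for net in ("10.10.50.0/24", "192.168.50.0/24"):
        print(f"{net}: replies blackholed by {find_reply_blackholes(CAMERAS, net)}")
```

      A packet capture on the camera interface would show the request arriving and the camera ARPing for the VPN client address rather than answering through its gateway, which matches what the audit predicts.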

        @johnpoz ANNNNND I solved it. I changed the intermediate OpenVPN network from 10.10.50.0/24 to 192.168.50.0/24. 10.10.50.0/24 didn't overlap with any other networks on either end of the tunnel. No idea why it didn't work? Bug?

        • johnpoz LAYER 8 Global Moderator @skysurf76

          @skysurf76 they don't overlap, but the mask on the camera could be wrong? Did you manually set the mask on the camera, or is it via DHCP?

          • skysurf76 @johnpoz

            @johnpoz Yep. I just checked. You got me. Damnit! LOL Rookie mistake.


            Oh well, all's well that ends well. I appreciate the help!

            • johnpoz LAYER 8 Global Moderator @skysurf76

              @skysurf76 glad you got it sorted.. Everyone makes typos - problem also is some of these devices auto fill in the mask for you, I think windows defaults to a freaking /8 when you start the IP with a 10 ;)

              • skysurf76 @johnpoz

                @johnpoz Yeah I'm going through all the cameras now, and it looks like they all have 255.255.0.0. I can't believe I missed that when I was putting IPs on them. Also I can't believe they would default to a /16 mask.

                • johnpoz LAYER 8 Global Moderator @skysurf76

                  @skysurf76 yeah look at windows - just validated it uses a freaking /8


                  • skysurf76 @johnpoz

                    @johnpoz The ironic part is I'm normally a 192 guy, but I didn't want any collisions when I VPNed into the location this thread is about, so I made that location all 10's. Technically I believe that even though 10 is a private range, it's still a class A (/8). And 192 is class C (/24).


                    Doesn't matter how much you know though, the gremlins always come. :)

                    • johnpoz LAYER 8 Global Moderator @skysurf76

                      @skysurf76 classes haven't been a thing for like 30 years, ever since CIDR came out - believe 1993, classes are no longer really even a thing ;)

                      But yeah they come up still..

                      • skysurf76 @johnpoz

                        @johnpoz Your last post made me feel so old.

                        Also the fact that somehow, in the bowels of my mind, I know that CIDR means classless inter-domain routing....I think lol.

                        • johnpoz LAYER 8 Global Moderator @skysurf76

                          @skysurf76 dude we get old, not feeling it is the secret... The sad part is 30 years ago really doesn't seem like that long ago.. Doesn't seem like that long ago I was running around adding coprocessors to the PCs at the job, and installing TCP/IP via a floppy into windows hehehe

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.