Can't reach a specific IP address
-
Assumption: Somewhere in the bowels of pfSense there is a setting that says "route all packets intended for Palmetto over OpenVPN".
Questions: Where would I find this setting? Why would it have spontaneously changed over Xmas weekend?
If anyone has any suggestions as to where I might look, I would be much obliged.
If there is such a setting it's because you activated it through your own configuration setting.
Based on the evidence you have given you have come to the wrong conclusion. In particular you say that when you try to ping Palmetto from the laptop there are no packets with the Palmetto address in the tcpdump. This means pfSense isn't receiving the packets destined for Palmetto so of course it isn't forwarding them!
The routing is broken on the laptop.
The VPN adds another factor to the problem but since you haven't given any information about it other than to mention there is a VPN I can't take it into account. I think you should really try to understand why the VPN is in the configuration before you attempt to recreate it.
Wild speculation: When connected directly to the internet the laptop is able to create a VPN that enables it to get to Palmetto. When connected to pfSense the laptop can't establish the VPN so "falls back" to attempting to connect with Palmetto over the only operating interface - the LAN.
-
Well, this is the first we are hearing that openvpn is involved. One smoking gun is a host on the LAN subnet trying to ARP for a remote host. That is most likely the root of the problem. As to why, dunno.
That's because it's the first time I had any idea that OpenVPN had anything to do with it. I use OpenVPN on every pfSense box I set up - including my home router, from behind which I'm typing this. In fact, I use the same configuration (except for certificates, of course) for all my clients (except the ones who need to use PPTP from multiple hosts, in which case I use Endian.) I've never seen anything like this before, nor heard of it.
Any ideas on how I could track down which host is "volunteering" to ARP? Of course I can go to the office and unplug machines from the network one by one, but if there's a more sophisticated way to find the answer…
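For the question above about finding which host is ARPing for a remote address, here is an added example (not part of the original thread). It reads `tcpdump -e -n arp` output captured on the LAN interface and reports, by source MAC, each host sending who-has requests for an address outside the LAN subnet. The 192.168.1.0/24 subnet, the MAC addresses and the capture lines are constructed; 216.251.231.64 is the Palmetto address given in the thread.

```python
import ipaddress
import re
from collections import Counter

# Request lines as printed by `tcpdump -e -n arp`: source MAC, target IP, asking IP.
ARP_REQUEST = re.compile(
    r"^\S+ (?P<mac>[0-9a-f:]{17}) > \S+ ethertype ARP .*?"
    r"Request who-has (?P<target>[\d.]+) (?:\([^)]*\) )?tell (?P<asker>[\d.]+)",
    re.IGNORECASE,
)

def off_subnet_arp(lines, lan_cidr):
    """Count ARP requests for targets outside lan_cidr, keyed by (MAC, asker, target)."""
    lan = ipaddress.ip_network(lan_cidr)
    hits = Counter()
    for line in lines:
        m = ARP_REQUEST.match(line.strip())
        if m is None:
            continue  # ARP replies, other traffic, truncated lines
        if ipaddress.ip_address(m["target"]) not in lan:
            hits[(m["mac"].lower(), m["asker"], m["target"])] += 1
    return hits

# Constructed capture; the LAN subnet and MAC addresses are assumptions.
SAMPLE = """\
09:14:01.100000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.23, length 46
09:14:01.100400 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:01, length 28
09:14:05.200000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 216.251.231.64 tell 192.168.1.23, length 46
09:14:06.200000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 216.251.231.64 tell 192.168.1.23, length 46
09:14:07.000000 00:66:77:88:99:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.50 tell 192.168.1.40, length 46
""".splitlines()

if __name__ == "__main__":
    for (mac, asker, target), n in off_subnet_arp(SAMPLE, "192.168.1.0/24").most_common():
        print(f"{mac} ({asker}) sent {n} ARP request(s) for off-subnet {target}")
```

A host that shows up here is treating the remote address as on-link, so its netmask and routing table are the next things to check.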
-
Assumption: Somewhere in the bowels of pfSense there is a setting that says "route all packets intended for Palmetto over OpenVPN".
Questions: Where would I find this setting? Why would it have spontaneously changed over Xmas weekend?
If anyone has any suggestions as to where I might look, I would be much obliged.
If there is such a setting it's because you activated it through your own configuration setting.
Based on the evidence you have given you have come to the wrong conclusion. In particular you say that when you try to ping Palmetto from the laptop there are no packets with the Palmetto address in the tcpdump. This means pfSense isn't receiving the packets destined for Palmetto so of course it isn't forwarding them!
The routing is broken on the laptop.
The VPN adds another factor to the problem but since you haven't given any information about it other than to mention there is a VPN I can't take it into account. I think you should really try to understand why the VPN is in the configuration before you attempt to recreate it.
Wild speculation: When connected directly to the internet the laptop is able to create a VPN that enables it to get to Palmetto. When connected to pfSense the laptop can't establish the VPN so "falls back" to attempting to connect with Palmetto over the only operating interface - the LAN.
It seems to me that you answer my posts without reading them. It seems only fair that I should read yours, and not answer it.
-
Just to follow up in case anyone else ever has a similar problem: I added a static route, thusly:
Interface   Network             Gateway         Description
WAN         216.251.231.64/32   (our gateway)   Palmetto
and now my users can reach the Palmetto website. This static route is the same as the default route, so I don't really understand why it's necessary… but it works.