Can't access LAN from WAN

peterclo

Hi,

I've set up a pfsense box with loadbalanced dual WAN and OpenVPN (thanks to dairaen for his OpenVPN tutorial). The loadbalancer is working nicely and I can connect my OpenVPN clients to pfsense through the WAN link. The OpenVPN logs don't show any error. My LAN is a 192.168.1.0/24 network with a 192.168.1.253 interface and my OpenVPN clients get addresses in the network 192.168.192.0/24 when they connect through the WAN interface (OPT1 is not used for OpenVPN).

Here are some of the lines showing up in the OpenVPN logs on a client, I added push statements for domain and DNS:

Wed Oct 18 10:15:29 2006 us=32874 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DOMAIN corp,dhcp-option DNS 192.168.1.1 ,dhcp-option DNS 192.168.1.253 ,route 192.168.192.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.192.6 192.168.192.5'
Wed Oct 18 10:15:29 2006 us=95149 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.192.6/255.255.255.252 on interface {880FF45C-8D5C-464D-ACDE-F5CEE9341558} [DHCP-serv: 192.168.192.5, lease-time: 31536000]
Wed Oct 18 10:15:29 2006 us=148585 Successful ARP Flush on interface [4] {880FF45C-8D5C-464D-ACDE-F5CEE9341558}
Wed Oct 18 10:15:29 2006 us=198034 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Oct 18 10:15:29 2006 us=198073 Route: Waiting for TUN/TAP interface to come up…
Wed Oct 18 10:15:30 2006 us=280375 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Oct 18 10:15:30 2006 us=280414 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 18 10:15:31 2006 us=358444 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Oct 18 10:15:31 2006 us=358482 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 18 10:15:32 2006 us=436768 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Oct 18 10:15:32 2006 us=436806 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 18 10:15:33 2006 us=515009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Oct 18 10:15:33 2006 us=515047 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 18 10:15:34 2006 us=593062 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Oct 18 10:15:34 2006 us=593112 route ADD 192.168.1.0 MASK 255.255.255.0 192.168.192.5
Wed Oct 18 10:15:34 2006 us=597957 Route addition via IPAPI succeeded
Wed Oct 18 10:15:34 2006 us=597994 route ADD 192.168.192.0 MASK 255.255.255.0 192.168.192.5
Wed Oct 18 10:15:34 2006 us=602787 Route addition via IPAPI succeeded
Wed Oct 18 10:15:34 2006 us=602818 Initialization Sequence Completed

Here are my firewall rules on LAN:

| Proto | Source | Port | Destination | Port | Gateway | Description |
| * | LAN net | * | * | * | LBtoWANs | |
| * | LAN net | * | * | * | * | Default LAN -> any |

and on WAN:

| Proto | Source | Port | Destination | Port | Gateway |
| UDP | * | * | * | 1695 | * |
| TCP | * | * | * | 443 (HTTPS) | * |

So my problem is that my clients can ping the 192.168.192.1 IP and the 192.168.1.253 IP (LAN interface) but not the other computers located on the LAN.

I'm obviously missing something really simple and I've been trying to find an answer on the forums but so far I haven't found it. Can someone help me on this please?

Excuse me for my ignorance, I'm pretty new at this :)

Oh and to the pfsense team: keep up the great work!

awestwell

Check you netmask on your interfaces … If they are wrong you wont be able to access machine located in that interface

-Ashley

peterclo

OK, my 192.168.1.0 LAN netmask is 255.255.255.0, but how come the OpenVPN server gives a 192.168.192.6/255.255.255.252 adress/netmask to my client? I set up the address pool as 192.168.192.0/24 in the OpenVPN settings.

SFM

I have openvpn running on release 1.0 with no issues.

Maybe try retyping the pool address and saving.
Or
Deleting the openvpn server and creating it again.

peterclo

OK I use 1.0 too. I noticed that I can't delete the default VPN tunnel, and when I edit it, enter details and save it creates a second VPN tunnel while leaving the default one (with empty fields, empty certificates, etc). Don't know if it's an issue, I remember having this same "bug" in RC2-3

I changed the pool to another network then used 192.168.192.0/24 again but it didn't solve the problem.

I deleted my VPN tunnel then recreated it. When I reconnected my client the logs showed that it was still getting the old VPN tunnel details (push, etc). I then rebooted pfsense and my new VPN tunnel didn't appear. I recreated the tunnel and rebooted pfsense again, and then the tunnel appeared. This is probably normal behavior though, maybe mentionning it here will help another newbie ;)

I got the same result though, I can ping 192.168.192.1 and 192.168.1.253 (LAN interface) but no other IP.

I see in the logs a route is added (route ADD 192.168.1.0 MASK 255.255.255.0 192.168.192.5) but I can't ping the 192.168.192.5 IP which, I take it, is a kind of virtual gateway attributed by pfsense (it also acts as DHCP server)?

SFM > did you have to add any firewall rule that I didn't add (cf my original post) or anything else on pfsense?

SFM

Peterclo,

Did you get a chance to look at this …
http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

It is very well written.

I only have one rules in my firewall to opne 1194 to vpn clients.

WAN RULE
UDP  *  *  *  1194  *  OPEN VPN

peterclo

Absolutely, that's the tutorial I followed to set up my VPN, it's indeed very nice.

Thank you for your answer regarding the firewall rules, I was wondering if I had forgotten something there.

Do your clients also get a 255.255.255.252 netmask?

SFM

Peterclo,

Ok I just went and tryed my openVPN and I am having the same issues you are.

I upgraded yesterday and I guess hadn't tryed it since then.

It worked without any issues with RC3 and now that I am at 1.0 it does not work.

I get connected but can't get anywhere, I also get the 255.255.255.252 mask.

Either something needs to be changed when going from RC3 to 1.0 or there is an issue with 1.0.

SFM

peterclo

You can't imagine how relieved I am. Well, no, not really, I'd prefer it if it worked :p I hope the issue can be resolved now that we're both having problems here.

SFM

My firewall logs show TUN0 being blocked.

Oct 18 10:26:35 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
Oct 18 10:26:35 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
Oct 18 10:26:29 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
Oct 18 10:26:29 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
Oct 18 10:26:26 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
Oct 18 10:26:26 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
Oct 18 10:26:14 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
Oct 18 10:26:08 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
Oct 18 10:26:05 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
Oct 18 10:25:53 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
Oct 18 10:25:53 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP
Oct 18 10:25:47 TUN0 10.0.0.134 10.0.0.10 ICMP
Oct 18 10:25:47 TUN0 10.0.0.134:1030 10.0.0.10:53 TCP
Oct 18 10:25:47 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
Oct 18 10:25:47 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP
Oct 18 10:25:46 TUN0 10.0.0.134:1030 10.0.0.10:53 TCP
Oct 18 10:25:44 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
Oct 18 10:25:44 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP

peterclo

Ah I get things like this :

Oct 18 17:59:24  NG0  84.97.e.f:24846  86.71.g.h:52272  UDP
Oct 18 17:59:22 NG0 84.97.e.f:24846 86.71.g.h:52272 UDP
Oct 18 17:57:16  NG0  86.71.a.b:3571  86.71.a.c:135  TCP
Oct 18 17:57:16 NG0 86.71.a.b:3563 86.71.a.c:445 TCP

dairaen

cheers,

first off, i have 1.0 running for road warriors & site-to-site and both tunnels
work as supposed, so i don't think it's a pfsense problem.

Question, the LAN servers you want to ping, do they have the
pfsense as gateway? If you are testing and a second gateway
is available this could be the problem (i encountered that, because
i forgot to change the gateway of one of my LAN boxes).

On one of your LAN servers and road warrior please show me "netstat -r".

Also, please install a "any, any, any, …" testing-rule for both WAN and LAN
to ensure it is not the firewall.

Reboot the box once after that and try again.

Do your clients also get a 255.255.255.252 netmask?

yep, that's ok.

peterclo

Hey dairaen!

He he, that was it, and as I thought it was just me being stupid: the computer I was trying to ping was using our current router as a gateway and not my precious new pfsense box :) No wonder the poor packets didn't know how to find things :)

Thanks a lot for your help and the great tutorial you wrote! Maybe you could add a "Beware of your gateway" line in the section where you're supposed to test your new VPN tunnel?

I hope SFM has the same happy ending :)

SFM

Dairaen,
thanks for helping me figure this out.

I was using the pfsense as gateway on lan server to answer that question.

What I was doing in previous versions is pushing the local network with Wins and Dns servers.
This worked without any issues.

When I upgraded to 1.0 this no longer worked…......

After putting the local network in the proper location in the vpn server config and deleting it as a push everything works.

It also worked if I added (push "redirect-gateway def1") and left my config as it was. Only proplem with this is I do not want clients using it as there default gateway.

dairaen

Maybe you could add a "Beware of your gateway" line in the section where you're supposed to test your new VPN tunnel?

done ;)