Can't access LAN from WAN
-
Peterclo,
Did you get a chance to look at this …
http://www.uplinksecurity.de/data/pfsense-ovpn.pdf
It is very well written.
I only have one rule in my firewall to open 1194 to VPN clients.
WAN RULE
UDP * * * 1194 * OPEN VPN
-
Absolutely, that's the tutorial I followed to set up my VPN, it's indeed very nice.
Thank you for your answer regarding the firewall rules, I was wondering if I had forgotten something there.
Do your clients also get a 255.255.255.252 netmask?
-
Peterclo,
Ok, I just went and tried my OpenVPN and I am having the same issues you are.
I upgraded yesterday and I guess I hadn't tried it since then.
It worked without any issues with RC3 and now that I am at 1.0 it does not work.
I get connected but can't get anywhere, I also get the 255.255.255.252 mask.
Either something needs to be changed when going from RC3 to 1.0 or there is an issue with 1.0.
SFM
-
You can't imagine how relieved I am. Well, no, not really, I'd prefer it if it worked :p I hope the issue can be resolved now that we're both having problems here.
-
My firewall logs show TUN0 being blocked.
Oct 18 10:26:35 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
Oct 18 10:26:35 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
Oct 18 10:26:29 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
Oct 18 10:26:29 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
Oct 18 10:26:26 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
Oct 18 10:26:26 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
Oct 18 10:26:14 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
Oct 18 10:26:08 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
Oct 18 10:26:05 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
Oct 18 10:25:53 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
Oct 18 10:25:53 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP
Oct 18 10:25:47 TUN0 10.0.0.134 10.0.0.10 ICMP
Oct 18 10:25:47 TUN0 10.0.0.134:1030 10.0.0.10:53 TCP
Oct 18 10:25:47 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
Oct 18 10:25:47 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP
Oct 18 10:25:46 TUN0 10.0.0.134:1030 10.0.0.10:53 TCP
Oct 18 10:25:44 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
Oct 18 10:25:44 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP
-
Ah I get things like this :
Oct 18 17:59:24 NG0 84.97.e.f:24846 86.71.g.h:52272 UDP
Oct 18 17:59:22 NG0 84.97.e.f:24846 86.71.g.h:52272 UDP
Oct 18 17:57:16 NG0 86.71.a.b:3571 86.71.a.c:135 TCP
Oct 18 17:57:16 NG0 86.71.a.b:3563 86.71.a.c:445 TCP
-
cheers,
first off, i have 1.0 running for road warriors & site-to-site and both tunnels work as supposed, so i don't think it's a pfsense problem.
Question, the LAN servers you want to ping, do they have the pfsense as gateway? If you are testing and a second gateway is available this could be the problem (i encountered that, because i forgot to change the gateway of one of my LAN boxes).
On one of your LAN servers and road warrior please show me "netstat -r".
Also, please install an "any, any, any, …" testing-rule for both WAN and LAN to ensure it is not the firewall.
Reboot the box once after that and try again.
Do your clients also get a 255.255.255.252 netmask?
yep, that's ok.
-
Hey dairaen!
He he, that was it, and as I thought it was just me being stupid: the computer I was trying to ping was using our current router as a gateway and not my precious new pfsense box :) No wonder the poor packets didn't know how to find things :)
Thanks a lot for your help and the great tutorial you wrote! Maybe you could add a "Beware of your gateway" line in the section where you're supposed to test your new VPN tunnel?
I hope SFM has the same happy ending :)
-
Dairaen,
thanks for helping me figure this out.
I was using the pfsense as gateway on lan server to answer that question.
What I was doing in previous versions is pushing the local network with Wins and Dns servers.
This worked without any issues. When I upgraded to 1.0 this no longer worked…
After putting the local network in the proper location in the vpn server config and deleting it as a push everything works.
It also worked if I added (push "redirect-gateway def1") and left my config as it was. Only problem with this is I do not want clients using it as their default gateway.
-
Maybe you could add a "Beware of your gateway" line in the section where you're supposed to test your new VPN tunnel?
done ;)
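The gateway check dairaen asks for above ("netstat -r" on the LAN server), as an added example that is not from the thread or the tutorial: it parses Linux-style `netstat -rn` output and uses longest-prefix matching to see where the server sends its replies to a VPN client. All addresses are constructed assumptions (192.168.1.0/24 LAN, 192.168.1.1 old router, 192.168.1.254 pfSense, 10.8.0.6 VPN client).

```python
import ipaddress

# Constructed sample: `netstat -rn` (Linux layout) from a LAN server whose
# default gateway is still the old router, not the pfSense box.
SAMPLE_BROKEN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

# Same host after its default gateway is changed to pfSense (constructed).
SAMPLE_FIXED = SAMPLE_BROKEN.replace("192.168.1.1 ", "192.168.1.254 ")


def parse_routes(text):
    """Return [(network, gateway)] from Linux-style `netstat -rn` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # title line or blank line
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
            gw = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # column header or malformed row
        routes.append((net, gw))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: gateway used for dst, or None if no route.
    A gateway of 0.0.0.0 means the destination is directly connected."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]


def return_path_ok(routes, vpn_client, vpn_gateway):
    """True if replies to the VPN client are handed to the VPN gateway."""
    return next_hop(routes, vpn_client) == ipaddress.ip_address(vpn_gateway)


if __name__ == "__main__":
    for name, table in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        routes = parse_routes(table)
        print(name, next_hop(routes, "10.8.0.6"),
              return_path_ok(routes, "10.8.0.6", "192.168.1.254"))
```

In the broken table the reply to 10.8.0.6 leaves via 192.168.1.1, which has no route back into the tunnel, so the client connects but nothing answers.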