Netgate Discussion Forum
    Strange ping on pfsense 2.0 openvpn

    Category: OpenVPN
    11 Posts, 3 Posters, 4.8k Views
    • onkeldave83

      hello,

      I can only ping clients... only clients with the gateway and DNS entry pointing to pfSense.

      Clients with a router entry are not pingable over the VPN (pinging by IP).

      But both are in the same network
      (I can ping within the network from machine to machine, but not over the VPN; there, only clients with pfSense entries for gateway and DNS).

      STRANGE!!!

      Can someone explain to me why?

      In pfSense 1.2.3 that was not a problem!

      thanks, dave

      • SeventhSon

        I think by default everything is blocked on the VPN interface, so if you want to ping the computers, you have to allow ICMP on that interface.

        • onkeldave83

          I have enabled an any/any/any rule!

          And then....

          Why can I only ping clients with their gateway configured to pfSense (over the VPN)??? ;)

          • jimp (Rebel Alliance Developer, Netgate)

            It is not strange that you can't ping something over a VPN that isn't using pfSense as its default gateway.

            Consider this:

            To: Client A -> VPN -> pfSense -> Server B
            From: Server B -> pfSense -> VPN -> Client A

            If pfSense is the gateway, the path back is clear. If Server B has a different gateway (Router C, say), it will not work:

            To: Client A -> VPN -> pfSense -> Server B
            From: Server B -> Router C -> ??? (Packet dropped or shoved out WAN without NAT)

            One way to solve this (obviously) is to make pfSense the gateway. The other way is to add a static route on Router C that points the subnet for VPN users/clients back to pfSense.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • onkeldave83

              hmm ok

              You mean the route is missing....

              vpn-client1 (10.10.0.6/24)
                 |
              internet router (192.168.10.1/24)
                 |
              pfSense [10.10.0.1/24 (ovpn1), 192.168.10.9/24 (wan), 192.168.10.10/24 (lan)]
                 |
                 +---- network-client1 (192.168.10.101/24)
                 +---- network-client2 (192.168.10.202/24)

              network-client1 has its gateway and DNS set to pfSense (192.168.10.10)
              network-client2 has only an IP and subnet mask

              Ping only works with network-client1.

              There is no other router!

              Ping access only with a gateway?
              I think not.

              Routes.... you mean I have to configure a static route in the internet router?

              Thanks for the help!

              • onkeldave83

                Can someone please give me an example of routing for my structure?

                thanks

                • SeventhSon

                  Sorry, I can't make sense of your network diagram.

                  Might be a good idea to do some reading on default gateway, static routes and routing in general.

                  It boils down to this:
                  Anything on the local subnet gets sent directly.
                  Anything matching a static route (in the routing table) gets sent to the respective gateway from the routing table.
                  Everything else goes to the default gateway.

                  The default gateway in turn does the same, so if it needs to reach a network that is not directly connected and not reachable through its own default gateway, you need a (static) route in its routing table.

                  • onkeldave83

                    ok!

                    I know this is right!

                    Posted by: jimp

                        It is not strange that you can't ping something over a VPN that isn't using pfSense as its default gateway.

                        Consider this:

                        To: Client A -> VPN -> pfSense -> Server B
                        From: Server B -> pfSense -> VPN -> Client A

                        If pfSense is the gateway, the path back is clear. If Server B has a different gateway (Router C, say), it will not work:

                        To: Client A -> VPN -> pfSense -> Server B
                        From: Server B -> Router C -> ??? (Packet dropped or shoved out WAN without NAT)

                        One way to solve this (obviously) is to make pfSense the gateway. The other way is to add a static route on Router C that points the subnet for VPN users/clients back to pfSense.

                    But I took the second router away from the network!

                    Now there are only clients with their gateway set to pfSense and clients with no gateway (these clients need no internet), and even so I can only ping machines with their gateway set to pfSense :( !

                    WHY?

                    I think OpenVPN in pfSense 2.0
                    (when I configure OpenVPN with "remote access ssl/tls", "Local Network 192.168.10.0/24" and "Allow communication between clients connected to this server")
                    makes the local network = VPN tunnel, so that from my machine (local 192.168.1.2/24 and tunnel IP 10.10.0.6/24) I can ping everyone in the local network behind the tunnel (192.168.10.0/24).

                    It makes no sense :(

                    • jimp (Rebel Alliance Developer, Netgate)

                      They must have a gateway or you cannot reach them over the VPN.

                      Not without some extra NAT going on, anyhow.


                      • onkeldave83

                        Can I make some modification to NAT on pfSense to make it work?

                        Or is the only solution bridging in the VPN?
                        Or can bridging the ovpns1 interface make it possible?

                        Thanks for the help, jimp!!!

                        • jimp (Rebel Alliance Developer, Netgate)

                          Bridging is ugly and really isn't needed.

                          Firewall > NAT, Outbound NAT tab
                          Switch to manual outbound NAT, press save.
                          Add a rule, interface is LAN, source address would be your VPN subnet. Destination would be your LAN subnet, translation address would be 'Interface Address'.

                          That should be enough.


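As an added example (not code from the thread, from pfSense or from OpenVPN), the following Python model plays out the three routing rules SeventhSon listed and the two paths jimp traced: a reply from a host whose gateway is pfSense comes back over the tunnel, a reply from a host with no gateway is dropped on the host itself, and a reply from a host whose gateway is the internet router leaves towards the ISP unless that router has a static route for the VPN subnet. It also models jimp's outbound NAT fix, where pfSense rewrites the VPN client's source address to its own LAN address so every LAN host can answer without knowing about 10.10.0.0/24. The addresses are the ones from dave's diagram; the topology is simplified to one flat LAN behind the internet router (an assumption), and the ISP next hop 203.0.113.1 and the host names are made up.

```python
from ipaddress import ip_address, ip_network


class Host:
    """A host or router with its interfaces, static routes and default gateway."""

    def __init__(self, name, interfaces, static_routes=(), default_gw=None):
        self.name = name
        # address -> the directly connected subnet it sits on
        self.addrs = {ip_address(c.split("/")[0]): ip_network(c, strict=False)
                      for c in interfaces}
        self.static = [(ip_network(n), ip_address(gw)) for n, gw in static_routes]
        self.default_gw = ip_address(default_gw) if default_gw else None

    def next_hop(self, dst):
        """Rules in order: connected subnet, longest matching static route, default gateway."""
        if any(dst in net for net in self.addrs.values()):
            return "direct", dst
        matches = [(net, gw) for net, gw in self.static if dst in net]
        if matches:
            return "via", max(matches, key=lambda m: m[0].prefixlen)[1]
        if self.default_gw is not None:
            return "via", self.default_gw
        return None, None


def owner_of(hosts, addr):
    return next((h for h in hosts.values() if addr in h.addrs), None)


def trace(hosts, start, dst):
    """Forward one packet hop by hop; returns (list of host names, status)."""
    dst, cur, path = ip_address(dst), hosts[start], [start]
    for _ in range(8):  # hop limit
        kind, hop = cur.next_hop(dst)
        if kind is None:
            return path, f"dropped at {cur.name}: no route to {dst}"
        nxt = owner_of(hosts, hop)
        if nxt is None:
            return path, f"dropped: {cur.name} sent it to {hop}, which is off our network"
        path.append(nxt.name)
        if kind == "direct":
            return path, "delivered"
        cur = nxt
    return path, "dropped: hop limit"


def ping(hosts, src_host, src_ip, dst_ip, nat_via=None):
    """Echo request and reply. nat_via models jimp's outbound NAT rule: pfSense
    rewrites the source to its own LAN address, so the reply is addressed to
    pfSense, which un-translates it and forwards it back over the tunnel."""
    fwd_path, fwd = trace(hosts, src_host, dst_ip)
    if fwd != "delivered":
        return fwd, None
    target = fwd_path[-1]
    if nat_via is None:
        return fwd, trace(hosts, target, src_ip)[1]
    nat_path, back = trace(hosts, target, nat_via)
    if back != "delivered":
        return fwd, back
    return fwd, trace(hosts, nat_path[-1], src_ip)[1]


def build(client2_gw=None, router_static=()):
    """Simplified version of dave's diagram (assumption: one flat LAN behind the
    internet router). 203.0.113.1 stands in for the ISP and is made up."""
    return {
        "vpn-client1": Host("vpn-client1", ["10.10.0.6/24"],
                            static_routes=[("192.168.10.0/24", "10.10.0.1")]),  # pushed by OpenVPN
        "pfsense": Host("pfsense", ["10.10.0.1/24", "192.168.10.10/24"],
                        default_gw="192.168.10.1"),
        "router": Host("router", ["192.168.10.1/24"], static_routes=router_static,
                       default_gw="203.0.113.1"),
        "client1": Host("client1", ["192.168.10.101/24"], default_gw="192.168.10.10"),
        "client2": Host("client2", ["192.168.10.202/24"], default_gw=client2_gw),
    }


if __name__ == "__main__":
    src, c1, c2 = "10.10.0.6", "192.168.10.101", "192.168.10.202"
    print("gateway = pfSense      ", ping(build(), "vpn-client1", src, c1))
    print("no gateway at all      ", ping(build(), "vpn-client1", src, c2))
    print("gateway = router       ", ping(build("192.168.10.1"), "vpn-client1", src, c2))
    print("router has static route",
          ping(build("192.168.10.1", [("10.10.0.0/24", "192.168.10.10")]), "vpn-client1", src, c2))
    print("outbound NAT on LAN    ", ping(build(), "vpn-client1", src, c2, nat_via="192.168.10.10"))
```

The echo request always arrives, because pfSense has both subnets directly connected; only the reply path varies, which is why allowing ICMP on the OpenVPN interface did not change anything for dave. The NAT case is the one where client2 needs no route at all: it answers to 192.168.10.10, a neighbour on its own subnet. In pf syntax the rule jimp describes corresponds roughly to `nat on $LAN from 10.10.0.0/24 to 192.168.10.0/24 -> ($LAN)` (my rendering, not copied from a generated pfSense ruleset). The cost is that client2 then sees every VPN user as 192.168.10.10, so its own logs and host firewall can no longer distinguish VPN clients from the firewall itself; a static route on the router, or pfSense as the default gateway, keeps the real source addresses visible.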
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.