Strange ping on pfsense 2.0 openvpn



  • hello,

I can only ping clients….. only clients with a gateway and DNS entry pointing to pfSense.

    Clients with a router entry are not pingable over VPN (pinging by IP).

    But both are in the same network
    (I can ping in the network from machine to machine, but not over VPN - there only clients with pfSense entries in gateway and DNS).

    STRANGE!!!

    Can someone explain to me why?

    In pfSense 1.2.3 that was not a problem!

    thanks dave



• I think by default everything is blocked on the VPN interface, so if you want to ping the computers, you have to allow ICMP on the interface.



• I have enabled an any/any/any rule!

    And then….

    Why can I only ping clients with a configured gateway to pfSense (over VPN)??? ;)


  • Rebel Alliance Developer Netgate

    It is not strange that you can't ping something over a VPN that isn't using pfSense as its default gateway.

    Consider this:

    To: Client A -> VPN -> pfSense -> Server B
    From: Server B -> pfSense -> VPN -> Client A

    If pfSense is the gateway, the path back is clear. If Server B has a different gateway (Router C, say), it will not work:

    To: Client A -> VPN -> pfSense -> Server B
    From: Server B -> Router C -> ??? (Packet dropped or shoved out WAN without NAT)

    One way to solve this (obviously) is to make pfSense the gateway. The other way is to add a static route on Router C that points the subnet for VPN users/clients back to pfSense.



  • hmm ok

    you mean the route is missing….

vpn-client1 (10.10.0.6/24)
        |
    internet router (192.168.10.1/24)
        |
    pfsense: 10.10.0.1/24 (ovpn1), 192.168.10.9/24 (wan), 192.168.10.10/24 (lan)
        |
        +---- network client1 (192.168.10.101/24)
        +---- network client2 (192.168.10.202/24)

network-client1 has gateway and DNS set to pfSense (192.168.10.10)
    network-client2 has only an IP and subnet

    Ping only works with network-client1.

    There is no other router!

    Does ping only work with a gateway?
    I think not.

    Routes.... you mean I have to configure a static route in the internet router?

    thanks for help!



• Can someone please give me an example of routing in my structure?

    thanks



  • Sorry, I can't make sense of your network diagram.

    Might be a good idea to do some reading on default gateway, static routes and routing in general.

    It boils down to this:
Anything on the local subnet gets sent directly.
    Anything matching the static routes (routing table) gets sent to the respective gateway in the routing table.
    Everything else goes to the default gateway.

    The default gateway in turn does the same, so if it needs to reach a network that is not directly connected or not reachable through its default gateway, you need a (static) route in the routing table.



  • ok!

I know this is right!

    Posted by: jimp
    It is not strange that you can't ping something over a VPN that isn't using pfSense as its default gateway.
    
    Consider this:
    
    To: Client A -> VPN -> pfSense -> Server B
    From: Server B -> pfSense -> VPN -> Client A
    
    If pfSense is the gateway, the path back is clear. If Server B has a different gateway (Router C, say), it will not work:
    
    To: Client A -> VPN -> pfSense -> Server B
    From: Server B -> Router C -> Huh (Packet dropped or shoved out WAN without NAT)
    
    One way to solve this (obviously) is to make pfSense the gateway. The other way is to add a static route on Router C that points the subnet for VPN users/clients back to pfSense.
    

But I took the second router out of the network!

    Now there are only clients with a gateway to pfSense and clients with no gateway (these clients need no internet), and even so I can only ping machines with a gateway to pfSense :( !

    WHY?

    I think OpenVPN in pfSense 2.0
    (when I configure OpenVPN with "remote access ssl/tls", "Local Network 192.168.10.0/24" and "Allow communication between clients connected to this server")
    makes the local network = VPN tunnel, so that I can ping from my machine (local 192.168.1.2/24 and tunnel IP 10.10.0.6/24) everyone in the local network behind the tunnel (192.168.10.0/24).

    It makes no sense :(


  • Rebel Alliance Developer Netgate

    They must have a gateway or you cannot reach them over the VPN.

    Not without some extra NAT going on anyhow.



• Can I make some modification in NAT on pfSense to make it work?

    Or is the only solution bridging in VPN?
    Or can bridging the ovpns1 interface make it possible?

    thanks for help jimp!!!


  • Rebel Alliance Developer Netgate

    Bridging is ugly and really isn't needed.

    Firewall > NAT, Outbound NAT tab
    Switch to manual outbound NAT, press save.
    Add a rule, interface is LAN, source address would be your VPN subnet. Destination would be your LAN subnet, translation address would be 'Interface Address'.

That should be enough.
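To make the routing-table argument from earlier in the thread and the effect of this outbound NAT rule concrete, here is a small added simulation (not from the thread or from pfSense) of the thread's topology: it does longest-prefix-match forwarding hop by hop and shows why a LAN host with no gateway (or with the internet router as gateway) cannot answer the VPN client, and why rewriting the source to pfSense's LAN address fixes it. The host "client3" with the internet router as gateway is an assumed extra case.

```python
import ipaddress as ip

# Constructed from the thread's topology: VPN client 10.10.0.6 reaches pfSense
# (ovpn 10.10.0.1, LAN 192.168.10.10); client1 uses pfSense as gateway, client2
# has no gateway, client3 (assumed) uses the internet router 192.168.10.1,
# which knows nothing about 10.10.0.0/24.
LAN, VPN, ANY = (ip.ip_network(n) for n in ("192.168.10.0/24", "10.10.0.0/24", "0.0.0.0/0"))
NODES = {  # name: (addresses, routing table [(prefix, next hop)]); "direct" = connected
    "pfsense": (("192.168.10.10", "10.10.0.1"), [(LAN, "direct"), (VPN, "direct"), (ANY, "192.168.10.1")]),
    "router":  (("192.168.10.1",), [(LAN, "direct"), (ANY, "internet")]),
    "client1": (("192.168.10.101",), [(LAN, "direct"), (ANY, "192.168.10.10")]),
    "client2": (("192.168.10.202",), [(LAN, "direct")]),
    "client3": (("192.168.10.203",), [(LAN, "direct"), (ANY, "192.168.10.1")]),
    "vpnpeer": (("10.10.0.6",), [(VPN, "direct"), (LAN, "10.10.0.1")]),
}

def owner(addr):
    return next((n for n, (addrs, _) in NODES.items() if addr in addrs), None)

def next_hop(node, dst):
    """Longest-prefix match over the node's table; None means no route at all."""
    matches = [(net, via) for net, via in NODES[node][1] if ip.ip_address(dst) in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(src_node, dst):
    """Follow a packet hop by hop; returns (delivered?, list of hops)."""
    path, node = [src_node], src_node
    for _ in range(8):  # loop guard
        via = next_hop(node, dst)
        if via is None or via == "internet":
            return False, path + ["dropped: no route" if via is None else "dropped: sent out WAN unrouted"]
        target = dst if via == "direct" else via
        nxt = owner(target)
        if nxt is None:
            return False, path + [f"dropped: {target} unreachable"]
        path.append(nxt)
        if via == "direct":
            return True, path
        node = nxt
    return False, path + ["loop"]

def ping_round_trip(lan_host, snat=False):
    """Echo request from the VPN client, then the reply. With the outbound NAT rule
    the LAN host sees pfSense's LAN address as the source instead of 10.10.0.6."""
    fwd_ok, fwd = trace("vpnpeer", NODES[lan_host][0][0])
    back_ok, back = trace(lan_host, "192.168.10.10" if snat else "10.10.0.6")
    return fwd_ok and back_ok, fwd, back

if __name__ == "__main__":
    for host in ("client1", "client2", "client3"):
        for snat in (False, True):
            print(host, "snat" if snat else "no-snat", ping_round_trip(host, snat))
```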

