Netgate Discussion Forum

ICMP through OpenVPN

  • tyns
    last edited by Jan 15, 2007, 4:45 PM

    I am in the testing stages of doing a site-to-client implementation of the OpenVPN that is built into pfSense. I am absolutely amazed at how well pfSense performs (great work).

    I am having a slight issue, however; perhaps there is something small I am missing.

    I have a separate gateway on my LAN that is at 10.100.251.2. When I set up a PPTP server and connect to the PPTP server, this gateway is completely accessible. I even have static routes in pfSense that go through this gateway. It works like magic.

    However, when I set up OpenVPN, I can ping and connect to every machine on the LAN except this gateway. I have narrowed it down possibly to the fact that ICMP is not properly being ported through to this gateway.

    There is no way to directly configure OpenVPN in the firewall rules, as there is with PPTP.

    Is this a known issue with OpenVPN or pfSense?

    I would really like to start using OpenVPN as I plan to do site-to-site bridging with it to our other offices.

    Again, a great piece of software, thank you kindly for all your hard work.

    • Helix26404
      last edited by Jan 16, 2007, 2:39 AM

      There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface.

      Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.

      • sullrich
        last edited by Jan 16, 2007, 2:47 AM

        @Helix26404:

        There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface.

        Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.

        Most likely because that only handles one side of the conversation. We do not talk about it because it's not a real fix.

        Unless you control both ends of the tunnel you will feel secure but the opposite is true. Therefore we simply say there are no firewall rules possible on 1.0 across OpenVPN and IPsec tunnels, but we are working on this.

        • tyns
          last edited by Jan 16, 2007, 9:03 PM

          Thanks for the suggestion…

          I gave it a try, but no luck... Essentially the "Default --> LAN any" should be sufficient to pass this rule along to the OpenVPN, shouldn't it?

          It is good to know that OpenVPN rules are a planned feature!

          I will have to wait till this is implemented. PPTP should be sufficient for my company's laptop users right now.

          Unless there is some other suggestion...

          Thanks.

          • Helix26404
            last edited by Jan 17, 2007, 5:39 AM

            I couldn't use the Default -> LAN any, because I am using Outbound NAT. Therefore, I had to explicitly tell pfSense to pass traffic from any source to my destination network (the pfSense interface network) using its own routing table (choose default on the gateway drop-down).

            • Helix26404
              last edited by Jan 17, 2007, 5:44 AM

              @sullrich:

              @Helix26404:

              There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface.

              Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.

              Most likely because that only handles one side of the conversation. We do not talk about it because it's not a real fix.

              Unless you control both ends of the tunnel you will feel secure but the opposite is true. Therefore we simply say there are no firewall rules possible on 1.0 across OpenVPN and IPsec tunnels, but we are working on this.

              Gotcha. So this is why anyone in the remote network can access anything in the local network (pfSense-side if we're assuming it's the server) provided the routes are set up correctly on the client-side.

              I was racking my brain trying to figure out why I could get traffic IN through the tun0 interface, but I couldn't get OUT unless I was using the pfSense box itself. At first I thought it was a route issue, but then realized that the firewall was locking it down. Setting up explicit rules permitting traffic from any source to destination OVPN interface and destination OVPN remote network did the trick.

              Thanks for the elaboration from the "inside". :)
