Pfsense 2.0-RC3: OpenVPN Road Warrior - Can't ping beyond PfSense Internal IP
Had pfsense 1.2.3 working for as long as I can remember. I've installed 2.0 and am having issues with openVPN road warrior setup. The VPN connects. I can ping Pfsense's internal IP but I cannot ping other LAN Ips. Here is the setup
Public IP: x.x.x.1
Internal IP: 192.168.1.1
Pfsense IP: y.y.y.1
Internal IP: 192.168.1.21
The internal IP of Pfsense Box and the Cisco Router are in the same network. The WAN IPs for Pfsense and Cisco router are different.
I want to connect to the internal LAN from the Pfsense box. OpenVPN connects successfully. I can ping 192.168.1.21 which is Pfsense's internal IP. However, from there I cannot ping 192.168.1.1 or the mail server or any other IP in that network.
How can I resolve that? Is it some firewall issue? NAT? Am stuck. Please assist.
Anyone with some idea on how it can be done?
What is the default gw of your LAN? 1.1?
Thanks for the response & sorry for the late reply - I hadn't ticked to be notified when there is a reply (Now I have!)
For the LAN PCs, the default gateway is 192.168.1.1
Well since your gateway is not the pfsense (openvpn connection) how does your cisco route back to the IP address of the openvpn client?
What ip range are you handing out to your openvpn clients?
So for example my openvpn clients get a 10.0.200.0/24 address – how would your clients respond if they saw a ping from 10.0.200.5? Well thats not on their network so they would send to gateway at 192.168.1.1, so what would cisco box do with traffic for 10.0.200.5 ??
if you want other devices on your network to be able to talk to devices on the other end of the tunnel, you have to correctly route that traffic -- ie your other devices need to know how to get to that network.
You can ping the lan ip of your pfsense box, because he knows about the route down the openvpn tunnel
Now Im not sure that your remote client would even use its tunnel IP as the source. It may very well use its own IP, so what if that IP was in the same network as your network (192.168.1.0/24) -- your .5 box is just going to put the response back on the wire - its never going to go back down the tunnel on the pfsense box.
What if say 172.16.14.23 -- where would your mail box send traffic that was from that IP ;)
Reloded, johnpoz is correct. What you need to do is to add a route statement on your cisco device to route your vpn_clientP_subnet to the pfsense box. The reason your client can ping 192.168.1.21 only is because your the default the route on your pfsense is back to the internet.
add this command to your cisco box
ip route vpn_client_subnet vpn_client_subnet_mask 192.168.1.21
and it should work.
So here you go sometimes pictures are worth a 1,000 words.
So I connected in from work to my home openvpn running on pfsense.
I then did a remote desktop to a box on my home network at 192.168.1.100, And did quick sniff of the icmp traffic – as you can see when I ping it from my work openvpn connected box that got an IP address of 10.0.200.6
The box your pinging would need to know how to get back to that 10.0.200.6 address, in my case since pfsense is gateway for the 192.168.1.100 box sends the response back to the pfsense box (gateway) and pfsense routes it down the tunnel.
But in your case it would send it to your cisco device.