[solved] OpenVPN WinXP clients connects, but no LAN access



  • Several days reading through forum posts and testing of various modifications but still no access to the LAN behind a pfsense 2.0 (Alix2D13) box.
    Situation: The OpenVPN client on a WinXP notebook connects fine with the pfSense 2.0 box and gets the IP 192.168.2.6, but the LAN attached to the pfSense box is not accessible.

    The setup:
    In front of the pfSense box is a router with an integrated VDSL modem and the static IP 192.168.0.1. This VDSL router provides the outside WAN connection via PPPoE, and its DHCP is off. For OpenVPN the VDSL router forwards port 80 to port 1194 on the WAN port of the pfSense box. The WAN port on the pfSense box has the static IP 192.168.0.2. The OpenVPN client connects via normal http (port 80) to the external WAN address and, via the port forward, reaches the OpenVPN server on the pfSense box. The connection comes up okay. From the WinXP client the pfSense box with the static IP address 192.168.1.3 can be reached ok (DHCP server active). The pfSense GUI is accessible from the client. The LAN address of the pfSense box is defined as the standard gateway for all the local LAN clients.

    The problem: A PC with IP 192.168.1.10 on the LAN can't be reached.
    However, it is possible to ping in the other direction, from a LAN PC (192.168.1.10) to the connected OpenVPN client (192.168.2.6).

    In the OpenVPN server the specified address pool is 192.168.2.0/24 and the local network is 192.168.1.0/24. The OpenVPN setup was done through the wizard in pfSense 2.0.

    In the OpenVPN Server setup form, when the option box "Redirect Gateway: Force all client generated traffic through the tunnel" is checked,
    it is additionally possible to ping the IPs on the pfSense WAN side, that is 192.168.0.1 (the VDSL router attached to the pfSense box) and the pfSense WAN port itself (192.168.0.2), but there is still no access to PCs on the LAN.
    All firewall rules look good (as set up by the wizard). Testing some other rules and playing around with extra "OpenVPN" interfaces and bridges had no good effect either.

    The routing table of the WinXP client looks good too. The two routers seem to work ok too.
    In the pfSense routing table there is the OpenVPN server with the IP 192.168.2.1. This can be pinged too.

    OpenVPN client (WinXP) routing table (without local host routes):

    Destination Address Destination Mask    Next Hop            IF Index  Metric    Persistent
    0.0.0.0             0.0.0.0             192.168.11.1        0x3       20        
    192.168.1.0         255.255.255.0       192.168.2.5         0x4       1        
    192.168.2.0         255.255.255.0       192.168.2.5         0x4       1        
    192.168.2.4         255.255.255.252     192.168.2.6         0x4       30        
    192.168.2.255       255.255.255.255     192.168.2.6         0x4       30        
    192.168.11.0        255.255.255.0       192.168.11.10       0x3       20        
    192.168.11.255      255.255.255.255     192.168.11.10       0x3       20        
    224.0.0.0           240.0.0.0           192.168.2.6         0x4       30        
    224.0.0.0           240.0.0.0           192.168.11.10       0x3       20        
    255.255.255.255     255.255.255.255     192.168.2.6         0x2       1        
    255.255.255.255     255.255.255.255     192.168.2.6         0x4       1        
    255.255.255.255     255.255.255.255     192.168.11.10       0x3       1

    And this is the routing table from the pfSense box:

    Destination      Gateway       Flags  Refs  Use     Mtu    Netif   Expire
    default          192.168.0.1   UGS    0     7309    1500   vr1
    127.0.0.1        link#6        UH     0     47      16384  lo0
    192.168.0.0/24   link#2        U      0     67285   1500   vr1
    192.168.0.2      link#2        UHS    0     0       16384  lo0
    192.168.1.0/24   link#1        U      0     539292  1500   vr0
    192.168.1.3      link#1        UHS    0     0       16384  lo0
    192.168.2.0/24   192.168.2.2   UGS    0     79      1500   ovpns1
    192.168.2.1      link#12       UHS    0     0       16384  lo0
    192.168.2.2      link#12       UH     0     0       1500   ovpns1
    195.50.140.114   192.168.0.1   UGHS   0     20      1500   vr1
    195.50.140.178   192.168.0.1   UGHS   0     0       1500   vr1

    The routing table on the local LAN PC looks good too. An optional transfer of an extra static route by the pfSense DHCP server via option code 33 to the LAN client does not improve the situation either.

    Solution:
    After seeing with Wireshark that the LAN PC receives the ping request just fine but does not respond to it, I found that the Windows 7 firewall settings prevented a response. After changing the firewall settings on the LAN PC all was fine and communication from the VPN client to the LAN PC was possible.
    Changes to the W7 firewall rules: http://www.fixya.com/support/r5359816-allow_ping_icmp_echo_request_windows_7

    Just 4 nights of frustration to find this problem.  >:(
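The post's key diagnostic step is ruling the routing tables out before looking at the host firewall. The script below, an added example and not part of the original post or of pfSense, parses constructed copies of the two tables shown above (Windows `route print` and FreeBSD `netstat -rn` formats), does a longest-prefix lookup the way the kernels do, and reports whether every leg of the client-to-LAN-PC path and the return leg is covered by a specific route rather than the default. When it is, a ping that is seen arriving in Wireshark but never answered points at the receiving host, exactly as the author found. The `Route` type, function names and the trimmed tables are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the two tables in the post, trimmed to the rows that
# matter for the two hosts involved (loopback, broadcast and multicast rows dropped).
WINXP_ROUTE_PRINT = """\
0.0.0.0             0.0.0.0             192.168.11.1        0x3       20
192.168.1.0         255.255.255.0       192.168.2.5         0x4       1
192.168.2.0         255.255.255.0       192.168.2.5         0x4       1
192.168.2.4         255.255.255.252     192.168.2.6         0x4       30
192.168.11.0        255.255.255.0       192.168.11.10       0x3       20
"""

PFSENSE_NETSTAT_RN = """\
default 192.168.0.1 UGS 0 7309 1500 vr1
192.168.0.0/24 link#2 U 0 67285 1500 vr1
192.168.1.0/24 link#1 U 0 539292 1500 vr0
192.168.2.0/24 192.168.2.2 UGS 0 79 1500 ovpns1
"""


@dataclass(frozen=True)
class Route:
    net: ipaddress.IPv4Network
    via: str         # next hop, or link#N for a directly connected network
    iface: str       # Windows interface index or BSD netif name
    metric: int = 0  # only Windows rows carry a metric; BSD rows get 0


def parse_windows_routes(text: str) -> List[Route]:
    """Parse 'route print' body rows: dest mask nexthop ifindex metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        dest, mask, nexthop, ifidx, metric = parts[:5]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, nexthop, ifidx, int(metric)))
    return routes


def parse_bsd_routes(text: str) -> List[Route]:
    """Parse 'netstat -rn' rows: dest gateway flags refs use mtu netif."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        dest, gateway, _flags, _refs, _use, _mtu, netif = parts[:7]
        if dest == "default":
            dest = "0.0.0.0/0"
        # A bare address without a prefix length is a host route and becomes /32
        net = ipaddress.ip_network(dest, strict=False)
        routes.append(Route(net, gateway, netif))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by the lowest metric, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.net.prefixlen, -r.metric))


CLIENT = parse_windows_routes(WINXP_ROUTE_PRINT)
PFSENSE = parse_bsd_routes(PFSENSE_NETSTAT_RN)


def trace(client_ip: str, lan_ip: str) -> dict:
    """Route chosen on each leg of a client <-> LAN-PC ping (the LAN PC's own
    table is not in the post, so its leg is taken on trust as the author did)."""
    return {
        "client->pfsense": lookup(CLIENT, lan_ip),
        "pfsense->lan":    lookup(PFSENSE, lan_ip),
        "pfsense->client": lookup(PFSENSE, client_ip),
    }


def routing_is_consistent(client_ip: str, lan_ip: str) -> bool:
    """True when no leg falls back to the default route: the path is fully routed,
    so a ping that arrives but is not answered is being dropped by the host, not routing."""
    legs = trace(client_ip, lan_ip).values()
    return all(r is not None and r.net.prefixlen > 0 for r in legs)


if __name__ == "__main__":
    for leg, r in trace("192.168.2.6", "192.168.1.10").items():
        print(f"{leg:16} {str(r.net):16} via {r.via:12} on {r.iface}")
    print("routing consistent:", routing_is_consistent("192.168.2.6", "192.168.1.10"))
```

Running it shows the client sending 192.168.1.10 into the tunnel via 192.168.2.5, pfSense delivering it on vr0, and the reply for 192.168.2.6 going back out ovpns1, so the tables agree with what Wireshark showed. The remaining suspect is the receiving host's inbound filter: the built-in Windows 7 "File and Printer Sharing (Echo Request - ICMPv4-In)" rule is typically scoped to the local subnet, and 192.168.2.0/24 is not local to a PC on 192.168.1.0/24, which is why the author's fix was to widen that rule's scope rather than to touch pfSense.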

