Site to Site unable to connect remote LAN



  • Hi All,

    I've just started using pfSense a few days ago and am trying to configure a site-to-site connection using OpenVPN and a shared key. After a few days of configuration, most of the items have been successful. The sites connect and are able to ping fine. However, I am stuck at the next step. I am trying to get my local LAN at Site A (server) to be able to connect to the LAN at Site B (client). From a PC in local LAN A, I am able to

    1. ping site B pfsense
    2. connect to site B pfsense web interface using LAN B address.

    However, I am having issues connecting to any other addresses in LAN B from the PC in my LAN A. No ping response as well. A few notes:

    1. Site A pfSense is able to ping any PC in the Site B LAN
    2. Site B pfSense receives firewall logs when a Site A PC is pinging any PC in the Site B LAN.

    I am thinking it may be NAT issues; not sure if I make myself clear here. Any leads will be nice! Thanks in advance!!



  • You are either missing routes for both of your LANs or the firewall is blocking.

    Try to post back a routing table + schematic of your network.
    Also see in your firewall logs if anything is blocked that shouldn't be.



  • Hi Heper,

    Thanks for the response. My network is constructed as such:
    Site A            Site A pfSense     Site B pfSense     Site B
    192.168.0.0/24 -> 192.168.0.254  ->  10.0.0.254     ->  10.0.0.0/16

    Tunnel Network: 192.168.100.0/30

    Routing table from Site A PC:
    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.244      30
            10.0.0.0      255.255.0.0    192.168.0.254  192.168.0.244      1
            127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
          192.168.0.0    255.255.255.0    192.168.0.244  192.168.0.244      30
        192.168.0.244  255.255.255.255        127.0.0.1      127.0.0.1      30
        192.168.0.255  255.255.255.255    192.168.0.244  192.168.0.244      30
        192.168.100.0  255.255.255.240    192.168.0.254  192.168.0.244      1
            224.0.0.0        240.0.0.0    192.168.0.244  192.168.0.244      30
      255.255.255.255  255.255.255.255    192.168.0.244  192.168.0.244      1

    When I do a traceroute using the Site A PC to 10.0.0.254:
    Tracing route to 10.0.0.254 over a maximum of 30 hops

      1     1 ms    <1 ms    <1 ms  192.168.0.254
      2    21 ms    37 ms    20 ms  10.0.0.254

    Trace complete.

    When I do a traceroute using the Site A PC to an IP in Site B:
    Tracing route to 10.0.0.12 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  192.168.0.254
      2    35 ms    21 ms    24 ms  192.168.100.2
      3    *        *        *    Request timed out.
      4    *        *        *    Request timed out.
      5    *        *        *    Request timed out.

    I've checked the firewall of pfSense in Site B; it allowed and logged the traceroute above from the Site A PC to the Site B PC, just the request timed out. Under the firewall log, the incoming IP is tagged as 192.168.0.11 (my Site A PC).

    If I use pfSense in Site A to ping/trace to any PCs in Site B, it works just fine.



  • It is better if you paste the routing table of both pfSense boxes. On the other hand, did you enter the correct values of the Local network and Remote network under the tunnel settings in the server and client configuration?



  • Yes, the tunnel networks are fine. Also, since my Site A pfSense is able to ping everything in Site B, I am sure the VPN is working fine. Just that the workstations in Site A are unable to ping Site B workstations.

    Here are the routing tables:
    Routing table of Site A pfSense
    Destination Gateway Flags Refs Use Mtu Netif Expire
    default 192.168.0.1 UGS 0 77702 1500 le0
    10.0.0.0/16 192.168.100.2 UGS 0 1856 1500 ovpns1
    127.0.0.1 link#4 UH 0 250 16384 lo0
    192.168.0.0/24 link#1 U 0 129154 1500 le0
    192.168.0.254 link#1 UHS 0 9 16384 lo0
    192.168.100.1 127.0.0.1 UH 0 0 16384 lo0
    192.168.100.2 link#8 UH 0 31741 1500 ovpns1

    Routing table of Site B pfSense
    Destination Gateway Flags Refs Use Mtu Netif Expire
    default 10.0.0.13 UGS 0 76104 1500 em0
    10.0.0.0/16 link#1 U 0 97658 1500 em0
    10.0.0.254 link#1 UHS 0 0 16384 lo0
    127.0.0.1 link#3 UH 0 147 16384 lo0
    192.168.0.0/24 192.168.100.1 UGS 0 2443 1500 ovpnc1
    192.168.100.1 link#7 UH 0 31244 1500 ovpnc1
    192.168.100.2 link#7 UHS 0 0 16384 lo0



  • Hi,

    I was able to resolve the problem. Just listing it here so it may help others meeting the same issue. As mentioned, pfSense's firewall in Site B is capturing the local LAN PC address from Site A when attempting to ping or connect. What I thought is that it should be reflecting Site A pfSense's tunnel network address.

    What I did was go to the Site A pfSense firewall, change to Manual NAT and add a NAT rule for the OpenVPN interface. After which, in the Site B pfSense firewall, it reflects Site A pfSense's tunnel address when a Site A PC tries to connect. Upon doing this, the connection is established successfully.



  • I'm not sure if I'm reading this correctly but… am I correctly interpreting that your WAN connection on pfSense-A is also on the 192.168.0.0/24 subnet?

    If yes then you should investigate that... the same subnet on LAN & WAN + VPN might be a problem.



  • @itanis:

    What I did was go to the Site A pfSense firewall, change to Manual NAT and add a NAT rule for the OpenVPN interface. After which, in the Site B pfSense firewall, it reflects Site A pfSense's tunnel address when a Site A PC tries to connect. Upon doing this, the connection is established successfully.

    This means you have a routing problem. It's a workaround, but generally you don't want to NAT in that scenario, and it will break some things (MS file sharing and related MS protocols are generally the only things; they can't be NATed).



  • Indeed it is a routing problem. In pfSense A you have this:

    default   192.168.0.1   UGS   0   77702   1500   le0

    And in pfSense B:

    default   10.0.0.13   UGS   0   76104   1500   em0

    This means that your WAN connections are in the same subnets as both pfSense LANs. So you should change your choice of IP range for both of your LANs.



  • Actually my WAN interface is disabled. The default route is what I put in my LAN interface as the gateway. Both pfSense boxes are not the main gateway of the network. Does this still apply? Not sure if it invites many issues if I put it this way.



  • @itanis:

    Actually my WAN interface is disabled. The default route is what I put in my LAN interface as the gateway. Both pfSense boxes are not the main gateway of the network.

    There's your problem. You need a route back to the VPN in whatever is the default gateway, and depending on what is the default gateway, there may be other considerations like not trying to statefully filter the asymmetrically routed traffic, or not using devices like a Cisco PIX that can't route traffic back out the same interface it comes in on, amongst other possible routing or filtering difficulties inherent in such a setup.



  • Thanks cmb. Given my network setup:

    LAN A – pfSense A -- Gateway(Router) ----<internet>---- Gateway(Firewall) ---- pfSense B -- LAN B

    So I came to the thought that I do not need a WAN IP on either pfSense. Thus I set the default gateway in pfSense A/B to the internet gateway in order to get an internet connection. For this, both pfSense A/B only have a LAN IP and no WAN IP.

    Given this, I set up OpenVPN site-to-site with pfSense A and B, for which the default route (internet) will for sure not be the VPN. Even though so far my NAT is giving 0 issues, I also want to take the chance to understand what a more proper setup is (which may benefit others as well). In this case it is a routing issue, so does that necessarily mean that if I set a default route or static route in pfSense B back to the VPN gateway it will work?



  • You need a static route in your gateway on each side. On the LAN A side, a route on the gateway pointing the LAN B subnet to pfSense A's IP. Same, flipping the sides, on the other end.
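To make the routing explanation concrete, here is an added simulation (not code from anyone in the thread and not pfSense's own code) that models each box with a small routing table and a longest-prefix-match lookup, then traces a ping from a Site A PC to a Site B PC and the reply on the way back. The two pfSense tables follow the netstat output pasted earlier; the gateways' tables, the PCs' default routes, the assumption that the upstream provider discards private destinations, and the node names are constructed for the example.

```python
"""Hop-by-hop forwarding simulation for the site-to-site routing problem.

Constructed example. The pfSense tables follow the thread; the gateways'
tables, the PCs' default routes and the node names are assumptions.
"""
import ipaddress


def build_topology(gateway_static_routes=False):
    """Return {node: {"addrs": set, "routes": [(prefix, next_hop), ...]}}.

    next_hop is an IP string (another node), "direct" (destination is on-link)
    or "internet" (upstream provider; assumed to discard RFC 1918 destinations).
    """
    nodes = {
        "pc-a": {"addrs": {"192.168.0.11"}, "routes": [
            ("0.0.0.0/0", "192.168.0.1"),          # main gateway of LAN A
            ("10.0.0.0/16", "192.168.0.254"),      # static route on the PC
            ("192.168.0.0/24", "direct")]},
        "pfsense-a": {"addrs": {"192.168.0.254", "192.168.100.1"}, "routes": [
            ("0.0.0.0/0", "192.168.0.1"),
            ("10.0.0.0/16", "192.168.100.2"),      # via ovpns1
            ("192.168.0.0/24", "direct")]},
        "gateway-a": {"addrs": {"192.168.0.1"}, "routes": [   # assumed table
            ("0.0.0.0/0", "internet"),
            ("192.168.0.0/24", "direct")]},
        "pfsense-b": {"addrs": {"10.0.0.254", "192.168.100.2"}, "routes": [
            ("0.0.0.0/0", "10.0.0.13"),
            ("10.0.0.0/16", "direct"),
            ("192.168.0.0/24", "192.168.100.1")]},  # via ovpnc1
        "gateway-b": {"addrs": {"10.0.0.13"}, "routes": [     # assumed table
            ("0.0.0.0/0", "internet"),
            ("10.0.0.0/16", "direct")]},
        "pc-b": {"addrs": {"10.0.0.12"}, "routes": [
            ("0.0.0.0/0", "10.0.0.13"),            # assumed: PCs use the main gateway
            ("10.0.0.0/16", "direct")]},
    }
    if gateway_static_routes:
        # The fix from the thread: each site's gateway reaches the remote LAN
        # through its local pfSense box.
        nodes["gateway-a"]["routes"].append(("10.0.0.0/16", "192.168.0.254"))
        nodes["gateway-b"]["routes"].append(("192.168.0.0/24", "10.0.0.254"))
    return nodes


def lookup(routes, dst):
    """Longest-prefix match; returns the next hop or None when no route fits."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, next_hop
    return best_hop


def owner(nodes, ip):
    """Name of the node holding this address, or None."""
    for name, node in nodes.items():
        if ip in node["addrs"]:
            return name
    return None


def trace(nodes, src_node, dst_ip, max_hops=16):
    """Forward a packet hop by hop; the last element says where it ended."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        if dst_ip in nodes[node]["addrs"]:
            return path                      # delivered
        next_hop = lookup(nodes[node]["routes"], dst_ip)
        if next_hop is None:
            return path + ["no-route"]
        if next_hop == "internet":
            return path + ["internet"]       # private destination lost upstream
        target = dst_ip if next_hop == "direct" else next_hop
        node = owner(nodes, target)
        if node is None:
            return path + ["unreachable:" + target]
        path.append(node)
    return path + ["loop"]


def round_trip(nodes, src_node, dst_ip):
    """Trace request and reply; reply is None if the request never arrived."""
    fwd = trace(nodes, src_node, dst_ip)
    if fwd[-1] not in nodes:
        return fwd, None
    src_ip = sorted(nodes[src_node]["addrs"])[0]
    return fwd, trace(nodes, fwd[-1], src_ip)


def is_asymmetric(fwd, rev):
    """True when the reply does not retrace the request's path."""
    return rev is not None and rev != list(reversed(fwd))


if __name__ == "__main__":
    for label, topo in (("before", build_topology()),
                        ("after static routes", build_topology(True))):
        fwd, rev = round_trip(topo, "pc-a", "10.0.0.12")
        print(label, "request:", " -> ".join(fwd))
        print(label, "reply:  ", " -> ".join(rev) if rev else "n/a")
        print(label, "asymmetric:", is_asymmetric(fwd, rev))
```

Before the fix, the request reaches pc-b through the tunnel, but pc-b's reply to 192.168.0.11 follows its default route to gateway-b, which has no route for 192.168.0.0/24 and hands it upstream, which is exactly the "Request timed out" seen in the traceroute while pfSense B still logs the incoming packet. After the static routes the reply comes back via gateway-b, pfSense B, the tunnel and pfSense A, so the two directions take different paths; that asymmetry is what the earlier post means about stateful filtering on the gateway. Dropping the PC's own 10.0.0.0/16 route also shows why the gateway-side route matters for hosts that have no static route of their own.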



  • This makes a lot of sense. The key is the default gateway here I guess, instead of pfSense in this setup. I'll give it a shot; it's very beneficial. Thanks again.



  • Yeah the default gateway has to know how to reach that remote network.

