Site-to-Site VPN - can't ping from one side to the other



  • I have set up a site-to-site VPN using OpenVPN on two Pfsense 2.0.1 routers.
    I followed these guides:
    This one first:
    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)
    Then this one to check myself:
    http://blog.stefcho.eu/?p=576

    Some information:
    "Server" network = 192.168.1.0/24
    "Client" network = 192.168.2.0/24

    I can ping from 192.168.2.0/24 to any device on 192.168.1.0/24.
    I cannot ping from 192.168.1.0/24 to any device on 192.168.2.0/24.
    I want to be able to ping devices on either side of the VPN.

    I have even tried to add a push "route 192.168.2.0 255.255.255.0"; on the 192.168.1.0/24 VPN "server", but no luck still.

    What's going on?



  • I'm thinking your routes are fine. In my experience, if you are able to ping in any direction -> routes are fine.

    I'm thinking a firewall rule is blocking on the 192.168.1.0 side of the VPN.

    enjoy



  • OpenVPN says the connection is up.
    Also, I can use nslookup, switch to a DNS server on 192.168.1.0/24 and lookup records on that LAN fine. I can also access the pfsense admin console on 192.168.1.1 from a client on 192.168.2.0/24.

    Here are my firewall rules from pfsense on 192.168.1.1:

    
    <filter>
      <rule>
        <id/><type>pass</type><interface>wan</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype><os/><protocol>icmp</protocol>
        <source><any/></source>
        <destination><network>wanip</network></destination>
      </rule>
      <rule>
        <source><any/></source><interface>wan</interface><protocol>tcp</protocol>
        <destination><address>192.168.0.2</address></destination>
        <associated-rule-id>nat_4f9186728b5b94.48582549</associated-rule-id>
      </rule>
      <rule>
        <source><any/></source><interface>wan</interface><protocol>tcp</protocol>
        <destination><address>192.168.1.116</address><port>57030</port></destination>
        <associated-rule-id>nat_4f9186ada4a717.67221852</associated-rule-id>
        <disabled/>
      </rule>
      <rule>
        <source><any/></source><interface>wan</interface><protocol>tcp</protocol>
        <destination><address>192.168.1.116</address><port>47624</port></destination>
        <associated-rule-id>nat_4f9186db5f3e11.56896932</associated-rule-id>
        <disabled/>
      </rule>
      <rule>
        <source><any/></source><interface>wan</interface><protocol>tcp/udp</protocol>
        <destination><address>192.168.1.116</address><port>-100</port></destination>
        <associated-rule-id>nat_4f918715118c26.90301933</associated-rule-id>
        <disabled/>
      </rule>
      <rule>
        <id/><type>pass</type><interface>wan</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype><os/><protocol>udp</protocol>
        <source><any/></source>
        <destination><any/><port>1194</port></destination>
      </rule>
      <rule>
        <type>pass</type><interface>lan</interface>
        <source><network>lan</network></source>
        <destination><any/></destination>
      </rule>
      <rule>
        <id/><type>pass</type><interface>openvpn</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype><os/>
        <source><any/></source>
        <destination><any/></destination>
      </rule>
      <rule>
        <id/><type>pass</type><interface>opt1</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype><os/>
        <source><network>opt1</network></source>
        <destination><network>lan</network></destination>
      </rule>
      <rule>
        <id/><type>block</type><interface>opt1</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype><os/><protocol>tcp</protocol>
        <source><any/></source>
        <destination><network>lan</network></destination>
      </rule>
    </filter>
    

    Here are the firewall rules on pfsense 192.168.2.1:

    
    <filter>
      <rule>
        <id/><type>pass</type><interface>wan</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype><os/><protocol>icmp</protocol>
        <source><any/></source>
        <destination><network>wanip</network></destination>
      </rule>
      <rule>
        <id/><type>pass</type><interface>wan</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype><os/><protocol>udp</protocol>
        <source><any/></source>
        <destination><any/><port>1194</port></destination>
        <disabled/>
      </rule>
      <rule>
        <type>pass</type><interface>lan</interface>
        <source><network>lan</network></source>
        <destination><any/></destination>
      </rule>
      <rule>
        <id/><type>pass</type><interface>openvpn</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype><os/>
        <source><any/></source>
        <destination><any/></destination>
      </rule>
    </filter>
    

    Do you need anything else to help me diagnose?



  • Let me first say that I'm not really good at reading the XML as I generally use the web GUI =)

    But since the following rule is the only block rule I can find:

     <rule>
       <id/><type>block</type><interface>opt1</interface>
       <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
       <statetype>keep state</statetype><os/><protocol>tcp</protocol>
       <source><any/></source>
       <destination><network>lan</network></destination>
     </rule>
    

    Is opt1 an interface assigned to your OpenVPN?
    If yes, then you might consider changing the block from opt1 -> lan and see if that helps in any way.

    Other than that, providing screenshots of the routing table / firewall rules on useful tabs / a drawing of the network layout can all help to diagnose further.
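As an added example (not from the thread and not pfSense's own tooling), a small parser that flattens the `<filter>` section of a pfSense config.xml like the ones pasted above into a per-interface listing and pulls out the enabled block rules, which is the check the reply above asks for. The sample XML is constructed from a subset of the posted 192.168.1.1 rules in the same element layout; empty elements such as `<id/>` are unset fields and `<disabled/>` marks a rule as switched off.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's full file): a subset of the 192.168.1.1
# rule set in the same element layout, with one disabled NAT-associated rule.
SAMPLE = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol><source><any/></source><destination><any/><port>1194</port></destination></rule>
<rule><type>pass</type><interface>lan</interface><source><network>lan</network></source><destination><any/></destination></rule>
<rule><type>pass</type><interface>openvpn</interface><source><any/></source><destination><any/></destination></rule>
<rule><type>pass</type><interface>opt1</interface><source><network>opt1</network></source><destination><network>lan</network></destination></rule>
<rule><type>block</type><interface>opt1</interface><protocol>tcp</protocol><source><any/></source><destination><network>lan</network></destination></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><disabled/><source><any/></source><destination><address>192.168.1.116</address><port>57030</port></destination></rule>
</filter></pfsense>"""

def endpoint(el):
    """Render a <source>/<destination> element: any, net:<alias>, or address, plus :port."""
    if el is None or el.find("any") is not None:
        who = "any"
    elif el.find("network") is not None:
        who = "net:" + el.findtext("network")   # interface network alias, e.g. lan
    else:
        who = el.findtext("address", "?")
    port = el.findtext("port") if el is not None else None
    return who + (":" + port if port else "")

def parse_rules(xml_text):
    """Flatten every <rule> under <filter> into a dict, in file (= evaluation) order."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "type": r.findtext("type", "pass"),
            "interface": r.findtext("interface", "?"),
            "proto": r.findtext("protocol") or "any",     # absent protocol means any
            "src": endpoint(r.find("source")),
            "dst": endpoint(r.find("destination")),
            "disabled": r.find("disabled") is not None,   # <disabled/> present = rule off
        })
    return rules

def rules_by_interface(rules):
    """Group enabled rules by the interface they are evaluated on; pfSense applies the first match."""
    groups = {}
    for r in rules:
        if not r["disabled"]:
            groups.setdefault(r["interface"], []).append(r)
    return groups

def active_block_rules(rules):
    """Enabled block rules: the first thing to check when one direction of a tunnel is dead."""
    return [r for r in rules if r["type"] == "block" and not r["disabled"]]
```

Running `rules_by_interface(parse_rules(open("config.xml").read()))` against an exported config gives the same per-interface view the web GUI shows, with disabled rules already dropped.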



  • It's working fully now.

    For some odd reason, I am unable to ping devices behind a ZyXEL HD Powerline networking device from the 192.168.1.0/24 subnet, but I can ping everything else on 192.168.2.0/24 from 192.168.1.0/24. I can ping all devices behind the ZyXEL device on the same subnet just fine.

    I think I was trying to ping devices behind that ZyXEL and getting confused because it wouldn't ping.

    Thanks for your efforts!

