Site-to-Site VPN - can't ping from one side to the other
-
I have set up a site-to-site VPN using OpenVPN on two pfSense 2.0.1 routers.
I followed these guides:
This one first:
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)
Then this one to check myself:
http://blog.stefcho.eu/?p=576
Some information:
"Server" network = 192.168.1.0/24
"Client" network = 192.168.2.0/24
I can ping from 192.168.2.0/24 to any device on 192.168.1.0/24.
I cannot ping from 192.168.1.0/24 to any device on 192.168.2.0/24.
I want to be able to ping devices on either side of the VPN.
I have even tried to add a push "route 192.168.2.0 255.255.255.0"; on the 192.168.1.0/24 VPN "server", but no luck still.
What's going on?
-
I'm thinking your routes are fine. In my experience, if you are able to ping in any direction -> routes are fine.
I'm thinking a firewall rule is blocking on the 192.168.1.0 side of the VPN.
enjoy
-
OpenVPN says the connection is up.
Also, I can use nslookup, switch to a DNS server on 192.168.1.0/24 and look up records on that LAN fine. I can also access the pfSense admin console on 192.168.1.1 from a client on 192.168.2.0/24.
Here are my firewall rules from pfSense on 192.168.1.1:
<filter>
  <rule>
    <id/>
    <type>pass</type>
    <interface>wan</interface>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <protocol>icmp</protocol>
    <source><any/></source>
    <destination><network>wanip</network></destination>
  </rule>
  <rule>
    <source><any/></source>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <destination><address>192.168.0.2</address></destination>
    <associated-rule-id>nat_4f9186728b5b94.48582549</associated-rule-id>
  </rule>
  <rule>
    <source><any/></source>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <destination><address>192.168.1.116</address><port>57030</port></destination>
    <associated-rule-id>nat_4f9186ada4a717.67221852</associated-rule-id>
    <disabled/>
  </rule>
  <rule>
    <source><any/></source>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <destination><address>192.168.1.116</address><port>47624</port></destination>
    <associated-rule-id>nat_4f9186db5f3e11.56896932</associated-rule-id>
    <disabled/>
  </rule>
  <rule>
    <source><any/></source>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <destination><address>192.168.1.116</address><port>-100</port></destination>
    <associated-rule-id>nat_4f918715118c26.90301933</associated-rule-id>
    <disabled/>
  </rule>
  <rule>
    <id/>
    <type>pass</type>
    <interface>wan</interface>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <protocol>udp</protocol>
    <source><any/></source>
    <destination><any/><port>1194</port></destination>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any/></destination>
  </rule>
  <rule>
    <id/>
    <type>pass</type>
    <interface>openvpn</interface>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><any/></source>
    <destination><any/></destination>
  </rule>
  <rule>
    <id/>
    <type>pass</type>
    <interface>opt1</interface>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><network>opt1</network></source>
    <destination><network>lan</network></destination>
  </rule>
  <rule>
    <id/>
    <type>block</type>
    <interface>opt1</interface>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>lan</network></destination>
  </rule>
</filter>
Here are the firewall rules on pfSense 192.168.2.1:
<filter>
  <rule>
    <id/>
    <type>pass</type>
    <interface>wan</interface>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <protocol>icmp</protocol>
    <source><any/></source>
    <destination><network>wanip</network></destination>
  </rule>
  <rule>
    <id/>
    <type>pass</type>
    <interface>wan</interface>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <protocol>udp</protocol>
    <source><any/></source>
    <destination><any/><port>1194</port></destination>
    <disabled/>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any/></destination>
  </rule>
  <rule>
    <id/>
    <type>pass</type>
    <interface>openvpn</interface>
    <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source><any/></source>
    <destination><any/></destination>
  </rule>
</filter>
Do you need anything else to help me diagnose?
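Reading a pasted config.xml rule set by eye is error-prone, so here is an added example (not from this thread and not pfSense's own code) that parses a `<filter>` section like the one above and matches a packet the way pfSense does: only the rules for the interface the packet enters on are consulted, top to bottom, first match wins (user rules are "quick"), and no match means the implicit default deny. A stateful pass on the ingress interface also admits the reply, so a ping only needs a pass rule on the interface where it arrives at each router. The sample `<filter>` is a constructed subset of the 192.168.1.1 rules; the `opt1` subnet and the WAN address in `ALIASES` are assumed values, since the post does not give them.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <filter> section posted for 192.168.1.1.
# The empty <id/>, <tag/>, <max/>, <os/> ... elements of a real config.xml
# carry no matching information and are left out; one of the NAT-associated
# rules is kept to show that <disabled/> rules are skipped.
FILTER_XML = """<filter>
  <rule><type>pass</type><interface>wan</interface><protocol>icmp</protocol>
    <source><any/></source><destination><network>wanip</network></destination></rule>
  <rule><source><any/></source><interface>wan</interface><protocol>tcp</protocol>
    <destination><address>192.168.1.116</address><port>57030</port></destination>
    <associated-rule-id>nat_4f9186ada4a717.67221852</associated-rule-id><disabled/></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
    <source><any/></source><destination><any/><port>1194</port></destination></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source><destination><any/></destination></rule>
  <rule><type>pass</type><interface>openvpn</interface>
    <source><any/></source><destination><any/></destination></rule>
  <rule><type>pass</type><interface>opt1</interface>
    <source><network>opt1</network></source><destination><network>lan</network></destination></rule>
  <rule><type>block</type><interface>opt1</interface><protocol>tcp</protocol>
    <source><any/></source><destination><network>lan</network></destination></rule>
</filter>"""

# How pfSense resolves the interface aliases used in <network>. LAN is from
# the post; the opt1 subnet and the WAN address are assumed for the example.
ALIASES = {
    "lan": "192.168.1.0/24",
    "opt1": "192.168.3.0/24",    # assumed
    "wanip": "203.0.113.10/32",  # assumed
}


def _addr_matches(spec, ip):
    """<source>/<destination>: <any/>, <network>alias</network> or <address>."""
    if spec is None or spec.find("any") is not None:
        return True
    alias = spec.findtext("network")
    if alias is not None:
        return ip in ipaddress.ip_network(ALIASES[alias])
    addr = spec.findtext("address")
    if addr is not None:
        return ip in ipaddress.ip_network(addr, strict=False)
    return False


def _port_matches(spec, port):
    """Destination <port> may be a single port or a 'lo-hi' range."""
    want = spec.findtext("port") if spec is not None else None
    if want is None:
        return True            # rule does not constrain the port
    if port is None:
        return False           # rule wants a port, packet has none (ICMP)
    lo, _, hi = want.partition("-")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    return lo <= port <= hi


def _proto_matches(rule_proto, proto):
    """Missing <protocol> means any protocol; 'tcp/udp' matches either."""
    return rule_proto is None or proto in rule_proto.split("/")


def evaluate(filter_xml, iface, proto, src, dst, dport=None):
    """Match a packet entering the firewall on `iface` the way pfSense does:
    rules for that interface only, top to bottom, first match wins, and no
    match is the implicit default deny.
    Returns (action, index_of_matching_rule); the index is None on default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(ET.fromstring(filter_xml).findall("rule")):
        if rule.find("disabled") is not None:
            continue
        if rule.findtext("interface") != iface:
            continue
        if not _proto_matches(rule.findtext("protocol"), proto):
            continue
        if not _addr_matches(rule.find("source"), src_ip):
            continue
        dst_spec = rule.find("destination")
        if not _addr_matches(dst_spec, dst_ip) or not _port_matches(dst_spec, dport):
            continue
        return rule.findtext("type"), i
    return "block", None


if __name__ == "__main__":
    # The ping from the thread, as it enters each router.
    print("LAN -> tunnel, ingress lan:", evaluate(FILTER_XML, "lan", "icmp", "192.168.1.50", "192.168.2.20"))
    print("tunnel -> LAN, ingress openvpn (same rule on both routers):",
          evaluate(FILTER_XML, "openvpn", "icmp", "192.168.2.20", "192.168.1.50"))
    # Ordering: the opt1 pass rule sits above the block rule, so only sources
    # outside the opt1 subnet ever reach the block.
    print("opt1 host -> LAN tcp:", evaluate(FILTER_XML, "opt1", "tcp", "192.168.3.7", "192.168.1.50", 22))
    print("spoofed source on opt1:", evaluate(FILTER_XML, "opt1", "tcp", "10.9.8.7", "192.168.1.50", 22))
```

Run against the posted rules, the LAN-to-tunnel ping matches the LAN "pass any" rule on 192.168.1.1 and the tunnel-to-LAN ping matches the OpenVPN "pass any" rule on the far side, so the firewall rules as posted do not explain a one-way failure; the only block rule is on opt1 and, because the opt1 pass rule sits above it, it only ever sees sources outside the opt1 subnet. One caveat on the `push "route ..."` attempt mentioned in the question: a shared-key (static key) OpenVPN tunnel has no push/pull negotiation, so `push` directives have no effect in that mode; the far LAN is added with a plain `route` directive, which is what the Remote Network field in the pfSense guide generates.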
-
Let me first say that I'm not really good at reading the XML as I generally use the web GUI =)
But since the following rule is the only block rule I can find:
<rule>
  <id/>
  <type>block</type>
  <interface>opt1</interface>
  <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
  <statetype>keep state</statetype>
  <os/>
  <protocol>tcp</protocol>
  <source><any/></source>
  <destination><network>lan</network></destination>
</rule>
Is opt1 an interface assigned to your OpenVPN?
If yes, then you might consider changing the block from opt1 -> lan and see if that helps in any way.
Other than that, providing screenshots of the routing table / firewall rules on useful tabs / a drawing of the network layout can all help to diagnose further.
-
It's working fully now.
For some odd reason, I am unable to ping devices behind a ZyXEL HD Powerline networking device from the 192.168.1.0/24 subnet, but I can ping everything else on 192.168.2.0/24 from 192.168.1.0/24. I can ping all devices behind the ZyXEL device on the same subnet just fine.
I think I was trying to ping devices behind that ZyXEL and getting confused because it wouldn't ping.
Thanks for your efforts!