Site-to-Site: Packet forwarding on client side



  • Hi everyone,

    I'm hoping someone can shed some light on this issue.

    Current setup with both sides running pfSense 2.0.1-RELEASE in Peer to Peer PSK mode.

    Server:
    Tunnel: 10.0.200.0/24
    Local: 10.0.0.0/20
    Remote: 192.168.2.0/24

    Client (behind NAT, single NIC):
    Tunnel: 10.0.200.0/24
    Remote: 10.0.0.0/20

    I can ping from pfSense on client side (192.168.2.108) to all hosts on server side (10.0.0.1 and 10.0.0.2).
    I can ping from pfSense on client side (192.168.2.108) to client side host (192.168.2.1).
    I can ping from a host on the client side (192.168.2.80) to hosts on the server side (10.0.0.1 and 10.0.0.2).
    I can ping from pfSense on server side (10.0.0.1) to the pfSense box on the client side (192.168.2.108).

    The problem is that I can't ping from pfSense on server side (10.0.0.1) to any other hosts on the client side, for example 192.168.2.1.

    I ran a packet capture on the client side on the OpenVPN interface, here are the results:
    17:10:17.898363 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 0, length 64
    17:10:18.899479 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 1, length 64
    17:10:19.901020 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 2, length 64
    17:10:20.902220 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 3, length 64
    17:10:21.903220 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 4, length 64

    Same situation with pings from 10.0.0.2:
    17:09:27.896900 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 834, length 40
    17:09:32.645533 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 835, length 40
    17:09:37.646175 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 836, length 40
    17:09:42.653778 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 837, length 40

    Is there a setting I need to change to enable forwarding between the OpenVPN interface and em0 on the client side pfSense box?

    Any pointers anyone can give on this issue would be very welcome, I thought this would 'just-work' :)

    Thanks
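As an added diagnostic (not part of the original post), here is a small script that reads tcpdump lines like the ones quoted above and reports echo requests that never received a matching reply, which is exactly the one-way pattern the capture shows. The sample input reuses lines from the post plus one constructed request/reply pair so a healthy flow is visible for comparison.

```python
import re
from collections import defaultdict

# Constructed sample capture: the first five lines are the echo requests quoted
# in the post above; the last two are a constructed request/reply pair so the
# script has a healthy flow to compare against.
CAPTURE = """\
17:10:17.898363 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 0, length 64
17:10:18.899479 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 1, length 64
17:10:19.901020 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 2, length 64
17:09:27.896900 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 834, length 40
17:09:32.645533 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 835, length 40
17:11:00.000000 IP 10.0.200.1 > 192.168.2.108: ICMP echo request, id 7, seq 0, length 64
17:11:00.000400 IP 192.168.2.108 > 10.0.200.1: ICMP echo reply, id 7, seq 0, length 64
"""

# Matches tcpdump's default one-line ICMP echo format (timestamp, IP, src > dst, kind, id, seq).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(capture):
    """Yield (src, dst, kind, id, seq) for each ICMP echo line; skip anything else."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def unanswered_echoes(capture):
    """Return {(src, dst): [seq, ...]} for echo requests that never got a reply.

    A reply matches a request when it flows dst -> src with the same id and seq,
    so replies are keyed in the request's direction to line up with requests.
    """
    requests = defaultdict(set)  # (src, dst, id) -> seqs sent
    replies = defaultdict(set)   # (src, dst, id) in request direction -> seqs answered
    for src, dst, kind, ident, seq in parse(capture):
        if kind == "request":
            requests[(src, dst, ident)].add(seq)
        else:
            replies[(dst, src, ident)].add(seq)
    result = {}
    for (src, dst, ident), seqs in requests.items():
        missing = seqs - replies.get((src, dst, ident), set())
        if missing:
            result.setdefault((src, dst), []).extend(missing)
    return {flow: sorted(seqs) for flow, seqs in result.items()}


if __name__ == "__main__":
    for (src, dst), seqs in unanswered_echoes(CAPTURE).items():
        print(f"{src} -> {dst}: no reply for seq {seqs}")
```

Flows that show up here while the request lines are visible on the OpenVPN interface point at the forwarding or filtering path on the receiving pfSense rather than at the tunnel itself.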



  • Check the firewall rules on the LAN tab on the server side …

    you need a PASS rule in it to the destination subnet (can be ANY) that does not specify a specific gateway-(group).



  • I ended up reinstalling pfSense on the client side and testing with all packet filtering disabled, everything then started working as expected.

