Site-to-Site: Packet forwarding on client side
-
Hi everyone,
I'm hoping someone can shed some light on this issue.
Current setup with both sides running pfSense 2.0.1-RELEASE in Peer to Peer PSK mode.
Server:
Tunnel: 10.0.200.0/24
Local: 10.0.0.0/20
Remote: 192.168.2.0/24
Client (behind NAT, single NIC):
Tunnel: 10.0.200.0/24
Remote: 10.0.0.0/20
I can ping from pfSense on client side (192.168.2.108) to all hosts on server side (10.0.0.1 and 10.0.0.2).
I can ping from pfSense on client side (192.168.2.108) to client side host (192.168.2.1).
I can ping from a host on the client side (192.168.2.80) to hosts on the server side (10.0.0.1 and 10.0.0.2).
I can ping from pfSense on server side (10.0.0.1) to the pfSense box on the client side (192.168.2.108).
The problem is that I can't ping from pfSense on server side (10.0.0.1) to any other hosts on the client side, for example 192.168.2.1.
I ran a packet capture on the client side on the OpenVPN interface, here are the results:
17:10:17.898363 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 0, length 64
17:10:18.899479 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 1, length 64
17:10:19.901020 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 2, length 64
17:10:20.902220 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 3, length 64
17:10:21.903220 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 4, length 64
Same situation with pings from 10.0.0.2:
17:09:27.896900 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 834, length 40
17:09:32.645533 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 835, length 40
17:09:37.646175 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 836, length 40
17:09:42.653778 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 837, length 40
Is there a setting I need to change to enable forwarding between the OpenVPN interface and em0 on the client side pfSense box?
Any pointers anyone can give on this issue would be very welcome, I thought this would 'just-work' :)
Thanks
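The captures above show only echo requests arriving on the OpenVPN interface with no replies going back, which is the signature of a forwarding or filtering problem rather than a tunnel problem. The following is an added example (not from the original post or from pfSense) that parses tcpdump lines in that format and reports request/reply pairs that never completed; the sample capture embedded in it is constructed from the post's lines plus one answered pair.

```python
import re
from collections import defaultdict

# Matches the tcpdump ICMP echo lines quoted in the post:
# timestamp, src, dst, "request"/"reply", id, seq.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def unanswered_echoes(capture_text):
    """Return {(src, dst, icmp_id): [seqs]} for echo requests that got no
    matching reply (a reply is the reversed src/dst with the same id and seq)."""
    requests = defaultdict(set)
    replies = set()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        seq = int(m["seq"])
        if m["kind"] == "request":
            requests[(m["src"], m["dst"], int(m["id"]))].add(seq)
        else:
            # A reply travels dst -> src; store it under the request's key.
            replies.add((m["dst"], m["src"], int(m["id"]), seq))
    result = {}
    for (src, dst, icmp_id), seqs in requests.items():
        missing = sorted(s for s in seqs if (src, dst, icmp_id, s) not in replies)
        if missing:
            result[(src, dst, icmp_id)] = missing
    return result


# Constructed sample: two one-way flows from the post, plus one constructed
# request/reply pair (to the pfSense box itself) that must not be flagged.
SAMPLE = """\
17:10:17.898363 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 0, length 64
17:10:18.899479 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 1, length 64
17:09:27.896900 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 834, length 40
17:11:00.000000 IP 10.0.0.2 > 192.168.2.108: ICMP echo request, id 7, seq 1, length 40
17:11:00.000500 IP 192.168.2.108 > 10.0.0.2: ICMP echo reply, id 7, seq 1, length 40
"""

if __name__ == "__main__":
    for (src, dst, icmp_id), seqs in unanswered_echoes(SAMPLE).items():
        print(f"{src} -> {dst} (id {icmp_id}): no reply for seq {seqs}")
```

Feed it the output of a capture taken on the OpenVPN interface and then on the LAN interface: if requests are flagged on the tunnel side but never appear on the LAN side at all, the packets are being dropped between the two interfaces (routing or filter rules) rather than being ignored by the LAN host.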
-
Check the firewall rules on the LAN tab on the server side …
You need a PASS rule in it to the destination subnet (can be ANY) that does not specify a specific gateway (group).
-
I ended up reinstalling pfSense on the client side and testing with all packet filtering disabled, everything then started working as expected.