    Netgate Discussion Forum

    Site-to-Site: Packet forwarding on client side

    OpenVPN
    • T
      tuxcore last edited by

      Hi everyone,

      I'm hoping someone can shed some light on this issue.

      Current setup with both sides running pfSense 2.0.1-RELEASE in Peer to Peer PSK mode.

      Server:
      Tunnel: 10.0.200.0/24
      Local: 10.0.0.0/20
      Remote: 192.168.2.0/24

      Client (behind NAT, single NIC):
      Tunnel: 10.0.200.0/24
      Remote: 10.0.0.0/20

      I can ping from pfSense on client side (192.168.2.108) to all hosts on server side (10.0.0.1 and 10.0.0.2).
      I can ping from pfSense on client side (192.168.2.108) to client side host (192.168.2.1).
      I can ping from a host on the client side (192.168.2.80) to hosts on the server side (10.0.0.1 and 10.0.0.2).
      I can ping from pfSense on server side (10.0.0.1) to the pfSense box on the client side (192.168.2.108).

      The problem is that I can't ping from pfSense on server side (10.0.0.1) to any other hosts on the client side, for example 192.168.2.1.

      I ran a packet capture on the client side on the OpenVPN interface, here are the results:
      17:10:17.898363 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 0, length 64
      17:10:18.899479 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 1, length 64
      17:10:19.901020 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 2, length 64
      17:10:20.902220 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 3, length 64
      17:10:21.903220 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 4, length 64

      Same situation with pings from 10.0.0.2:
      17:09:27.896900 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 834, length 40
      17:09:32.645533 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 835, length 40
      17:09:37.646175 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 836, length 40
      17:09:42.653778 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 837, length 40

      Is there a setting I need to change to enable forwarding between the OpenVPN interface and em0 on the client side pfSense box?

      Any pointers anyone can give on this issue would be very welcome, I thought this would 'just-work' :)

      Thanks

      • H
        heper last edited by

        Check the firewall rules on the LAN tab on the server side …

        You need a PASS rule in it to the destination subnet (can be ANY) that does not specify a specific gateway-(group).

        • T
          tuxcore last edited by

          I ended up reinstalling pfSense on the client side and testing with all packet filtering disabled; everything then started working as expected.

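The captures in the first post show echo requests arriving on the client's OpenVPN interface with no replies visible. As an added example (not code from the thread or from pfSense), this Python script pairs ICMP echo requests with replies in tcpdump text output so unanswered flows stand out; the request lines are taken from the post, and the final request/reply pair in the sample is constructed.

```python
import re
from collections import defaultdict

# Sample input: the first four lines are from the capture in the first post;
# the last two (id 7) are constructed to show a flow that does get a reply.
CAPTURE = """\
17:10:17.898363 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 0, length 64
17:10:18.899479 IP 10.0.200.1 > 192.168.2.1: ICMP echo request, id 49121, seq 1, length 64
17:09:27.896900 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 834, length 40
17:09:32.645533 IP 10.0.0.2 > 192.168.2.1: ICMP echo request, id 1, seq 835, length 40
17:11:00.000100 IP 10.0.200.1 > 192.168.2.108: ICMP echo request, id 7, seq 0, length 64
17:11:00.000350 IP 192.168.2.108 > 10.0.200.1: ICMP echo reply, id 7, seq 0, length 64
"""

# Matches tcpdump's one-line text format for ICMP echo request/reply packets.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+),"
)

def unanswered_echoes(capture: str) -> dict:
    """Return {(src, dst): [seq, ...]} for echo requests with no matching reply."""
    pending = {}  # (requester, target, id, seq) -> True, in capture order
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ICMP echo line; ignore it
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], ident, seq)] = True
        else:
            # A reply travels target -> requester, so swap addresses to find its request.
            pending.pop((m["dst"], m["src"], ident, seq), None)
    flows = defaultdict(list)
    for src, dst, _ident, seq in pending:
        flows[(src, dst)].append(seq)
    return dict(flows)

if __name__ == "__main__":
    for (src, dst), seqs in unanswered_echoes(CAPTURE).items():
        print(f"{src} -> {dst}: {len(seqs)} echo request(s), no reply (seq {seqs})")
```

Running the same check on a capture taken on em0 shows whether the requests ever leave the client pfSense box toward 192.168.2.1, which separates a forwarding or filtering drop on the box from a missing return route on the LAN host.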