Site to Site, connection established, but cannot ping or connect remote machines



  • I followed the post here pretty much exactly, only changing my IP schemes. I'm getting connected, and I can ping the server's LAN IP from my remote network, but that's it, no other IPs can be reached. The server does have a FW rule to allow UDP on 1194 on WAN, and there's another FW rule to allow EVERYTHING on OpenVPN.

    I know this has got to be something simple, a route I've missed or a FW rule, but I just don't see it. Any ideas?

    Server network: 10.241.136.0/24
    Server lan ip: 10.241.136.3
    Client1 network: 192.168.168.0/24
    OpenVPN: 10.0.8.0/24



  • Make sure you have the appropriate 'allow OVPN' rules created on both ends of the connection. I think this is what ended up being the cause of similar problems I had when I got our p2p OVPN going.



  • I did not have the 'allow everything on ovpn' rule on my client side. I just added it and still have similar results.

    The odd bit for me is that I can ping the LAN interface IP of the server just fine from the remote client, but no other IPs.



  • Do your other devices have correct gateway information?
    Are you sure that the other end allows pinging from another subnet?



  • @Metu69salemi:

    Do your other devices have correct gateway information?
    Are you sure that the other end allows pinging from another subnet?

    Other devices? I'm pinging from a Windows 7 PC behind the remote site; it hits the server LAN IP just fine, just not any of the other IPs, which are on the same subnet as the server LAN IP. I'm assuming that since it's letting me ping that IP, I should be able to get to the rest as well.






  • @Ghlave:

    I followed the post here pretty much exactly, only changing my IP schemes. I'm getting connected, and I can ping the server's LAN IP from my remote network, but that's it, no other IPs can be reached. The server does have a FW rule to allow UDP on 1194 on WAN, and there's another FW rule to allow EVERYTHING on OpenVPN.

    I know this has got to be something simple, a route I've missed or a FW rule, but I just don't see it. Any ideas?

    Server network: 10.241.136.0/24
    Server lan ip: 10.241.136.3
    Client1 network: 192.168.168.0/24
    OpenVPN: 10.0.8.0/24

    So you can ping your server, hooray, but what are those other devices that you can't ping?
    And do those other unpingable devices have correct gateway information?
    And have you tested any other means of connectivity than ping? Because sometimes antivirus software and such can block ping from another subnet.

    Have you any other subnet on the remote site where you need to connect? Then the solution might be a simple push "route ….." in the server config.
    Have you started the OpenVPN client with admin rights?



  • @Metu69salemi:

    So you can ping your server, hooray, but what are those other devices that you can't ping?
    And do those other unpingable devices have correct gateway information?
    And have you tested any other means of connectivity than ping? Because sometimes antivirus software and such can block ping from another subnet.

    Have you any other subnet on the remote site where you need to connect? Then the solution might be a simple push "route ….." in the server config.
    Have you started the OpenVPN client with admin rights?

    Specifically, I can't ping 10.241.136.10, which is my DC. It is normally pingable; I have set up OpenVPN on Untangle previously and I could get to it just fine. I've also tried some random desktops. I have the firewalls set so they will allow it, and AV as well.

    All of the PCs on the server network have a gateway of 10.241.136.1, which is our Untangle box (both Untangle and the pfSense box I've put in have separate internet-exposed IPs, as I'm trying to get off of Untangle and onto pfSense). I remoted to my personal laptop and removed the gateway of 10.241.136.1 to see if there would be an effect, and had no luck.



  • Server network: 10.241.136.0/24
    Server lan ip: 10.241.136.3
    Client1 network: 192.168.168.0/24
    OpenVPN: 10.0.8.0/24

    I think you mean that the pfSense LAN IP is 10.241.136.3 - in that case it will return ping because it knows the routing correctly back to client1 network.
    Your DC and PCs on 10.241.136.0/24 need to know how to route to 192.168.168.0/24 - those packets have to go to your pfSense on 10.241.136.3, but they are going to your untangle router on 10.241.136.1.
    For interim trials, you need to add a route in untangle that says 192.168.168.0/24 next hop 10.241.136.3
    When you make your pfSense the main router, then the default route on the 10.241.136.0/24 DC and PCs needs to be changed to 10.241.136.3 (or turn off Untangle and change pfSense to 10.241.136.1). And for ordinary PCs, use DHCP on pfSense and they get their settings automatically.
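To make the asymmetric-routing diagnosis above concrete, here is an added example (not code from the thread or from pfSense) that models each box's routing table with longest-prefix matching and traces a ping in both directions. The subnets and the addresses 10.241.136.1, 10.241.136.3 and 10.241.136.10 come from the thread; the node names, the remote PC address 192.168.168.50, the tunnel addresses 10.0.8.1/10.0.8.2 and the Untangle WAN next hop 203.0.113.1 are assumptions. It shows why the pfSense LAN IP answers while the DC does not, and that either a static route on Untangle or a changed gateway on the DC fixes the reply path.

```python
"""Trace a ping across a pfSense site-to-site OpenVPN tunnel, hop by hop.

Added example for the thread's diagnosis; addresses marked 'assumed'
are not from the thread.
"""
from ipaddress import ip_address, ip_network


class Node:
    """A host or router: its own addresses and a routing table."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ip_address(a) for a in addrs}
        # (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ip_network(p), ip_address(nh) if nh else None)
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next_hop) or None."""
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best


def owner(nodes, addr):
    """The node that holds address `addr`, or None if nobody in the topology does."""
    return next((n for n in nodes if addr in n.addrs), None)


def trace(nodes, src, dst, max_hops=16):
    """Forward a packet from node `src` toward `dst`. Returns (delivered, path, reason)."""
    dst = ip_address(dst)
    node, path = src, [src.name]
    for _ in range(max_hops):
        if dst in node.addrs:
            return True, path, "delivered"
        route = node.lookup(dst)
        if route is None:
            return False, path, f"{node.name}: no route to {dst}"
        _, nh = route
        hop = dst if nh is None else nh          # connected: ARP for dst itself
        nxt = owner(nodes, hop)
        if nxt is None:                           # e.g. a default route toward the ISP
            return False, path, f"{node.name}: forwards {dst} to {hop} (WAN), dropped"
        path.append(nxt.name)
        node = nxt
    return False, path, "hop limit exceeded (routing loop)"


def ping(nodes, src, dst):
    """A ping succeeds only if the echo request AND the echo reply are routable."""
    fwd_ok, fwd_path, fwd_reason = trace(nodes, src, dst)
    if not fwd_ok:
        return False, fwd_path, fwd_reason
    src_ip = next(iter(src.addrs))                # source host is single-homed
    rep_ok, rep_path, rep_reason = trace(nodes, owner(nodes, ip_address(dst)), src_ip)
    return rep_ok, fwd_path + rep_path[1:], rep_reason


def build_topology(dc_gateway="10.241.136.1", untangle_static_route=False):
    """The thread's two sites. dc_gateway and the optional Untangle static route are the two knobs."""
    LAN, REMOTE, TUN = "10.241.136.0/24", "192.168.168.0/24", "10.0.8.0/24"
    untangle_routes = [(LAN, None), ("0.0.0.0/0", "203.0.113.1")]   # WAN next hop: assumed
    if untangle_static_route:
        untangle_routes.append((REMOTE, "10.241.136.3"))           # Phil's interim fix
    return [
        Node("remote_pc", ["192.168.168.50"],                         # address assumed
             [(REMOTE, None), ("0.0.0.0/0", "192.168.168.1")]),
        Node("client_pfsense", ["192.168.168.1", "10.0.8.2"],         # tunnel IPs assumed
             [(REMOTE, None), (TUN, None), (LAN, "10.0.8.1")]),
        Node("server_pfsense", ["10.241.136.3", "10.0.8.1"],
             [(LAN, None), (TUN, None), (REMOTE, "10.0.8.2")]),
        Node("untangle", ["10.241.136.1"], untangle_routes),
        Node("dc", ["10.241.136.10"], [(LAN, None), ("0.0.0.0/0", dc_gateway)]),
    ]


def find(nodes, name):
    return next(n for n in nodes if n.name == name)


if __name__ == "__main__":
    for label, nodes in [("as posted", build_topology()),
                         ("static route on Untangle", build_topology(untangle_static_route=True)),
                         ("DC gateway = pfSense", build_topology(dc_gateway="10.241.136.3"))]:
        pc = find(nodes, "remote_pc")
        for target in ("10.241.136.3", "10.241.136.10"):
            ok, path, reason = ping(nodes, pc, target)
            print(f"{label:26} ping {target}: {'OK ' if ok else 'FAIL'} {' -> '.join(path)} ({reason})")
```

Run stand-alone it prints the three scenarios; in the "as posted" case the request reaches the DC, but the reply goes to Untangle, whose only matching route is its default toward the WAN, which is exactly the failure mode described above.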



  • Phil made it earlier.

    The problem itself is that the remote-end clients have no way to know the correct route, and Untangle's config has not been revealed.



  • @phil.davis:

    I think you mean that the pfSense LAN IP is 10.241.136.3 - in that case it will return ping because it knows the routing correctly back to client1 network.
    Your DC and PCs on 10.241.136.0/24 need to know how to route to 192.168.168.0/24 - those packets have to go to your pfSense on 10.241.136.3, but they are going to your untangle router on 10.241.136.1.
    For interim trials, you need to add a route in untangle that says 192.168.168.0/24 next hop 10.241.136.3
    When you make your pfSense the main router, then the default route on the 10.241.136.0/24 DC and PCs needs to be changed to 10.241.136.3 (or turn off Untangle and change pfSense to 10.241.136.1). And for ordinary PCs, use DHCP on pfSense and they get their settings automatically.

    You hit the nail on the head. I got into work this morning, and I changed my laptop's gateway to 10.241.136.3, and I could ping back and forth to all clients.



  • End of the day, your gateway was "wrong"

