Routing and Ping issue

  • Dear Forum,

    I have a couple of problems and I am hoping that I perhaps overlooked something.  The following diagram details my present configuration.

    Hosts A, B, and C are now running pfSense 2.0.1-RELEASE (i386).
    Hosts D and E are running some version of the DD-WRT firmware that have clients for both pptp and OpenVPN networks.

    The Win7 computer is my main workstation.  I am presently using Host D to obtain connectivity to network via pptp with Host B as the server.  This functionality does not seem possible with pfSense as Host D, but I want to get rid of pptp all together in either case.
    When I enabled the OpenVPN Server on Host B in either Remote Access (SSL/TLS) or Peer to Peer (SSL/TLS) mode, I cannot route traffic from the onto  For example, if I jump onto the Slackware machine (, I cannot ping Node100 (  On a site-to-site setup I am not able to ping from either machine to the other.  After much reading and an exhaustive amount of Google searching, I found someone with a similar problem.  There is OpenVPN connectivity and one can ping from within the pfSense hosts onto each other's tunnel endpoint IP, but pinging from the clients behind one host onto clients on the remote network is impossible.  I e-mailed the individual and his response was that he had these issues because he was running IPsec and OpenVPN on the same host.  This gave me a clue, as Host B is running a PPTP server.  So for the time being, I have decided not to use Host B for anything other than PPTP.  I would like to use Host B with just OpenVPN, but I have to wait until I am certain I can migrate other networks not shown in my diagram to this infrastructure.

    For now, I have decided to use Host A as an OpenVPN Server as well.  Here is where my present problems begin.

    1.)   I cannot seem to figure out how to configure Host C as an OpenVPN Client to Host A and route traffic onto the network for all gateway client devices of Host C.  I do not want to set this up as a site-to-site VPN.  This approach did work, but this is sort of a template for others who will be using the same approach, and I do not want routes to their networks, nor should I need to know anything about their local IP addressing scheme.  Incidentally, when I did have it working with the site-to-site PKI VPN, I was not able to ping

    2.) I was able to implement this feature for Hosts D and E with one minor problem.  Again I can connect to the network, but I cannot ping host  I am not certain as to why.  If I change the VPN type to PPTP on Host D or E, then everything works as expected.  If I SSH onto Node100, I am then able to ping and even SSH into

    Using the CONFERENCEPC, I am able to ping and perform traceroutes to, but not

    Tracing route to over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  CEARCONFERENCE []
      2     2 ms     1 ms     1 ms
    Tracing route to over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  CEARCONFERENCE []
      2     2 ms     1 ms     1 ms
      3     2 ms     1 ms     1 ms
    Tracing route to over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  CEARCONFERENCE []
      2     2 ms     1 ms     1 ms
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *     ^C

    3.)   Finally, I do have one question and please forgive my ignorance on this, but what are the advantages of adding user authentication along with PKI?



    HOST A Firewall Rules

    HOST A OpenVPN Server Config

    HOST B Firewall Rules

    HOST C Firewall Rules

    HOST C OpenVPN Client Config

    HOST D OpenVPN Client Config

  • I have solved one issue.  To get Host C to route over OpenVPN for the network I had to make changes in the outbound tab (Firewall->NAT->Outbound).  I changed it to manual and added an OpenVPN rule.

    However, the issue where I cannot ping from the network remains.  I believe this is probably due to some pfSense setting on that particular box, although I am not sure what else to change since I have already removed "Block private networks" (Interfaces->WAN).

    Another issue that has since developed is that I am sometimes able to ping and sometimes not if I turn on an OpenVPN Server on HOST C.

    For instance, if I am on any of the computers on , I can ping,,, and

    If I then go to (VPN->OpenVPN-Server) and enable the server, I will sometimes lose pings to some of the IPs, but it's not permanent.  Randomly, they sometimes work.  If I keep trying to ping them at different times, some IPs will reply.  During this setup, however, I can still SSH into any of those machines, which means OpenVPN is still sort of working.  There is nothing special about my server config; I did use a different tunnel network, different CA and certificates.  This is my personal office network that I would sometimes like to access when I am somewhere else.
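The outbound-NAT fix from the reply above, shown in a small routing model: a client behind Host C's LAN sends to a host on Host A's LAN over a remote-access tunnel, and the reply only finds its way back once Host C rewrites the source to its tunnel IP. This is an added example, not code from the thread or from pfSense; the node names, subnets and addresses are constructed placeholders.

```python
"""Toy forwarding model of a remote-access OpenVPN client (Host C) whose LAN
clients must reach Host A's LAN. Added example; all addresses are constructed."""
from ipaddress import ip_address, ip_network

LAN_C, LAN_A = ip_network("192.168.20.0/24"), ip_network("192.168.10.0/24")
TUN, ANY = ip_network("10.8.0.0/24"), ip_network("0.0.0.0/0")
HOST_C_TUN_IP = ip_address("10.8.0.6")        # Host C's tunnel endpoint (constructed)

# Addresses owned by each node (constructed).
OWNS = {"client_c": {"192.168.20.50"}, "host_c": {"192.168.20.1", "10.8.0.6"},
        "host_a": {"192.168.10.1", "10.8.0.1"}, "pc_a": {"192.168.10.100"}}
# Routing tables: (prefix, next hop), "direct" = connected network.
# Host A is a plain remote-access server: it knows the tunnel net, not LAN_C.
ROUTES = {"client_c": [(LAN_C, "direct"), (ANY, "host_c")],
          "host_c": [(LAN_C, "direct"), (TUN, "direct"), (LAN_A, "host_a")],
          "host_a": [(LAN_A, "direct"), (TUN, "direct")],
          "pc_a": [(LAN_A, "direct"), (ANY, "host_a")]}

def owner(ip):
    return next(n for n, addrs in OWNS.items() if str(ip) in addrs)

def next_hop(node, dst):
    """Longest-prefix match; None means the packet is dropped (no route)."""
    matches = [(p, h) for p, h in ROUTES[node] if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def deliver(src_node, dst):
    """Hop-by-hop path to the node owning dst, or None if a hop has no route."""
    path, node = [src_node], src_node
    while str(dst) not in OWNS[node]:
        hop = next_hop(node, dst)
        if hop is None:
            return None
        node = owner(dst) if hop == "direct" else hop
        path.append(node)
    return path

def ping(src, dst, outbound_nat_on_ovpn):
    """Return (request_path, reply_path); a None reply_path is one-way traffic."""
    src, dst = ip_address(src), ip_address(dst)
    req = deliver(owner(src), dst)
    if req is None:
        return None, None
    # Manual outbound NAT on Host C's OpenVPN interface rewrites the source of
    # LAN_C packets leaving over the tunnel to Host C's tunnel IP, which Host A
    # can route back to; without it the reply needs a route to LAN_C that
    # a remote-access server never learned.
    natted = outbound_nat_on_ovpn and "host_c" in req and src in LAN_C
    return req, deliver(owner(dst), HOST_C_TUN_IP if natted else src)

if __name__ == "__main__":
    for nat in (False, True):
        print("NAT" if nat else "no NAT", ping("192.168.20.50", "192.168.10.100", nat))
```

Without NAT the request arrives but the reply dies at Host A for lack of a route to LAN_C, which is the "connected but cannot ping" symptom; with NAT the reply is addressed to the tunnel IP and returns to Host C.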
