Why can I not reach my clients from the LAN?



  • Still chasing this problem … a client connects and can successfully use LAN resources (eg, 10.16.23.99), but from the LAN cannot connect to the client's IP (eg, 10.16.2.6).  Would like to be able to SSH to the client machine.

    It seems like this should "just work" but traffic from the LAN gets to the pfSense and goes no further.

    
    pfSense shell: print_r($config['openvpn']);
    pfSense shell: exec
    Array
    (
        [openvpn-server] => Array
            (
                [0] => Array
                    (
                        [vpnid] => 1
                        [mode] => server_tls_user
                        [authmode] => Local Database
                        [protocol] => TCP
                        [dev_mode] => tun
                        [ipaddr] =>
                        [interface] => wan
                        [local_port] => 443
                        [description] => Datacenter01
                        [custom_options] =>
                        [tls] => Iw0K....0tLQ0K
                        [caref] => 520.....f8ff
                        [crlref] => 521.....2d904
                        [certref] => 520.......2ed4
                        [dh_length] => 1024
                        [cert_depth] => 1
                        [strictusercn] =>
                        [crypto] => AES-256-CBC
                        [engine] => none
                        [tunnel_network] => 10.16.2.0/24
                        [remote_network] =>
                        [gwredir] =>
                        [local_network] => 10.16.23.0/24
                        [maxclients] => 16
                        [compression] =>
                        [passtos] =>
                        [client2client] => yes
                        [dynamic_ip] => yes
                        [pool_enable] => yes
                        [dns_domain] => a01.example.com
                        [dns_server1] => 10.16.23.1
                        [dns_server2] =>
                        [dns_server3] =>
                        [dns_server4] =>
                        [ntp_server1] => 10.16.23.1
                        [ntp_server2] =>
                        [netbios_enable] =>
                        [netbios_ntype] => 0
                        [netbios_scope] =>
                    )
    
            )
    
    


  • You are right - It should just work.

    What is your Client?  Might it be a firewall issue on the client end?

    I'm running a typical road-warrior config. on my home network.

    I allow interclient comms, I route all traffic through VPN - I do supply DNS Default Domain.



  • Client is a mac running Viscosity with the firewall configured to allow port 80 and 22 from anywhere.
    From the pfSense, when the client is connected I can hit the HTTPd on the tun IP:

    
    [2.0.3-RELEASE][root@pfSense.a01.example.com]/root(15): fetch -o - http://10.16.2.10
    -                                             100% of   44  B  596 kBps
    
    # It works!
    
    

    However, from another machine on the LAN I can't reach that address (and the pfSense is the LAN default gw).

    It appears this is something to do with routing rather than the OpenVPN configuration.  Makes me wonder how pfSense is supposed to get traffic to 10.16.2.10 via 10.16.2.2.

    
    [2.0.3-RELEASE][root@pfSense.a01.example.com]/root(16): netstat -rnfinet | grep 10.
    10.16.2.0/24       10.16.2.2          UGS         0     3484 ovpns1
    10.16.2.1          link#7             UHS         0        0    lo0
    10.16.2.2          link#7             UH          0        0 ovpns1
    10.16.23.0/24      link#1             U           0  9529256    em0
    10.16.23.1         link#1             UHS         0        0    lo0
    
    


  • Well - For me, it just works.

    Are you exporting your configuration via client export package or manually finger poking it?

    (assuming you don't have overlapping network subnets, this should also just work for you)



  • I'm exporting it with the client export utility.  The client config looks like this:

    
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote 66.77.67.200 443 tcp
    tls-remote pfSense-cert
    auth-user-pass
    pkcs12 pfSense-TCP-443-jg3.p12
    tls-auth pfSense-TCP-443-jg3-tls.key 1
    
    

    I'll note that this firewall was installed fresh on 2.0.3, no upgrade to get here.



  • Firewalls on the client?



  • see reply #2 ?



  • I don't know - Using a windows machine with similar system ping and SSH both work.



  • Do you have any firewall rules with policy-routing on LAN? Those might be forcing new flows initiated from LAN down a real WAN. But to get to the OpenVPN clients pfSense needs to just give the packet/flow to the ordinary routing for delivery.
    Or a firewall rule on LAN that ends up blocking traffic to the OpenVPN tunnel network?


  • Banned

    Do you have latest version of Viscosity installed?


  • LAYER 8 Global Moderator

    Are you doing something weird with your nats?  Are you setup for automatic or manual?

    That route looks correct to me.  If your clients are 10.16.2.0/24

    What does traceroute from lan box to vpn client do?  your lan boxes are pointing to this pfsense box as their default gateway? And what is the mask on the lan clients?  You don't have a overlapping network do you where the lan clients think 10.16.2 is local to their connection?



  • @phil.davis:

    Do you have any firewall rules with policy-routing on LAN? Those might be forcing new flows initiated from LAN down a real WAN. But to get to the OpenVPN clients pfSense needs to just give the packet/flow to the ordinary routing for delivery.
    Or a firewall rule on LAN that ends up blocking traffic to the OpenVPN tunnel network?

    Thanks for the help.  I understand what you're saying, but it seems like "pfSense … just giv[ing] the packet/flow to the ordinary routing for delivery" is not happening for some reason.

    I don't have any policy-routing at all.

    My firewall rules are all very simple:

    • Allow anything from the LAN outbound (Default LAN to any rule)

    • Allow anything from anywhere on the OpenVPN rule tab (Default OpenVPN wizard rule)

    WAN rules don't apply in this case, but they are:

    • allow traffic for one port in to a 1:1 NAT'ed host
    • allow traffic in to the firewall IP on TCP:443 for OpenVPN


  • @doktornotor:

    Do you have latest version of Viscosity installed?

    Yes.  1.4.4.



  • @johnpoz:

    Are you doing something weird with your nats?  Are you setup for automatic or manual?

    That route looks correct to me.  If your clients are 10.16.2.0/24

    What does traceroute from lan box to vpn client do?  your lan boxes are pointing to this pfsense box as their default gateway? And what is the mask on the lan clients?  You don't have a overlapping network do you where the lan clients think 10.16.2 is local to their connection?

    I have automatic NAT.    LAN hosts use the pfSense firewall as their default gateway.  LAN hosts have /24 mask, the LAN and VPN client networks do not overlap (10.16.23.0/24 v. 10.16.2.0/24).

    Traceroute from the LAN host to the VPN client address hits the firewall and hangs:

    
    jge@bigsister:~$ traceroute -n 10.16.2.10
    traceroute to 10.16.2.10 (10.16.2.10), 30 hops max, 60 byte packets
     1  10.16.23.1  0.241 ms  0.210 ms  0.197 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *
    
    

    The LAN host here, is 1:1 NAT'ed behind a public IP (not the firewall's).    That's the only thing I can imagine is problematic, but I'm not sure how to pinpoint / fix it.



  • @jg3:

    The LAN host here, is 1:1 NAT'ed behind a public IP (not the firewall's).    That's the only thing I can imagine is problematic, but I'm not sure how to pinpoint / fix it.

    Fixed!  Thanks for the help johnpoz, your questions set me in the right direction (finally).

    I disabled a 1:1 NAT rule I had created that applied to the LAN host on the OpenVPN interface and now the LAN machine can reach the VPN clients.  Great.

    I had implemented this rule to cover a corner case of no-split VPN clients needing NAT reflection, discussed here:
    http://forum.pfsense.org/index.php/topic,65793.msg359377.html


Log in to reply