Netgate Discussion Forum
    Why can I not reach my clients from the LAN?

    OpenVPN
    15 Posts 5 Posters 2.9k Views
    jg3:

      Still chasing this problem … a client connects and can successfully use LAN resources (e.g., 10.16.23.99), but from the LAN I cannot connect to the client's IP (e.g., 10.16.2.6). I would like to be able to SSH to the client machine.

      It seems like this should "just work" but traffic from the LAN gets to the pfSense and goes no further.

      
      pfSense shell: print_r($config['openvpn']);
      pfSense shell: exec
      Array
      (
          [openvpn-server] => Array
              (
                  [0] => Array
                      (
                          [vpnid] => 1
                          [mode] => server_tls_user
                          [authmode] => Local Database
                          [protocol] => TCP
                          [dev_mode] => tun
                          [ipaddr] =>
                          [interface] => wan
                          [local_port] => 443
                          [description] => Datacenter01
                          [custom_options] =>
                          [tls] => Iw0K....0tLQ0K
                          [caref] => 520.....f8ff
                          [crlref] => 521.....2d904
                          [certref] => 520.......2ed4
                          [dh_length] => 1024
                          [cert_depth] => 1
                          [strictusercn] =>
                          [crypto] => AES-256-CBC
                          [engine] => none
                          [tunnel_network] => 10.16.2.0/24
                          [remote_network] =>
                          [gwredir] =>
                          [local_network] => 10.16.23.0/24
                          [maxclients] => 16
                          [compression] =>
                          [passtos] =>
                          [client2client] => yes
                          [dynamic_ip] => yes
                          [pool_enable] => yes
                          [dns_domain] => a01.example.com
                          [dns_server1] => 10.16.23.1
                          [dns_server2] =>
                          [dns_server3] =>
                          [dns_server4] =>
                          [ntp_server1] => 10.16.23.1
                          [ntp_server2] =>
                          [netbios_enable] =>
                          [netbios_ntype] => 0
                          [netbios_scope] =>
                      )
              )
      )
    kejianshi:

        You are right - It should just work.

        What is your Client?  Might it be a firewall issue on the client end?

        I'm running a typical road-warrior config. on my home network.

        I allow interclient comms, I route all traffic through VPN - I do supply DNS Default Domain.

    jg3:

          Client is a Mac running Viscosity, with the firewall configured to allow ports 80 and 22 from anywhere.
          From the pfSense, when the client is connected I can hit the HTTPd on the tun IP:

          [2.0.3-RELEASE][root@pfSense.a01.example.com]/root(15): fetch -o - http://10.16.2.10
          -                                             100% of   44  B  596 kBps
          # It works!

          However, from another machine on the LAN I can't reach that address (and the pfSense is the LAN default gw).

          It appears this is something to do with routing rather than the OpenVPN configuration.  Makes me wonder how pfSense is supposed to get traffic to 10.16.2.10 via 10.16.2.2.

          
          [2.0.3-RELEASE][root@pfSense.a01.example.com]/root(16): netstat -rnfinet | grep 10.
          10.16.2.0/24       10.16.2.2          UGS         0     3484 ovpns1
          10.16.2.1          link#7             UHS         0        0    lo0
          10.16.2.2          link#7             UH          0        0 ovpns1
          10.16.23.0/24      link#1             U           0  9529256    em0
          10.16.23.1         link#1             UHS         0        0    lo0
          
          
    kejianshi:

            Well - For me, it just works.

            Are you exporting your configuration via client export package or manually finger poking it?

            (assuming you don't have overlapping network subnets, this should also just work for you)

    jg3:

              I'm exporting it with the client export utility.  The client config looks like this:

              
              dev tun
              persist-tun
              persist-key
              cipher AES-256-CBC
              tls-client
              client
              resolv-retry infinite
              remote 66.77.67.200 443 tcp
              tls-remote pfSense-cert
              auth-user-pass
              pkcs12 pfSense-TCP-443-jg3.p12
              tls-auth pfSense-TCP-443-jg3-tls.key 1
              
              

              I'll note that this firewall was installed fresh on 2.0.3, no upgrade to get here.

    kejianshi:

                Firewalls on the client?

    jg3:

    See reply #2?

    kejianshi:

    I don't know. Using a Windows machine with a similar setup, ping and SSH both work.

    phil.davis:

    Do you have any firewall rules with policy routing on LAN? Those might be forcing new flows initiated from LAN down a real WAN. But to get to the OpenVPN clients, pfSense needs to just hand the packet/flow to ordinary routing for delivery.
    Or a firewall rule on LAN that ends up blocking traffic to the OpenVPN tunnel network?


    doktornotor:

                        Do you have latest version of Viscosity installed?

    johnpoz:

    Are you doing something weird with your NATs? Are you set up for automatic or manual?

    That route looks correct to me, if your clients are 10.16.2.0/24.

    What does traceroute from a LAN box to a VPN client do? Are your LAN boxes pointing to this pfSense box as their default gateway? And what is the mask on the LAN clients? You don't have an overlapping network, do you, where the LAN clients think 10.16.2 is local to their connection?


    jg3:

                            @phil.davis:

    Do you have any firewall rules with policy routing on LAN? Those might be forcing new flows initiated from LAN down a real WAN. But to get to the OpenVPN clients, pfSense needs to just hand the packet/flow to ordinary routing for delivery.
    Or a firewall rule on LAN that ends up blocking traffic to the OpenVPN tunnel network?

    Thanks for the help. I understand what you're saying, but it seems like "pfSense … just giv[ing] the packet/flow to the ordinary routing for delivery" is not happening for some reason.

    I don't have any policy routing at all.

                            My firewall rules are all very simple:

                            • Allow anything from the LAN outbound (Default LAN to any rule)

                            • Allow anything from anywhere on the OpenVPN rule tab (Default OpenVPN wizard rule)

                            WAN rules don't apply in this case, but they are:

                            • allow traffic for one port in to a 1:1 NAT'ed host
                            • allow traffic in to the firewall IP on TCP:443 for OpenVPN
    jg3:

                              @doktornotor:

                              Do you have latest version of Viscosity installed?

    Yes, 1.4.4.

    jg3:

                                @johnpoz:

    Are you doing something weird with your NATs? Are you set up for automatic or manual?

    That route looks correct to me, if your clients are 10.16.2.0/24.

    What does traceroute from a LAN box to a VPN client do? Are your LAN boxes pointing to this pfSense box as their default gateway? And what is the mask on the LAN clients? You don't have an overlapping network, do you, where the LAN clients think 10.16.2 is local to their connection?

    I have automatic NAT. LAN hosts use the pfSense firewall as their default gateway. LAN hosts have a /24 mask, and the LAN and VPN client networks do not overlap (10.16.23.0/24 vs. 10.16.2.0/24).

                                Traceroute from the LAN host to the VPN client address hits the firewall and hangs:

                                
                                jge@bigsister:~$ traceroute -n 10.16.2.10
                                traceroute to 10.16.2.10 (10.16.2.10), 30 hops max, 60 byte packets
                                 1  10.16.23.1  0.241 ms  0.210 ms  0.197 ms
                                 2  * * *
                                 3  * * *
                                 4  * * *
                                 5  * * *
                                
                                

    The LAN host here is 1:1 NAT'ed behind a public IP (not the firewall's). That's the only thing I can imagine is problematic, but I'm not sure how to pinpoint or fix it.

    jg3:

                                  @jg3:

    The LAN host here is 1:1 NAT'ed behind a public IP (not the firewall's). That's the only thing I can imagine is problematic, but I'm not sure how to pinpoint or fix it.

    Fixed! Thanks for the help johnpoz, your questions set me in the right direction (finally).

                                  I disabled a 1:1 NAT rule I had created that applied to the LAN host on the OpenVPN interface and now the LAN machine can reach the VPN clients.  Great.

                                  I had implemented this rule to cover a corner case of no-split VPN clients needing NAT reflection, discussed here:
                                  http://forum.pfsense.org/index.php/topic,65793.msg359377.html

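The fix in the last post, worked through as an added example (this is not code from the thread, from pfSense, or from OpenVPN): it walks one packet from a LAN host to the VPN client through the routing table shown in the netstat output above, once without and once with a 1:1 NAT (pf binat) rule for the LAN host on the OpenVPN interface, and then asks which interface the VPN client would use to answer the source address it saw. The pfSense routes for 10.16.2.0/24 and 10.16.23.0/24 are the ones from the thread; the LAN host address 10.16.23.50, the public address 203.0.113.10, the WAN interface name em1, and the client-side routing table (local_network and the tunnel network via the tunnel, everything else via the client's own uplink, since gwredir is empty) are assumptions.

```python
"""Walk a LAN -> OpenVPN-client packet through pfSense forwarding, with and
without the 1:1 (binat) rule the thread ends up disabling, then ask where
the VPN client's reply would go.

Added example, not code from the thread, pfSense or OpenVPN.  The pfSense
routes are those in the thread's netstat output; the LAN host address
10.16.23.50, the public address 203.0.113.10, the WAN interface em1 and
the client-side routing table are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass(frozen=True)
class Binat:
    """A pf 1:1 NAT rule bound to `iface`: packets from `internal` leaving
    that interface get source `external` (and replies to `external`
    arriving on it are mapped back to `internal`)."""
    iface: str
    internal: ipaddress.IPv4Address
    external: ipaddress.IPv4Address


def route(prefix, iface):
    return Route(ipaddress.ip_network(prefix), iface)


# pfSense kernel routes from the thread's `netstat -rnfinet` output; the
# default route via WAN (em1) is assumed, the grep in the thread hid it.
PFSENSE_ROUTES = [
    route("10.16.2.0/24", "ovpns1"),
    route("10.16.23.0/24", "em0"),
    route("0.0.0.0/0", "em1"),
]

# VPN client after connecting (assumed): local_network and the tunnel
# network go into the tunnel; gwredir is empty, so the default route is
# still the client's own uplink.
CLIENT_ROUTES = [
    route("10.16.23.0/24", "tun0"),
    route("10.16.2.0/24", "tun0"),
    route("0.0.0.0/0", "en0"),
]

LAN_HOST = "10.16.23.50"     # assumed address of the LAN box
VPN_CLIENT = "10.16.2.10"    # the client's tunnel address from the thread
PUBLIC_IP = "203.0.113.10"   # assumed 1:1 NAT public address

# The rule the thread's author had created: 1:1 NAT for the LAN host,
# bound to the OpenVPN interface instead of WAN.
BAD_RULE = Binat("ovpns1", ipaddress.ip_address(LAN_HOST),
                 ipaddress.ip_address(PUBLIC_IP))


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None


def forward(src, dst, binats):
    """Forward one packet through pfSense.  Returns the egress interface
    and the source address the next hop actually sees."""
    iface = lookup(PFSENSE_ROUTES, dst)
    src = ipaddress.ip_address(src)
    for b in binats:
        # binat only rewrites on the interface it is bound to
        if b.iface == iface and b.internal == src:
            src = b.external
    return iface, str(src)


def reply_iface(seen_src):
    """Interface the VPN client uses to answer the source it saw."""
    return lookup(CLIENT_ROUTES, seen_src)


def reply_returns_through_tunnel(src, dst, binats):
    """True when the client's reply is routed back into the tunnel, i.e.
    when a LAN -> client connection can actually complete."""
    _, seen = forward(src, dst, binats)
    return reply_iface(seen) == "tun0"


if __name__ == "__main__":
    for label, rules in (("without 1:1 rule", []),
                         ("with 1:1 rule on ovpns1", [BAD_RULE])):
        iface, seen = forward(LAN_HOST, VPN_CLIENT, rules)
        print(f"{label}: out {iface}, client sees src {seen}, "
              f"client replies via {reply_iface(seen)}")
```

Without the rule the client sees 10.16.23.50, which it has a tunnel route for, and the reply comes back through ovpns1. With the rule bound to ovpns1 the same packet leaves with source 203.0.113.10; the client has no tunnel route for that, so it answers via its own uplink and the reply never re-enters the tunnel or matches the firewall's state. That is consistent with the traceroute in the thread: the firewall answers as hop 1, the probes go out ovpns1, and nothing ever comes back. The practical check is `pfctl -s nat` on the firewall for any binat line on an ovpns interface, confirmed with `tcpdump -ni ovpns1` while connecting from the LAN: if the source address on the tunnel side is the public IP, a 1:1 rule is bound to the wrong interface.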
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.