[1.2RC3] Site-to-site ping problem
-
Hi !
I've got a ping problem with my VPN
LAN 1 (Server) : (with PfSense OpenVPN server 1.2RC3)
Protocol TCP
Server port :1193
Interface IP 192.168.1.0/24
Remote network 192.168.10.0/24LAN 2 (Client) : (PC on the LAN with OpenVPN client)
Protocol TCP
Port :1193
Interface IP 192.168.0.0/24In LAN1 et LAN2, the firewalls have been configured correctly
LAN2 can ping all machines in LAN1
But LAN1 can't ping nothing in LAN2I try traceroute in LAN1 to LAN2, it seem to be a firewall problem.
I check all routes and it's seem to be goodPfSense OpenVPN server config file : (/var/etc/openvpn_server0.conf)
writepid /var/run/openvpn_server0.pid #user nobody #group nobody daemon keepalive 10 60 ping-timer-rem persist-tun persist-key dev tun proto tcp-server cipher BF-CBC up /etc/rc.filter_configure down /etc/rc.filter_configure server 192.168.10.0 255.255.255.0 client-config-dir /var/etc/openvpn_csc lport 1193 route 192.168.0.0 255.255.255.0 ca /var/etc/openvpn_server0.ca cert /var/etc/openvpn_server0.cert key /var/etc/openvpn_server0.key dh /var/etc/openvpn_server0.dh comp-lzo persist-remote-ip float route 192.168.0.0 255.255.255.0 192.168.10.1Route table of PfSense OpenVPN server :
Destination Gateway Flags Refs Use Mtu Netif Expire default <wan_subnet>UGS 0 1675434 1500 vr0 <wan_subnet>link#2 UC 0 0 1500 vr0 <wan_gateway><mac_address>UHLW 2 4005 1500 vr0 1200 <wan_ipaddress>127.0.0.1 UGHS 0 0 16384 lo0 127.0.0.1 127.0.0.1 UH 1 0 16384 lo0 192.168.0 192.168.10.2 UGS 0 4070 1500 tun0 192.168.1 link#1 UC 0 0 1500 rl0 192.168.10 192.168.10.2 UGS 0 840 1500 tun0 192.168.10.2 192.168.10.1 UH 2 3 1500 tun0</wan_ipaddress></mac_address></wan_gateway></wan_subnet></wan_subnet>My client configuration :
# # Sample OpenVPN configuration file for # home using SSL/TLS mode and RSA certificates/keys. # # '#' or ';' may be used to delimit comments. client # Use a dynamic tun device. # For Linux 2.2 or non-Linux OSes, # you may want to use an explicit # unit number such as "tun1". # OpenVPN also supports virtual # ethernet "tap" devices. dev tun proto tcp-client # Our OpenVPN peer is the office gateway. remote x.x.x.x 1193 # 10.1.0.2 is our local VPN endpoint (home). # 10.1.0.1 is our remote VPN endpoint (office). ; ifconfig 192.168.10.2 192.168.10.1 # Our up script will establish routes # once the VPN is alive. ; up ./home.up # In SSL/TLS key exchange, Office will # assume server role and Home # will assume client role. tls-client # Certificate Authority file ca /etc/openvpn/keys/ca.crt # Our certificate/public key cert /etc/openvpn/keys/xxxx.crt # Our private key key /etc/openvpn/keys/xxxx.key # OpenVPN 2.0 uses UDP port 1194 by default # (official port assignment by iana.org 11/04). # OpenVPN 1.x uses UDP port 5000 by default. # Each OpenVPN tunnel must use # a different port number. # lport or rport can be used # to denote different ports # for local and remote. ; port 1193 # Downgrade UID and GID to # "nobody" after initialization # for extra security. ; user nobody ; group nogroup # If you built OpenVPN with # LZO compression, uncomment # out the following line. comp-lzo # Send a UDP ping to remote once # every 15 seconds to keep # stateful firewall connection # alive. Uncomment this # out if you are using a stateful # firewall. ; ping 15 # Uncomment this section for a more reliable detection when a system # loses its connection. For example, dial-ups or laptops that # travel to other locations. ; ping 15 ; ping-restart 45 ; ping-timer-rem persist-tun persist-key pull # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors. # 3 -- medium output, good for normal operation. # 9 -- verbose, good for troubleshooting verb 3 ns-cert-type server resolv-retry infinite nobind keepalive 10 60 ping-timer-remRoute table on OpenVPN PC client :
Destination Passerelle Genmask Indic Metric Ref Use Iface 192.168.10.1 192.168.10.5 255.255.255.255 UGH 0 0 0 tun0 192.168.10.5 * 255.255.255.255 UH 0 0 0 tun0 localnet * 255.255.255.0 U 0 0 0 eth0 default xxxxx 0.0.0.0 UG 0 0 0 eth0Thank for help
-
could it be that your client is firewalled?
-
could it be that your client is firewalled?
The firewall (iptables) on client is disabled.
I think it use WAN interface instead of TUN0 interface.
How to test this ?traceroute 192.168.0.1 traceroute to 192.168.0.1 (192.168.0.1), 64 hops max, 40 byte packets 1 * * * 2 * * *
-
I dont think so. because then the answer to your ping from the client wouldn never come back.
When you use the ping tool of pfSense itself. is that able to ping your client?
If not i think the problem is really somewhere with the client.btw: could you make a diagram of your network? i kind of dont get if you just want to connect a client via OpenVPN to your LAN or want to connect two different LAN's via VPN.
-
I dont think so. because then the answer to your ping from the client wouldn never come back.
When you use the ping tool of pfSense itself. is that able to ping your client?
If not i think the problem is really somewhere with the client.btw: could you make a diagram of your network? i kind of dont get if you just want to connect a client via OpenVPN to your LAN or want to connect two different LAN's via VPN.
Ping not responding on Pfsense server.
I want to connect 2 LAN via VPN : PC client on LAN2 connect to Pfsense OpenVPN server through WAN
LAN1 (192.168.1.0/24)
|
|
Pfsense (LAN IP : 192.168.1.1)
server
|
| WAN
|
Router (LAN IP : 192.168.0.1) (this router enable VPN pass-through)
|
|
LAN2 (192.168.0.0/24)
/
PC with OpenVPN client (IP : 192.168.0.10)Thanks for your help
-
Just to understand you right:
You want to have a client within LAN2 to connect to the pfSense of LAN1
and then be able to connect from every client within LAN1-subnet to every client withing LAN2-subnet?You have route entries in your server config that point traffic for 192.168.0.x to the pfSense from LAN1. This route entry should point the traffic to the client and not the pfSense itself (192.168.10.5 (this is the client)).
But clients in your LAN2 have the pfSense of LAN2 as gateway. you need to add a static route to your pfSense of LAN2 that points the subnet of your LAN1 to you client that initiates the VPN connection.
But why do you have a separate machine to run the tunnel from?
You can have the pfSense of your LAN2 as openVPN client. Then you dont need any static routes since the clients in LAN2 have their pfSense as gateway.
-
I had a very similar problem.
This turned out to be a policy routing issue. To enable LAN1 to ping/pass traffic to LAN2 from LAN1, I would try adding a firewall rule to LAN1 interface on the pfsense server allowing access to the remote LAN2 subnet through the DEFAULT gateway.
ie. something similar to:
Action: Pass
Interface: LAN (LAN1)
Source: LAN subnet,
Destination: 192.168.0.0/24
Gateway: default
Good Luck
-
Thanks for try to solve my problem ;)
My new network diagram is :
LAN1 (192.168.1.0/24)
|
|
Pfsense (LAN IP : 192.168.1.1)
server
|
| WAN
|
DD-WRT VPN Router (LAN IP : 192.168.0.1)
|
|
LAN2 (192.168.0.0/24)And now I can ping networks from LAN1 and LAN2
Now I would like PC on LAN1 use the Internet connection of LAN2 to access some public IP addresses.
What can I configure Pfsense to do this ?
-
http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657
or do you want just "some" addresses and not all?
-
http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657
or do you want just "some" addresses and not all?
Thanks but I just want some addresses and not all traffic to vpn tunnel ;)
