[1.2RC3] Site-to-site ping problem



  • Hi!

    I've got a ping problem with my VPN

    LAN 1 (Server) : (with PfSense OpenVPN server 1.2RC3)
    Protocol  TCP
    Server port :1193
    Interface IP  192.168.1.0/24
    Remote network  192.168.10.0/24

    LAN 2 (Client) : (PC on the LAN with OpenVPN client)
    Protocol  TCP
    Port :1193
    Interface IP  192.168.0.0/24

    In LAN1 and LAN2, the firewalls have been configured correctly.

    LAN2 can ping all machines in LAN1,
    but LAN1 can't ping anything in LAN2.

    I tried traceroute from LAN1 to LAN2; it seems to be a firewall problem.
    I checked all routes and they seem to be good.

    pfSense OpenVPN server config file (/var/etc/openvpn_server0.conf):

    
    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 192.168.10.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    lport 1193
    route 192.168.0.0 255.255.255.0
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    persist-remote-ip
    float
    route 192.168.0.0 255.255.255.0 192.168.10.1
    

    Route table of the pfSense OpenVPN server:

    Destination        Gateway            Flags   Refs   Use       Mtu     Netif   Expire
    default            <wan_subnet>       UGS     0      1675434   1500    vr0
    <wan_subnet>       link#2             UC      0      0         1500    vr0
    <wan_gateway>      <mac_address>      UHLW    2      4005      1500    vr0     1200
    <wan_ipaddress>    127.0.0.1          UGHS    0      0         16384   lo0
    127.0.0.1          127.0.0.1          UH      1      0         16384   lo0
    192.168.0          192.168.10.2       UGS     0      4070      1500    tun0
    192.168.1          link#1             UC      0      0         1500    rl0
    192.168.10         192.168.10.2       UGS     0      840       1500    tun0
    192.168.10.2       192.168.10.1       UH      2      3         1500    tun0
    

    My client configuration:

    
    #
    # Sample OpenVPN configuration file for
    # home using SSL/TLS mode and RSA certificates/keys.
    #
    # '#' or ';' may be used to delimit comments.
    
    client
    
    # Use a dynamic tun device.
    # For Linux 2.2 or non-Linux OSes,
    # you may want to use an explicit
    # unit number such as "tun1".
    # OpenVPN also supports virtual
    # ethernet "tap" devices.
    dev tun
    
    proto tcp-client
    
    # Our OpenVPN peer is the office gateway.
    remote x.x.x.x 1193
    
    # 10.1.0.2 is our local VPN endpoint (home).
    # 10.1.0.1 is our remote VPN endpoint (office).
    ; ifconfig 192.168.10.2 192.168.10.1
    
    # Our up script will establish routes
    # once the VPN is alive.
    ; up ./home.up
    
    # In SSL/TLS key exchange, Office will
    # assume server role and Home
    # will assume client role.
    tls-client
    
    # Certificate Authority file
    ca /etc/openvpn/keys/ca.crt
    
    # Our certificate/public key
    cert /etc/openvpn/keys/xxxx.crt
    
    # Our private key
    key /etc/openvpn/keys/xxxx.key
    
    # OpenVPN 2.0 uses UDP port 1194 by default
    # (official port assignment by iana.org 11/04).
    # OpenVPN 1.x uses UDP port 5000 by default.
    # Each OpenVPN tunnel must use
    # a different port number.
    # lport or rport can be used
    # to denote different ports
    # for local and remote.
    ; port 1193
    
    # Downgrade UID and GID to
    # "nobody" after initialization
    # for extra security.
    ; user nobody
    ; group nogroup
    
    # If you built OpenVPN with
    # LZO compression, uncomment
    # out the following line.
    comp-lzo
    
    # Send a UDP ping to remote once
    # every 15 seconds to keep
    # stateful firewall connection
    # alive.  Uncomment this
    # out if you are using a stateful
    # firewall.
    ; ping 15
    
    # Uncomment this section for a more reliable detection when a system
    # loses its connection.  For example, dial-ups or laptops that
    # travel to other locations.
    ; ping 15
    ; ping-restart 45
    ; ping-timer-rem
    persist-tun
    persist-key
    
    pull
    
    # Verbosity level.
    # 0 -- quiet except for fatal errors.
    # 1 -- mostly quiet, but display non-fatal network errors.
    # 3 -- medium output, good for normal operation.
    # 9 -- verbose, good for troubleshooting
    verb 3
    
    ns-cert-type server
    resolv-retry infinite
    nobind
    keepalive 10 60
    ping-timer-rem
    
    

    Route table on the OpenVPN PC client:

    Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
    192.168.10.1    192.168.10.5    255.255.255.255 UGH   0      0        0 tun0
    192.168.10.5    *               255.255.255.255 UH    0      0        0 tun0
    localnet        *               255.255.255.0   U     0      0        0 eth0
    default         xxxxx           0.0.0.0         UG    0      0        0 eth0
    
    

    Thanks for your help



  • Could it be that your client is firewalled?



  • @GruensFroeschli:

    Could it be that your client is firewalled?

    The firewall (iptables) on client is disabled.

    I think it uses the WAN interface instead of the tun0 interface.
    How can I test this?

    traceroute 192.168.0.1
    traceroute to 192.168.0.1 (192.168.0.1), 64 hops max, 40 byte packets
     1  * * *
     2  * * *
    


  • I don't think so, because then the answer to your ping from the client would never come back.
    When you use the ping tool of pfSense itself, is that able to ping your client?
    If not, I think the problem is really somewhere with the client.

    BTW: could you make a diagram of your network? I kind of don't get whether you just want to connect a client via OpenVPN to your LAN or want to connect two different LANs via VPN.



  • @GruensFroeschli:

    I don't think so, because then the answer to your ping from the client would never come back.
    When you use the ping tool of pfSense itself, is that able to ping your client?
    If not, I think the problem is really somewhere with the client.

    BTW: could you make a diagram of your network? I kind of don't get whether you just want to connect a client via OpenVPN to your LAN or want to connect two different LANs via VPN.

    Ping gets no response from the pfSense server.

    I want to connect 2 LANs via VPN: the PC client on LAN2 connects to the pfSense OpenVPN server through the WAN.

    LAN1  (192.168.1.0/24)
        |
        |
    Pfsense  (LAN IP : 192.168.1.1)
      server
        |
        |  WAN
        |
      Router (LAN IP : 192.168.0.1)      (this router enables VPN pass-through)
        |
        |   
      LAN2 (192.168.0.0/24)
        /
    PC with OpenVPN client  (IP : 192.168.0.10)

    Thanks for your help



  • Just to make sure I understand you right:
    You want a client within LAN2 to connect to the pfSense of LAN1,
    and then be able to connect from every client within the LAN1 subnet to every client within the LAN2 subnet?

    You have route entries in your server config that point traffic for 192.168.0.x to the pfSense of LAN1. This route entry should point the traffic to the client and not to the pfSense itself (192.168.10.5, which is the client).

    But clients in your LAN2 have the pfSense of LAN2 as gateway. You need to add a static route to your pfSense of LAN2 that points the subnet of your LAN1 to your client that initiates the VPN connection.

    But why do you have a separate machine to run the tunnel from?
    You can have the pfSense of your LAN2 as OpenVPN client. Then you don't need any static routes, since the clients in LAN2 have their pfSense as gateway.
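The route entry discussed above has an OpenVPN-side counterpart: in server mode the daemon only forwards packets for a remote LAN to a connected client if a client-config-dir file for that client claims the LAN with OpenVPN's `iroute` directive, which the thread's config never mentions. The checker below is an added example, not code from this thread or from pfSense; its server config and ccd entries are constructed after the posted configuration, and the client CN `lan2-client` is hypothetical.

```python
"""Check an OpenVPN site-to-site server config for the one-way symptom:
a remote LAN reachable through tun0 via `route`, but no client-config-dir
(ccd) entry claiming it with `iroute`, so the daemon has nowhere to send it."""
import ipaddress
from collections import Counter

# Constructed sample modelled on the thread's /var/etc/openvpn_server0.conf,
# trimmed to the routing directives (note the route declared twice).
SERVER_CONF = """
server 192.168.10.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
route 192.168.0.0 255.255.255.0
route 192.168.0.0 255.255.255.0 192.168.10.1
"""
# Constructed ccd files keyed by client certificate CN (hypothetical CN).
CCD_BROKEN = {"lan2-client": "# nothing here\n"}
CCD_FIXED = {"lan2-client": "iroute 192.168.0.0 255.255.255.0\n"}


def parse_directives(text):
    """Yield (directive, args) pairs; '#' and ';' start comments in OpenVPN."""
    for line in text.splitlines():
        words = line.split("#", 1)[0].split(";", 1)[0].split()
        if words:
            yield words[0], words[1:]


def check_site_to_site(server_conf, ccd_files):
    """Return findings as strings; an empty list means routing is consistent."""
    routes = [ipaddress.ip_network(f"{a[0]}/{a[1]}")
              for d, a in parse_directives(server_conf) if d == "route"]
    iroutes = {ipaddress.ip_network(f"{a[0]}/{a[1]}"): cn
               for cn, body in ccd_files.items()
               for d, a in parse_directives(body) if d == "iroute"}
    findings = []
    for net, count in Counter(routes).items():
        if count > 1:
            findings.append(f"route {net} declared {count} times")
        if net not in iroutes:
            findings.append(f"route {net} has no matching iroute in any ccd file")
    for net, cn in iroutes.items():
        if net not in routes:  # ccd claims a LAN the kernel never routes to tun
            findings.append(f"iroute {net} in ccd/{cn} has no kernel route")
    return findings


if __name__ == "__main__":
    for label, ccd in (("broken", CCD_BROKEN), ("fixed", CCD_FIXED)):
        print(label, check_site_to_site(SERVER_CONF, ccd) or ["ok"])
```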



  • I had a very similar problem.

    This turned out to be a policy routing issue.  To enable LAN1 to ping/pass traffic to LAN2 from LAN1, I would try adding a firewall rule to the LAN1 interface on the pfSense server allowing access to the remote LAN2 subnet through the DEFAULT gateway.

    i.e. something similar to:

    Action: Pass
    Interface: LAN (LAN1)
    Source: LAN subnet
    Destination: 192.168.0.0/24
    Gateway: default
    Good Luck



  • Thanks for trying to solve my problem ;)

    My new network diagram is:

    LAN1  (192.168.1.0/24)
        |
        |
    Pfsense  (LAN IP : 192.168.1.1)
      server
        |
        |  WAN
        |
      DD-WRT VPN Router (LAN IP : 192.168.0.1)
        |
        |   
      LAN2 (192.168.0.0/24)

    And now I can ping networks from LAN1 and LAN2

    Now I would like PCs on LAN1 to use the Internet connection of LAN2 to access some public IP addresses.
    What can I configure in pfSense to do this?



  • http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657

    or do you want just "some" addresses and not all?



  • @GruensFroeschli:

    http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657

    or do you want just "some" addresses and not all?

    Thanks, but I just want some addresses and not all traffic through the VPN tunnel ;)

