Netgate Discussion Forum

    [1.2RC3] Site-to-site ping problem

    OpenVPN
    10 Posts 3 Posters 7.4k Views
    stormscratcher

      Hi!

      I've got a ping problem with my VPN.

      LAN 1 (Server): (with pfSense OpenVPN server 1.2RC3)
      Protocol: TCP
      Server port: 1193
      Interface IP: 192.168.1.0/24
      Remote network: 192.168.10.0/24

      LAN 2 (Client): (PC on the LAN with OpenVPN client)
      Protocol: TCP
      Port: 1193
      Interface IP: 192.168.0.0/24

      In LAN1 and LAN2, the firewalls have been configured correctly.

      LAN2 can ping all machines in LAN1,
      but LAN1 can't ping anything in LAN2.

      I tried a traceroute from LAN1 to LAN2; it seems to be a firewall problem.
      I checked all routes and they seem to be good.

      pfSense OpenVPN server config file (/var/etc/openvpn_server0.conf):

      
      writepid /var/run/openvpn_server0.pid
      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto tcp-server
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      server 192.168.10.0 255.255.255.0
      client-config-dir /var/etc/openvpn_csc
      lport 1193
      route 192.168.0.0 255.255.255.0
      ca /var/etc/openvpn_server0.ca
      cert /var/etc/openvpn_server0.cert
      key /var/etc/openvpn_server0.key
      dh /var/etc/openvpn_server0.dh
      comp-lzo
      persist-remote-ip
      float
      route 192.168.0.0 255.255.255.0 192.168.10.1
      

      Route table of the pfSense OpenVPN server:

      Destination       Gateway           Flags   Refs   Use       Mtu     Netif   Expire
      default           <wan_subnet>      UGS     0      1675434   1500    vr0
      <wan_subnet>      link#2            UC      0      0         1500    vr0
      <wan_gateway>     <mac_address>     UHLW    2      4005      1500    vr0     1200
      <wan_ipaddress>   127.0.0.1         UGHS    0      0         16384   lo0
      127.0.0.1         127.0.0.1         UH      1      0         16384   lo0
      192.168.0         192.168.10.2      UGS     0      4070      1500    tun0
      192.168.1         link#1            UC      0      0         1500    rl0
      192.168.10        192.168.10.2      UGS     0      840       1500    tun0
      192.168.10.2      192.168.10.1      UH      2      3         1500    tun0
      

      My client configuration:

      
      #
      # Sample OpenVPN configuration file for
      # home using SSL/TLS mode and RSA certificates/keys.
      #
      # '#' or ';' may be used to delimit comments.
      
      client
      
      # Use a dynamic tun device.
      # For Linux 2.2 or non-Linux OSes,
      # you may want to use an explicit
      # unit number such as "tun1".
      # OpenVPN also supports virtual
      # ethernet "tap" devices.
      dev tun
      
      proto tcp-client
      
      # Our OpenVPN peer is the office gateway.
      remote x.x.x.x 1193
      
      # 10.1.0.2 is our local VPN endpoint (home).
      # 10.1.0.1 is our remote VPN endpoint (office).
      ; ifconfig 192.168.10.2 192.168.10.1
      
      # Our up script will establish routes
      # once the VPN is alive.
      ; up ./home.up
      
      # In SSL/TLS key exchange, Office will
      # assume server role and Home
      # will assume client role.
      tls-client
      
      # Certificate Authority file
      ca /etc/openvpn/keys/ca.crt
      
      # Our certificate/public key
      cert /etc/openvpn/keys/xxxx.crt
      
      # Our private key
      key /etc/openvpn/keys/xxxx.key
      
      # OpenVPN 2.0 uses UDP port 1194 by default
      # (official port assignment by iana.org 11/04).
      # OpenVPN 1.x uses UDP port 5000 by default.
      # Each OpenVPN tunnel must use
      # a different port number.
      # lport or rport can be used
      # to denote different ports
      # for local and remote.
      ; port 1193
      
      # Downgrade UID and GID to
      # "nobody" after initialization
      # for extra security.
      ; user nobody
      ; group nogroup
      
      # If you built OpenVPN with
      # LZO compression, uncomment
      # out the following line.
      comp-lzo
      
      # Send a UDP ping to remote once
      # every 15 seconds to keep
      # stateful firewall connection
      # alive.  Uncomment this
      # out if you are using a stateful
      # firewall.
      ; ping 15
      
      # Uncomment this section for a more reliable detection when a system
      # loses its connection.  For example, dial-ups or laptops that
      # travel to other locations.
      ; ping 15
      ; ping-restart 45
      ; ping-timer-rem
      persist-tun
      persist-key
      
      pull
      
      # Verbosity level.
      # 0 -- quiet except for fatal errors.
      # 1 -- mostly quiet, but display non-fatal network errors.
      # 3 -- medium output, good for normal operation.
      # 9 -- verbose, good for troubleshooting
      verb 3
      
      ns-cert-type server
      resolv-retry infinite
      nobind
      keepalive 10 60
      ping-timer-rem
      
      

      Route table on the OpenVPN PC client:

      Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
      192.168.10.1    192.168.10.5    255.255.255.255 UGH   0      0        0 tun0
      192.168.10.5    *               255.255.255.255 UH    0      0        0 tun0
      localnet        *               255.255.255.0   U     0      0        0 eth0
      default         xxxxx           0.0.0.0         UG    0      0        0 eth0
      
      

      Thanks for your help.
      GruensFroeschli

        Could it be that your client is firewalled?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        stormscratcher

          @GruensFroeschli:

          Could it be that your client is firewalled?

          The firewall (iptables) on the client is disabled.

          I think it uses the WAN interface instead of the tun0 interface.
          How can I test this?

          traceroute 192.168.0.1
          traceroute to 192.168.0.1 (192.168.0.1), 64 hops max, 40 byte packets
           1  * * *
           2  * * *
          
          GruensFroeschli

            I don't think so, because then the answer to your ping from the client would never come back.
            When you use the ping tool of pfSense itself, is that able to ping your client?
            If not, I think the problem is really somewhere with the client.

            btw: could you make a diagram of your network? I kind of don't get whether you just want to connect a client via OpenVPN to your LAN or want to connect two different LANs via VPN.
            stormscratcher

              @GruensFroeschli:

              I don't think so, because then the answer to your ping from the client would never come back.
              When you use the ping tool of pfSense itself, is that able to ping your client?
              If not, I think the problem is really somewhere with the client.

              btw: could you make a diagram of your network? I kind of don't get whether you just want to connect a client via OpenVPN to your LAN or want to connect two different LANs via VPN.

              Ping does not respond on the pfSense server.

              I want to connect 2 LANs via VPN: the PC client on LAN2 connects to the pfSense OpenVPN server through the WAN.

              LAN1  (192.168.1.0/24)
                  |
                  |
              Pfsense  (LAN IP : 192.168.1.1)
                server
                  |
                  |  WAN
                  |
                Router (LAN IP : 192.168.0.1)      (this router enable VPN pass-through)
                  |
                  |   
                LAN2 (192.168.0.0/24)
                  /
              PC with OpenVPN client  (IP : 192.168.0.10)

              Thanks for your help.

              GruensFroeschli

                Just to understand you right:
                You want to have a client within LAN2 connect to the pfSense of LAN1,
                and then be able to connect from every client within the LAN1 subnet to every client within the LAN2 subnet?

                You have route entries in your server config that point traffic for 192.168.0.x to the pfSense of LAN1. This route entry should point the traffic to the client and not to the pfSense itself (192.168.10.5, this is the client).

                But clients in your LAN2 have the pfSense of LAN2 as gateway. You need to add a static route to your pfSense of LAN2 that points the subnet of your LAN1 to your client that initiates the VPN connection.

                But why do you have a separate machine to run the tunnel from?
                You can have the pfSense of your LAN2 as OpenVPN client. Then you don't need any static routes, since the clients in LAN2 have their pfSense as gateway.

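A small consistency check for the routing problem described in the reply above, added here as an example and not taken from the thread or from pfSense: it parses an OpenVPN server config together with the client-config-dir files and flags a `route` that points at the server's own tunnel address, or a remote subnet that no client claims with an `iroute`. The `iroute` directive is standard OpenVPN usage for telling the server which client owns a subnet; the client name `lan2-client` and the CCD contents are constructed for the example.

```python
"""Consistency check for a routed (tun) OpenVPN site-to-site setup."""
import ipaddress
import re

# Constructed sample modelled on the server config quoted in the thread.
SERVER_CONF = """
server 192.168.10.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
route 192.168.0.0 255.255.255.0
route 192.168.0.0 255.255.255.0 192.168.10.1
"""
# Hypothetical client-config-dir contents, keyed by client common name.
CCD_FILES = {"lan2-client": "iroute 192.168.0.0 255.255.255.0\n"}


def _nets(text, directive):
    """Yield (network, gateway_or_None) for each '<directive> net mask [gw]' line."""
    pat = rf"^\s*{directive}\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$"
    for m in re.finditer(pat, text, re.M):
        yield ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]


def check_site_to_site(server_conf, ccd_files):
    """Return human-readable findings; an empty list means the config is consistent."""
    findings = []
    srv = list(_nets(server_conf, "server"))
    if not srv:
        return ["no 'server' directive found"]
    # OpenVPN assigns the server the first host address of the tunnel network.
    server_tun_ip = str(next(srv[0][0].hosts()))
    claimed = {}  # remote subnet -> clients whose CCD file iroutes it
    for cn, text in ccd_files.items():
        for net, _ in _nets(text, "iroute"):
            claimed.setdefault(net, []).append(cn)
    for net, gw in _nets(server_conf, "route"):
        if gw == server_tun_ip:
            findings.append(f"route {net} points at the server's own tunnel IP {gw}")
        owners = claimed.get(net, [])
        if not owners:
            findings.append(f"route {net} has no matching iroute in any CCD file")
        elif len(owners) > 1:
            findings.append(f"route {net} is claimed by several clients: {owners}")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONF, CCD_FILES):
        print("WARN:", finding)
```

Run against the sample, it reports only the second `route` line, whose gateway is the server's own tunnel address; remove the CCD file and it also reports that nobody claims 192.168.0.0/24.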
                nastraga

                  I had a very similar problem.

                  This turned out to be a policy routing issue. To enable LAN1 to ping/pass traffic to LAN2, I would try adding a firewall rule on the LAN1 interface of the pfSense server allowing access to the remote LAN2 subnet through the DEFAULT gateway.

                  i.e. something similar to:

                  Action: Pass
                  Interface: LAN (LAN1)
                  Source: LAN subnet
                  Destination: 192.168.0.0/24
                  Gateway: default

                  Good luck
                  stormscratcher

                    Thanks for trying to solve my problem ;)

                    My new network diagram is:

                    LAN1  (192.168.1.0/24)
                        |
                        |
                    Pfsense  (LAN IP : 192.168.1.1)
                      server
                        |
                        |  WAN
                        |
                      DD-WRT VPN Router (LAN IP : 192.168.0.1)
                        |
                        |   
                      LAN2 (192.168.0.0/24)

                    And now I can ping the networks from LAN1 and LAN2.

                    Now I would like PCs on LAN1 to use the Internet connection of LAN2 to access some public IP addresses.
                    How can I configure pfSense to do this?

                    GruensFroeschli

                      http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657

                      Or do you want just "some" addresses and not all?

                      stormscratcher

                        @GruensFroeschli:

                        http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657

                        Or do you want just "some" addresses and not all?

                        Thanks, but I just want some addresses and not all traffic through the VPN tunnel ;)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.