Firewalling and VPN 101



  • pfSense 2.1.5 amd64
    OpenVPN site-to-site between four locations - A: server, B, C, D: client

    I can ping from all of the devices on the client networks to the pfsense server LAN interface but nothing past that - I can't ping/communicate with anything on the LAN subnet.  I've done this a few times and it always works so I know I'm missing something real simple here but I can't see it.

    The VPNs connect just fine but I can't get on the LAN of each client from the server and vice versa.

    Server:
    Firewall/WAN Rules:
    [empty], IPv4UDP, <public 1="" ip="" of="" remote="" office="">, *, WAN Address, 1194, *, None, [empty]
    [empty], IPv4UDP, <public 2="" ip="" of="" remote="" office="">, *, WAN Address, 1195, *, None, [empty]
    [empty], IPv4UDP, <public 3="" ip="" of="" remote="" office="">, *, WAN Address, 1196, *, None, [empty]

    Firewall/LAN Rules:
    [empty], IPv4 *, *, *, *, *, [empty]

    Firewall/OpenVPN Rules:
    [empty], IPv4 *, *, *, *, *, [empty]

    Client B, C, D
    Firewall/WAN Rules:
    (rule for remote administration)

    Firewall/LAN Rules:
    [empty], IPv4 *, *, *, *, *, [empty]

    Firewall/OpenVPN Rules:
    [empty], IPv4 *, *, *, *, *, [empty]

    So as you can see the rules are pretty loose at this point.

    Server A:
    LAN: 192.168.1.0/24

    Client B:
    LAN: 192.168.4.0/24
    Tunnel network: 172.16.1.0/30

    Client C:
    LAN: 192.168.8.0/24
    Tunnel network: 172.16.2.0/30

    Client D:
    LAN: 192.168.6.0/24
    Tunnel network: 172.16.3.0/30

    Any ideas?

    thank you.</public></public></public>


  • Netgate

    Are you positive you're not seeing a software firewall (think windows firewall) on the client that thinks the remote networks are just that and not allowing traffic in, resulting in no response?



  • I'll remote in and make sure all the Windows firewalls are stopped.  thanks for the idea.



  • that darn Windows firewall.  Gets me every time!

    Thanks, that was the problem.  After I ran "netsh advfirewall set allprofiles state off" command on a few machines on different subnets, they were able to talk to each other.

    thank you for your suggestion; it was spot on.