OpenVPN site-to-site TAP

Guest

hello,
I created a site-to-site tunnel with openvpn TAP mode betwin 2 pfsense appliances ( the server v2.2 - 192 168 166 254 and the client v2.1.5 - 192 168 166 253). The tunnel up properly, the firewall ping each other , but the traffic between my sites does not work .

Can anyone help me ??

Pitchoun511

nobody can help me ??

doktornotor

Post the ifconfig output for the relevant ovpn interface.

@Pitchoun511:

nobody can help me ??

Dude, bumping threads b/c noone replied in whopping 3 hours?!  ::)

Pitchoun511

Excuse me, but completely cut off from my VPN with 30 rabid users … I was really freaked out ...

Pitchoun511

Well, now that I have resolved the problem on my vpn…
On my site A, there are 3 PCs ( 192.168.166.189 - 191/24 ) and a firewall ( 192.168.166.253 )
On my site B, there are 3 PCs ( 192.168.166.200 - 202/24 ) and a firewall ( 192.168.166.254 ) .

I set up a VPN with OpenVPN using the TAP method between the two sites.
The firewall A ping the firewall B, but the traffic from one PC to another on both site doesn't work. In my firewall log nothing is blocked, the ARP table information is correct on eatch side, but no traffic between the two sites ...

is the /24 can be the cause of my problem ?

doktornotor

Using same LAN subnets on both sites? Time to start from scratch.

Pitchoun511

Please excuse my ignorance, but I followed the topic https://forum.pfsense.org/index.php?topic=38605.0 and he doesn't speak to create subnets

marvosa

What are you doing that you need a bridged setup?  Post the config from both sides.  Post the firewall rules from the LAN, Openvpn and the Bridged interface tabs on both sides.

Pitchoun511

Hi, I'm back from holidays, so I am back in my research.
I need a bridge, because historically , I have two sides on the same IP range and I don't want to reconfigure all my clients. I attached a screenshot of my conf and firewall.

Thank you for your help.

dotdash

There are some notes in this thread: https://forum.pfsense.org/index.php?topic=84419.msg462943#msg462943

Pitchoun511

I have found nothing that resolve my problem

MLIT

If you are doing this to prevent renumbering your network, maybe you should just do 1 to 1 NAT on both ends.

dotdash

@Pitchoun511:

I have found nothing that resolve my problem

I just went through the procedure in the thread I linked earlier on two 2.2.1 boxes and it worked fine, or rather well enough for me to get in and fix a problem preventing a remote host from routing out correctly. If you are still having problems, I suggest you look over that and then post some specifics of your config.