    OpenVPN clients can only access some LAN clients

    21 Posts 4 Posters 3.6k Views
    neilsaunders

      Hi all -

      I'm having an OpenVPN issue that's driving me nuts: I've configured OpenVPN and successfully connected with a client (OpenVPN Client DHCP pool = 192.168.9.0/24)

      Once connected I can browse to the pfSense webadmin page on its local LAN address (192.168.1.1), and I can browse to (HTTP) and ping 2 other hosts on the network (192.168.10.10 & 192.168.10.11), but everything else (a range of devices from Linux hosts to printers) on the same small subnet (192.168.10.0/24) appears to be unreachable - though none of these hosts block ICMP, and all of them respond to pings & accept socket connections when connected directly to the network.

      I've not added any firewall rules other than those generated by the OpenVPN wizard - And certainly nothing that would allow access to just these two hosts!?

      Any advice on what to check next would be greatly appreciated - I've reviewed every setting and am at a total loss.

      Thanks,

      Neil

      kejianshi

        1.  Do you have a firewall running on those linux machines?

        2.  Are you using IPs or Names to attempt to access these devices?

        neilsaunders

          Hi kejianshi -

          No firewalls running on any of them, and I'm using IP addresses.

          Connected to VPN:

          neil@ip-172-20-10-2:~$ ping 192.168.10.11
          PING 192.168.10.11 (192.168.10.11): 56 data bytes
          64 bytes from 192.168.10.11: icmp_seq=0 ttl=62 time=69.903 ms
          64 bytes from 192.168.10.11: icmp_seq=1 ttl=62 time=125.728 ms
          64 bytes from 192.168.10.11: icmp_seq=2 ttl=62 time=72.278 ms
          ^C
          --- 192.168.10.11 ping statistics ---
          3 packets transmitted, 3 packets received, 0.0% packet loss
          round-trip min/avg/max/stddev = 69.903/89.303/125.728/25.775 ms

          neil@ip-172-20-10-2:~$ ping 192.168.10.12
          PING 192.168.10.12 (192.168.10.12): 56 data bytes
          Request timeout for icmp_seq 0
          Request timeout for icmp_seq 1
          ^C

          Disconnected from VPN, on ethernet on the network:
          neil@ip-172-20-10-2:~$ ping 192.168.10.12
          PING 192.168.10.12 (192.168.10.12): 56 data bytes
          64 bytes from 192.168.10.12: icmp_seq=0 ttl=64 time=1.110 ms
          64 bytes from 192.168.10.12: icmp_seq=1 ttl=64 time=0.592 ms
          64 bytes from 192.168.10.12: icmp_seq=2 ttl=64 time=0.695 ms

          Thanks,

          Neil

          kejianshi

            Need to see your lan tab firewall rules, openvpn tab firewall rules.
            Also, the VPN server setup page.

            And - shot in the dark…  What network are you on when you are testing the VPN?  And what's the IP address there?

            neilsaunders

              Screenshots attached - Thanks again.

              ![Screen Shot 2015-03-12 at 18.36.55.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.36.55.png)
              ![Screen Shot 2015-03-12 at 18.37.28.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.37.28.png)
              ![Screen Shot 2015-03-12 at 18.37.33.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.37.33.png)

              kejianshi

                And where are you testing the openvpn client from?  What sort of internet and what IP?

                neilsaunders

                  When testing I'm connected via my phone - All other network devices (Ethernet/Wifi) turned off.

                  ![Screen Shot 2015-03-12 at 18.40.49.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.40.49.png)
                  ![Screen Shot 2015-03-12 at 18.41.03.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.41.03.png)
                  ![Screen Shot 2015-03-12 at 18.41.10.png](/public/imported_attachments/1/Screen Shot 2015-03-12 at 18.41.10.png)

                  kejianshi

                    My initial thought is that it's some sort of problem with the scope of the addresses your client device (phone) is using.

                    No chance you can try it from some other network?

                    (BTW - 192.168.10.0/24 is the same default setting for a lot of routers - not as bad as 192.168.1.0/24)

                    neilsaunders

                      IP assigned by mobile hotspot: 149.254.181.53

                      Should add that I'm running the latest 2.2-RELEASE (amd64)
                      built on Thu Jan 22 14:03:54 CST 2015
                      FreeBSD 10.1-RELEASE-p4

                      neilsaunders

                        I've tried it both on a mobile 3G hotspot and my home broadband - Both with the same results :/

                        kejianshi

                          I know for sure this problem can be caused if there is a firewall running on the linux servers with a firewall up but an allow 192.168.10.0/24 rule.

                          From the LAN all would work but from openvpn it would not work.

                          Can you take another look at that?

                          neilsaunders

                            Hi kejianshi  -

                            Have double checked and definitely no firewalls running - In fact one of them (192.168.10.14) is a printer that's the most insecure thing on the network - Same ping/TCP socket issues.

                            Ta,

                            Neil

                            kejianshi

                              What's on 192.168.10.0/24 and what's on 192.168.1.0/24?

                              Derelict (Netgate)

                                Do the devices you cannot reach have pfSense set as their default gateway?

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                neilsaunders

                                  The unreachable devices do indeed have 192.168.1.1 set as their default gateway, and their subnet masks are correct at 255.255.0.0 (The same as the reachable devices)

                                  The plot thickens -

                                  I've got another machine on the network (no VPN, connected via ethernet) and ssh'd to one of the "unreachable" machines.
                                  I then connected to the VPN on another machine, and noted its VPN IP (192.168.9.6).
                                  I then ran tcpdump on the "unreachable" machine while telnetting to port 22 from the VPN client.

                                  I can see packets from my VPN Client IP hitting the host, so something is stopping a full TCP handshake from occurring!?

                                  #headscratcher

                                  What next!?

                                  Neil

                                  Derelict (Netgate)

                                    @neilsaunders:

                                    The unreachable devices do indeed have 192.168.1.1 set as their default gateway, and their subnet masks are correct at 255.255.0.0 (The same as the reachable devices)

                                    According to the information in your first post, that should be 255.255.255.0.

                                    phil.davis

                                      Reading this, I am confused by the pfSense LAN IP of 192.168.1.1 (/24 ?) and then all the talk of devices 192.168.10.* (/24 or /16 mentioned?)

                                      Are there 2 LANs (LAN 192.168.1.0/24 and OPT1 192.168.10.0/24) or just a single big LAN 192.168.0.0/16 ?

                                      What is the netmask on each device?

                                      What is the default gateway on each device?

                                      And what tunnel network is used for the OpenVPN?

                                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                      neilsaunders

                                        Hi Phil -

                                        It's one single big LAN, but I've used DHCP to carve up the address space:

                                        192.168.0.0/24 for Network devices (Wifi Access points, configured via DHCP Static mappings)
                                        192.168.9.0/24 for VPN Clients (Configured via OpenVPN)
                                        192.168.10.0/24 for permanent devices (PCs, printers, and linux hosts, configured via DHCP Static mappings)
                                        192.168.100.0/24 for "Transient" clients (Laptops connected over wifi/ethernet)

                                        The default gateway is 192.168.1.1 on all devices.
                                        The netmask is 255.255.0.0 on all devices
                                        The OpenVPN tunnel network 192.168.9.0/24

                                        Thanks again for your help,

                                        Neil

                                        phil.davis

                                          So you really have LAN 192.168.0.0/16 - you have just allocated some pieces of that address space for convenience/convention to particular groups of devices. Personally I would not use such a large (all) of the 192.168 space for a single LAN with not so many devices. Also it will almost always cause a conflict with some local subnet that your OpenVPN clients are in when they "dialup".

                                          I presume you are using OpenVPN "tun" (tunnel) mode here. In that case the tunnel network MUST NOT overlap the LAN network.

                                          For a start, change the tunnel network to some other private address space - e.g. 10.123.45.0/24 (pick a "random" subnet in the "10" space). Then things might start to work.

                                          Then I would move the LAN away from 192.168.0.0/24 and 192.168.1.0/24 - best to move it right away from 192.168 - that will minimise conflict with other device default settings at client ends.

                                          neilsaunders

                                            Hi Phil -

                                            I still don't understand why, but setting the OpenVPN tunnel network to 10.0.8.0/24 did the trick!

                                            Thanks everyone for your help - Much appreciated!

                                            Ta,

                                            Neil

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.