RDP works across OVPN but can't Ping!
Thanks in advance for your help…
I have an OpenVPN server running on pfSense. All the IPs below are /24. The router is running inside my private network, in this manner:
Internet Gateway (192.168.1.1)
External Host (192.168.1.122)
pfSense WAN (192.168.1.50)
pfSense VPN (192.168.29.1)
pfSense LAN (192.168.30.1)
Internal Host (192.168.30.101)
I can ping the Internet Gateway from the Internal Host across the pfSense box as well as reach the internet.
From the external host, I can connect to the OpenVPN server on 192.168.29.1. The external host is assigned the IP 192.168.29.6 and I can establish an RDP session to the internal host on the LAN. Great!
Once connected to the OVPN session, I can successfully ping both the OVPN server Virtual IP at 192.168.29.1 and the LAN interface at 192.168.30.1 from the external host, and vice versa from the internal host, e.g.:
10:57:23.041480 IP 192.168.30.101 > 192.168.29.1: ICMP echo request, id 1, seq 23, length 40
10:57:23.041487 IP 192.168.29.1 > 192.168.30.101: ICMP echo reply, id 1, seq 23, length 40
However, I cannot ping from the external host (assigned IP 192.168.29.6) to the internal host 192.168.30.101, or vice versa, across the VPN! Yet the RDP session is working normally! i.e.:
10:57:25.636928 IP 192.168.29.6.50351 > 192.168.30.101.3389: tcp 37
10:57:25.637726 IP 192.168.30.101.3389 > 192.168.29.6.50351: tcp 69
10:57:25.650870 IP 192.168.30.101 > 192.168.29.6: ICMP echo request, id 1, seq 24, length 40
(no ICMP reply)
Where am I falling over here? I think this should be something so simple but I just can't see it... Why does RDP work when ICMP falls over?
All the automatic NAT and firewall rules are present from the original OpenVPN configuration.
Thank you so much for your help!
OMG, stupid Windows Firewall!!! Never mind, I'm sorry for the post. Hopefully someone else will gain some benefit from this HUGE oversight.
However, I found that troubleshooting with pfSense was great using the pfInfo page. Watching the ICMP packets counted moving in and out of each interface proved to me that the packets were indeed passed into the LAN network but never left.
To rectify this, I added a rule to Windows Firewall allowing all inbound connections from 192.168.29.0/24 on the internal host, and a similar one on the external host.
Correct. Windows by default will deny ICMP echo requests from IPs outside of its LAN subnet. You have to add an explicit rule to allow it. It's usually one of the first things I have people disable while troubleshooting.
Create an allow-all policy for troubleshooting purposes. If ping works, create a policy which defines IPv4 ICMP to the destination server.
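The fix described in the follow-up post and the last reply, as an added example that is not part of the original thread: rather than allowing all inbound traffic from the tunnel subnet, this scopes the Windows Firewall rule to ICMPv4 echo requests from 192.168.29.0/24 and then verifies the scope. The rule display name is an assumption; the subnet comes from the thread. Run it in an elevated PowerShell on the internal host.

```powershell
# Added example, not from the thread: allow only ICMPv4 echo requests
# from the OpenVPN tunnel subnet instead of opening all inbound traffic.
$VpnSubnet = '192.168.29.0/24'                          # from the thread
$RuleName  = 'Allow ICMPv4 Echo from OpenVPN subnet'   # assumed name

# Remove a stale copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# ICMPv4 type 8 = echo request. Replies to this host's own pings are
# already permitted as established traffic, so only inbound requests
# from the VPN subnet need an explicit rule.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound `
    -Protocol ICMPv4 `
    -IcmpType 8 `
    -RemoteAddress $VpnSubnet `
    -Action Allow `
    -Profile Any | Out-Null

# Verify the remote scope is the tunnel subnet, not 'Any'.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# The built-in echo-request rules are scoped to LocalSubnet by default,
# which is why pings from the 192.168.29.0/24 tunnel were dropped.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Apply the same rule on the external (VPN client) host with the LAN subnet 192.168.30.0/24 as the remote address if pings in the other direction also need to work.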