Unable to ping from OpenVPN endpoint to LAN network
-
Hello ianc1215, I'm also stuck with the OpenVPN connected but unable to ping any hosts or gateways. You wrote:
I found out what I was doing wrong with the firewall. There was no explicit allow all, so if it did not match it blocked it.
Could you specify more precisely for which interface you created this rule? I checked my routing on the host already and it should work.
Kind regards, MisterIX.
-
Disable the goddamn Windows "firewall" before testing.
Sigh… I disabled the Windows firewall and it worked. I have never had trouble with it in the past; I wonder why now.
Anyhow, thanks everyone for the help.
-
Because the crappy thing blocks ping from anything but the subnet it's currently on by default… A source of immense waste of time.
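For anyone landing here later: rather than switching the Windows firewall off to confirm the diagnosis, you can allow ICMPv4 echo requests only from the VPN subnet and then compare that scope with the built-in echo rule. This is an added example, not something posted in the thread; the tunnel subnet 10.8.0.0/24 and the rule name are placeholders, and the built-in rule name is the one Windows ships with.

```powershell
# Added example (not from the thread). Scope an inbound ICMPv4 echo allow rule to the
# OpenVPN tunnel subnet instead of disabling the whole firewall for testing.
# ASSUMPTION: the OpenVPN tunnel network is 10.8.0.0/24 (placeholder; substitute yours).
$VpnSubnet = '10.8.0.0/24'
$RuleName  = 'Allow ICMPv4 Echo Request from OpenVPN subnet'   # placeholder name

# Create the rule only once (idempotent re-runs while troubleshooting).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $VpnSubnet `
        -Profile Any `
        -Action Allow `
        -Enabled True | Out-Null
}

# Check that the new rule's remote scope is exactly the tunnel subnet, not "Any".
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Show which profile the host is currently on and the remote scope of the built-in
# echo-request rule; on Private/Public that scope is typically LocalSubnet, which is
# why pings arriving from a different VPN subnet are dropped when nothing else allows them.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it in an elevated PowerShell session on the LAN host you are trying to reach. If the `RemoteAddress` of the built-in rule reads `LocalSubnet` and the host is on the Private or Public profile, that alone explains the symptom; the scoped rule above fixes it without exposing the host to echo requests from anywhere else.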
-
> Hello ianc1215, I'm also stuck with the OpenVPN connected but unable to ping any hosts or gateways. You wrote:
> I found out what I was doing wrong with the firewall. There was no explicit allow all, so if it did not match it blocked it.
> Could you specify more precisely for which interface you created this rule? I checked my routing on the host already and it should work.
> Kind regards, MisterIX.
I needed to make allow all rules on both the OpenVPN and LAN interfaces. The way that the firewall works is to block all traffic that does not match. Once you run out of rules, any remaining traffic gets kicked to the curb. However, once all of your traffic has gone through the block rules you set up, there is generally a rule at the end that allows all traffic that made it that far to go on through. I was missing that; once I added it, the firewall was no longer getting in the way.
-
Except that's not how it works.
In general, once traffic is allowed into an interface it is allowed out without specific rules on the outbound interface.
This is the case unless you have specified floating rules on an interface with a direction of any or out.
-
I was referring to new connections, not existing connections. Yes, if a connection is allowed in then generally it's allowed out unless a rule prevents it. The way I have always understood it is that new connections work on a first match basis; if it does not match, then it does not go through. The reason you have the allow any at the end of a firewall statement is to allow anything that did not get blocked prior. I have very little experience with pf, but I imagine most firewalls share common logic.
-
Thank you very much for your answers. I have to open a new post though, as my Windows firewall is turned off (details in the new post), the VPN connection seems stable, the allow all rule is set under OpenVPN, but I cannot ping or otherwise reach a client in my target network.
Best regards, Mister IX.