Site-to-Site VPN cannot Ping



  • Hello
    Attached is the network diagram.

    In my scenario, a PC behind the client VPN router cannot ping a PC behind the VPN server at the other site (the PC at the server side has no gateway, or a different gateway than the VPN server).

    I tried a lot of things with NAT and routes but no luck.

    Pls help me to resolve the following issue.

    See diagram.

    Thanx



  • Very detailed diagram.  :)

    Since some PCs have no GW, you can only resolve this by enabling NAT for VPN at the VPN routers, or by adding a static route to each PC which uses no GW or another GW.



  • Could you pls let me know what NAT I need to add? Or static route. And how.

    I did try many options, but none worked.



  • I've explained it lately in another thread:
    https://forum.pfsense.org/index.php?topic=102704.msg575111#msg575111



  • Thanx for your help.

    I read it at the link you provided.

    There you said:
    "The common way to fix this is to add a route for clients LAN to the server."

    What is this common way? Pls let me know.

    In that same post you suggested adding NAT at the client side since the person did not want to change anything at the server side.
    But in my case I can make changes at the server side, so pls let me know what it should be.
    Also, I want to preserve the source address (the real LAN host addresses).



  • If you do NAT you lose the real source address, because it's replaced by the OpenVPN client or server address. Therefore this method is not recommended.

    However, if you want to resolve it by routing, in your case you have to add a route to each client which doesn't use the VPN server/client as GW.
    This will be more work for you, but that is the solution you are looking for.



  • With NAT, yes, I am having the source address issue.

    With the other solution, you said to add a route to each client manually.
    But as I said, there is one extra router at the server side office. How can it talk to the VPN server and then to the VPN clients?
    Server side clients can be set to use the VPN server as GW, but how can the router point to the VPN server as GW?

    The problem is I am routing all VPN clients' internet traffic via the VPN server, which forwards to another local router.
    (I asked this question in another post which you answered.)

    So with NAT, the VPN client can access the internet which comes from the secondary router at the server side, but then the source address is getting changed and so my policies do not work.
    If I disable NAT and do routing, server side PCs might have no problem with the defined GW, but how can I tell the other router to point at the VPN server?

    Also, under static routes, what should I type in "Destination network" and what should I select as Gateway?



  • Okay, you haven't mentioned before that you want to direct the internet traffic from remote office clients over VPN.

    So you also have to add a route to your head office's WAN gateway to direct packets addressed to the remote office subnet (192.168.17.0/xx) to the VPN router (192.168.2.9).
    At the VPN server you also have to add a route by entering the remote office subnet at "IPv4 Remote Network/s", if you haven't already done so.



  • You said:
    "add also a route to your head office's WAN gateway to direct packets addressed to the remote office subnet (192.168.17.0/xx) to the VPN router (192.168.2.9)"
    So do you mean to add this at the VPN server?
    How do I do this?

    You also said:
    "At the VPN server you also have to add a route by entering the remote office subnet at "IPv4 Remote Network/s", if you haven't already done so."
    I already had that.
    I just went to VPN > OpenVPN, clicked the edit button and verified that the value 192.168.17.0/24 is there under "IPv4 Remote Network/s".
    So it was already there.



  • @sanketgroup:

    You said:
    "add also a route to your head office's WAN gateway to direct packets addressed to the remote office subnet (192.168.17.0/xx) to the VPN router (192.168.2.9)"
    So do you mean to add this at the VPN server?
    How do I do this?

    To your WAN gateway (Router 1)!
    This is for the responses from WAN host addresses to clients behind VPN in the remote office. Since you do not NAT, the responses reach the router. The router has stored the state
    Client address (e.g. 192.168.17.10) <> WAN host address
    So if a response packet arrives, it translates the destination address to 192.168.17.10, for instance.
    Without a route, it does not know where the packet should be sent, because this address does not belong to a subnet assigned to any of its interfaces. Therefore you need that static route at your WAN router to tell it where this packet has to be sent.
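The return-path problem described in this post, as an added illustration that is not part of the thread: a longest-prefix-match lookup over Router 1's routing table shows where a reply to a remote-office client goes with and without the static route, and why a head-office PC with no default gateway cannot reach the remote office at all (the earlier point about PCs without a GW). The head-office LAN 192.168.2.0/24 and the ISP next hop 203.0.113.1 are assumptions; the other addresses are the ones named in the thread.

```python
import ipaddress

REMOTE_LAN = "192.168.17.0/24"   # remote office behind the OpenVPN client (from thread)
VPN_ROUTER = "192.168.2.9"       # OpenVPN server at the head office (from thread)
HEAD_LAN = "192.168.2.0/24"      # assumed head-office LAN containing Router 1
ISP_NEXT_HOP = "203.0.113.1"     # constructed ISP next hop (TEST-NET-3 range)
REMOTE_CLIENT = "192.168.17.10"  # remote-office client named in the post


def next_hop(table, dst):
    """Longest-prefix-match lookup.

    table: list of (prefix, gateway); gateway None means directly connected.
    Returns the gateway address, "connected" for an attached subnet, or None
    when no route (not even a default) covers dst, i.e. the packet is dropped.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        return None
    return "connected" if best_gw is None else best_gw


# Router 1 before the fix: a reply for 192.168.17.10 matches only the default
# route, so it leaves towards the ISP instead of going back over the VPN.
ROUTER1_BEFORE = [(HEAD_LAN, None), ("0.0.0.0/0", ISP_NEXT_HOP)]
# After the static route the more specific /24 wins and the reply is handed
# to the OpenVPN server, which carries it back to the remote office.
ROUTER1_AFTER = ROUTER1_BEFORE + [(REMOTE_LAN, VPN_ROUTER)]

# Head-office PC with no default gateway: only its own subnet is reachable.
PC_NO_GW = [(HEAD_LAN, None)]
# Same PC after adding a per-host static route for the remote office.
PC_WITH_ROUTE = PC_NO_GW + [(REMOTE_LAN, VPN_ROUTER)]


def reply_path(table, client=REMOTE_CLIENT):
    """Where a given table forwards a packet addressed to the remote client."""
    return next_hop(table, client)


if __name__ == "__main__":
    for name, table in [("Router 1 before", ROUTER1_BEFORE), ("Router 1 after", ROUTER1_AFTER),
                        ("PC without GW", PC_NO_GW), ("PC with static route", PC_WITH_ROUTE)]:
        print(f"{name:22s} -> {REMOTE_CLIENT}: {reply_path(table)}")
```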



  • OK, it seems I solved this.
    One thing I am not able to do:

    As I said above, at the client side I want to route all internet traffic to the server side.
    I found many ways to do this but got confused and it does not work as I want.

    Some suggested adding NAT at the client side, but this changes the source address when it reaches the server side internet gateway.
    So I do not want to change the source and do not want NAT.
    Then how would I forward all internet traffic from the VPN client to the server?

    Pls let me know

    thanx



  • At the client side

    • Assign an interface to your OpenVPN client
      Interfaces > (assign)
      At "Available network port" select the OpenVPN client (e.g. ovpnc1) and hit the +.
      A new interface appears in the list; click it, check "Enable interface", enter an appropriate description, click Save and apply changes.

    • Add a gateway for the OpenVPN client
      System > Routing
      Click the upper +, select the OpenVPN interface you have assigned, enter a name, save it and apply changes.

    • Add a firewall rule to direct the traffic over the VPN gateway
      If you have no other interfaces than LAN you can adapt your default any-to-any rule for LAN.
      Ensure you have the "Anti-lockout rule" at the LAN tab.
      Edit the default any-to-any rule, go down to Gateway, click Advanced and select the new OpenVPN gateway. Save it and apply changes.



  • Perfect, and all solved as I wanted.
    Really appreciate your help viragomann.

    Once again thanx…..

