I had a similar problem where pfSense wouldn't route packets to the remote LAN over the tunnel (it was due to a gateway issue; it wasn't using the default routes). I think someone mentioned a similar issue. Maybe it would be worth trying to add an additional gateway (10.100.8.1 or .2 depending on which side), then add a FW rule on the LAN interface specifying that it use that gateway for the traffic.
On Thu, Dec 20, 2012 at 8:28 AM, Cristian Del Carlo <cristian.delca...@gmail.com> wrote:
> In LAN and OpenVPN I have only one rule that passes everything.
>
> This problem makes me crazy....
>
> 2012/12/20 WolfSec-Support <supp...@wolfsec.ch>:
> > can you open also all traffic lan > internet / remove other blocking rules, and try again
> >
> > routing table was fine on your post.
> >
> > brgds
> >
> > stephan
> >
> > 2012/12/20 Cristian Del Carlo <cristian.delca...@gmail.com>
> >>
> >> 100% sure, the 2 boxes are the gateways of the two LANs.
> >>
> >> If from a client in LAN I do:
> >> # ping 192.168.8.10 (a client in the other network)
> >>
> >> I see the packets on the LAN interface of the pfSense but the packets are not routed into the VPN tunnel.
> >>
> >> If I do:
> >>
> >> tcpdump -i em1 (LAN of pfSense)
> >>
> >> I see the packets.
> >>
> >> If I do:
> >>
> >> tcpdump -i ovpnc2
> >>
> >> I don't see anything.
> >>
> >> Thanks for your help.
> >>
> >> 2012/12/20 WolfSec-Support <supp...@wolfsec.ch>:
> >> > again:
> >> > make 100% sure gateway information is correct on clients
> >> >
> >> > and:
> >> > check arp cache if client is seen after your try/ping
> >> >
> >> > so we can make sure the problem is only in your box(es)
> >> >
> >> > rgds
> >> > stephan
> >> >
> >> > 2012/12/20 Cristian Del Carlo <cristian.delca...@gmail.com>
> >> >>
> >> >> Another piece of information.
> >> >>
> >> >> If from a client in LAN I do:
> >> >> # ping 192.168.8.10 (a client in the other network)
> >> >>
> >> >> And in pfSense (OpenVPN client):
> >> >> tcpdump -i ovpnc2
> >> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> >> >> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
> >> >> 0 packets captured
> >> >> 0 packets received by filter
> >> >> 0 packets dropped by kernel
> >> >>
> >> >> I can't see any packet. It is like the packets are not routed into the tunnel.
> >> >> But I don't know why and how to fix the problem.
> >> >>
> >> >> If I use the command:
> >> >> tcpdump -i pflog0 icmp
> >> >> tcpdump: WARNING: pflog0: no IPv4 address assigned
> >> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> >> >> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> >> >> 0 packets captured
> >> >>
> >> >> I can't see any packets blocked by the firewall.
> >> >>
> >> >> Thanks for your help.
> >> >>
> >> >> 2012/12/20 Cristian Del Carlo <cristian.delca...@gmail.com>:
> >> >> > Hi, I tried this configuration but I have the same problem; I am very confused.
> >> >> >
> >> >> > This is my network:
> >> >> >
> >> >> > lan1 192.168.9.0 <---> pfsense1 (client openvpn) <--> pfsense2 (server openvpn) <--> lan2 192.168.8.0
> >> >> >
> >> >> > These are now, with certificates, my configuration files:
> >> >> >
> >> >> > Pfsense server:
> >> >> >
> >> >> > /var/etc/openvpn/server1.conf
> >> >> >
> >> >> > dev ovpns1
> >> >> > dev-type tun
> >> >> > dev-node /dev/tun1
> >> >> > writepid /var/run/openvpn_server1.pid
> >> >> > #user nobody
> >> >> > #group nobody
> >> >> > script-security 3
> >> >> > daemon
> >> >> > keepalive 10 60
> >> >> > ping-timer-rem
> >> >> > persist-tun
> >> >> > persist-key
> >> >> > proto udp
> >> >> > cipher AES-128-CBC
> >> >> > up /usr/local/sbin/ovpn-linkup
> >> >> > down /usr/local/sbin/ovpn-linkdown
> >> >> > local X.X.X.X
> >> >> > tls-server
> >> >> > ifconfig 10.0.8.1 10.0.8.2
> >> >> > tls-verify /var/etc/openvpn/server1.tls-verify.php
> >> >> > lport 1195
> >> >> > management /var/etc/openvpn/server1.sock unix
> >> >> > ca /var/etc/openvpn/server1.ca
> >> >> > cert /var/etc/openvpn/server1.cert
> >> >> > key /var/etc/openvpn/server1.key
> >> >> > dh /etc/dh-parameters.1024
> >> >> > comp-lzo
> >> >> > route 192.168.9.0 255.255.255.0
> >> >> > push "route 192.168.8.0 255.255.255.0"
> >> >> >
> >> >> > /var/etc/openvpn-csc/fw-target
> >> >> >
> >> >> > iroute 192.168.9.0 255.255.255.0
> >> >> >
> >> >> > Pfsense client:
> >> >> >
> >> >> > /var/etc/openvpn/client2.conf
> >> >> >
> >> >> > dev ovpnc2
> >> >> > dev-type tun
> >> >> > dev-node /dev/tun2
> >> >> > writepid /var/run/openvpn_client2.pid
> >> >> > #user nobody
> >> >> > #group nobody
> >> >> > script-security 3
> >> >> > daemon
> >> >> > keepalive 10 60
> >> >> > ping-timer-rem
> >> >> > persist-tun
> >> >> > persist-key
> >> >> > proto udp
> >> >> > cipher AES-128-CBC
> >> >> > up /usr/local/sbin/ovpn-linkup
> >> >> > down /usr/local/sbin/ovpn-linkdown
> >> >> > local X.X.X.X
> >> >> > tls-client
> >> >> > client
> >> >> > lport 0
> >> >> > management /var/etc/openvpn/client2.sock unix
> >> >> > remote X.X.X.X 1195
> >> >> > ifconfig 10.0.8.2 10.0.8.1
> >> >> > route 192.168.8.0 255.255.255.0
> >> >> > ca /var/etc/openvpn/client2.ca
> >> >> > cert /var/etc/openvpn/client2.cert
> >> >> > key /var/etc/openvpn/client2.key
> >> >> > comp-lzo
> >> >> >
> >> >> > Thanks for your help.
> >> >> >
> >> >> > 2012/12/19 bruno.deb...@cyberoso.com <bruno.deb...@cyberoso.com>:
> >> >> >> Ok, then no firewall rules forcing gateway, so let's try something else.
> >> >> >>
> >> >> >> Did you configure iroute?
> >> >> >>
> >> >> >> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
> >> >> >> Read: Including multiple machines on the client side when using a routed VPN
> >> >> >>
> >> >> >> It might work :-p
> >> >> >>
> >> >> >> On Wed, 19 Dec 2012 15:19:25 +0100,
> >> >> >> Cristian Del Carlo <cristian.delca...@gmail.com> wrote:
> >> >> >>
> >> >> >>> Hi,
> >> >> >>>
> >> >> >>> Thanks for your help.
> >> >> >>>
> >> >> >>> Even in LAN I have:
> >> >> >>> My firewall rules are, in both pfSense:
> >> >> >>> Action: Pass
> >> >> >>> Interface: LAN
> >> >> >>> Protocol: Any
> >> >> >>> Source: Any
> >> >> >>> Destination: Any
> >> >> >>>
> >> >> >>> If I ping the tunnel from a client it seems ok:
> >> >> >>>
> >> >> >>> ping 10.0.8.1 --> OK
> >> >> >>> ping 10.8.8.2 --> OK
> >> >> >>> ping 192.168.8.X --> 100% packet loss
> >> >> >>>
> >> >> >>> Thanks.
> >> >> >>>
> >> >> >>> 2012/12/19 WolfSec-Support <supp...@wolfsec.ch>:
> >> >> >>> > may there are any fw rules there in LAN interface with similar IP's/networks?
> >> >> >>> > some used this under 1.2.x and after upgrading to 2.x this caused issues.
> >> >> >>> >
> >> >> >>> > onto routing:
> >> >> >>> >
> >> >> >>> > looks good
> >> >> >>> >
> >> >> >>> > here a similar setup of mine / 1 side:
> >> >> >>> >
> >> >> >>> > 192.168.253.13    link#13         UH    0  0           1500   ovpnc1
> >> >> >>> > 192.168.253.14    link#13         UHS   0  0           16384  lo0
> >> >> >>> > 192.168.0.0/16    192.168.253.13  UGS   0  4151616     1500   ovpnc1
> >> >> >>> > 192.168.242.0/24  link#1          U     0  1191195015  1500   vr0
> >> >> >>> >
> >> >> >>> > rgds
> >> >> >>> > stephan
> >> >> >>> >
> >> >> >>> > 2012/12/19 Cristian Del Carlo <cristian.delca...@gmail.com>
> >> >> >>> >>
> >> >> >>> >> Hi,
> >> >> >>> >>
> >> >> >>> >> thanks for your help.
> >> >> >>> >>
> >> >> >>> >> My firewall rules are, in both pfSense:
> >> >> >>> >> Action: Pass
> >> >> >>> >> Interface: OpenVPN
> >> >> >>> >> Protocol: Any
> >> >> >>> >> Source: Any
> >> >> >>> >> Destination: Any
> >> >> >>> >>
> >> >> >>> >> These are my routes from the firewalls (without public IP):
> >> >> >>> >>
> >> >> >>> >> pfsense 1 - client:
> >> >> >>> >> 10.0.8.1        link#10   UH   0  15        ovpnc2
> >> >> >>> >> 10.0.8.2        link#10   UHS  0  0         lo0
> >> >> >>> >> 192.168.8.0/24  10.0.8.1  UGS  0  45        ovpnc2
> >> >> >>> >> 192.168.9.0/24  link#2    U    0  37598040  em1
> >> >> >>> >>
> >> >> >>> >> pfsense 2 - server:
> >> >> >>> >> 10.0.8.1        link#9    UHS  0  0         lo0
> >> >> >>> >> 10.0.8.2        link#9    UH   0  72        ovpns1
> >> >> >>> >> 192.168.8.0/24  link#2    U    0  229122    em1
> >> >> >>> >> 192.168.8.1     link#2    UHS  0  0         lo0
> >> >> >>> >> 192.168.9.0/24  10.0.8.2  UGS  0  1         ovpns1
> >> >> >>> >>
> >> >> >>> >> Could it be a routing problem?
> >> >> >>> >>
> >> >> >>> >> 2012/12/19 WolfSec-Support <supp...@wolfsec.ch>:
> >> >> >>> >> > Hi,
> >> >> >>> >> >
> >> >> >>> >> > do you have special rules in VPN tunnel?
> >> >> >>> >> > make sure to open OpenVPN ruleset as necessary
> >> >> >>> >> >
> >> >> >>> >> > this is "new" in 2.x; 1.2.x had no rules in OpenVPN tunnels
> >> >> >>> >> >
> >> >> >>> >> > but per default normally tunnel is open any<>any
> >> >> >>> >> >
> >> >> >>> >> > br
> >> >> >>> >> > stephan
> >> >> >>> >> >
> >> >> >>> >> > _______________________________________________
> >> >> >>> >> > List mailing list
> >> >> >>> >> > List@lists.pfsense.org
> >> >> >>> >> > http://lists.pfsense.org/mailman/listinfo/list
> >> >> >>> >>
> >> >> >>> >> --
> >> >> >>> >> --------------------------------------------------------
> >> >> >>> >>
> >> >> >>> >> Cristian Del Carlo
> >> >> >>> >>
> >> >> >>> >> The text and any attached documents contain information reserved
> >> >> >>> >> for the indicated recipient. This e-mail is confidential and its
> >> >> >>> >> confidentiality is legally protected by Legislative Decree 196 of
> >> >> >>> >> 30/06/2003 (Personal Data Protection Code). Reading, copying or
> >> >> >>> >> other unauthorized use, or any other action arising from knowledge
> >> >> >>> >> of this information, is strictly forbidden. If you have received
> >> >> >>> >> this document in error you are kindly asked to notify the sender
> >> >> >>> >> immediately and to destroy it immediately.
> >> >> >>> >>
> >> >> >>> >> --------------------------------------------------------
> >> >> >>> >
> >> >> >>> > --
> >> >> >>> >
> >> >> >>> > Stephan Wolf
> >> >> >>> >
> >> >> >>> > WolfSec
> >> >> >>> > Rairing 65
> >> >> >>> > CH-8108 Dällikon
> >> >> >>> >
> >> >> >>> > +41 43 536 1191
> >> >> >>> > +41 76 566 8222
> >> >> >>> > http://www.wolfsec.ch
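As an added example (not code from the thread, pfSense or OpenVPN), a small Python checker for the directives that decide whether a routed site-to-site OpenVPN tunnel can carry LAN-to-LAN traffic: the server's `route` (and, in server mode, `iroute` via `client-config-dir`) for the client LAN, and the client's route to the server LAN, local or pushed. The embedded sample is constructed from the routing-relevant lines of the configs posted above; LAN and tunnel addresses are the thread's.

```python
import shlex

# Constructed sample: only the routing-relevant directives from the posted configs.
SERVER_CONF = """tls-server
ifconfig 10.0.8.1 10.0.8.2
route 192.168.9.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0"
"""
CCD_CONF = "iroute 192.168.9.0 255.255.255.0\n"   # /var/etc/openvpn-csc/fw-target
CLIENT_CONF = """tls-client
client
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
"""

def parse_conf(text):
    """Return [(directive, args)]; shlex keeps push "route ..." as one argument."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out

def nets(conf, directive):
    """'network mask' strings handed to a directive such as route or iroute."""
    return {" ".join(a[:2]) for d, a in conf if d == directive}

def pushed_routes(conf):
    """Networks the server pushes to the client with push "route net mask"."""
    return {" ".join(a[0].split()[1:3]) for d, a in conf
            if d == "push" and a and a[0].startswith("route ")}

def check_site_to_site(server, ccd, client, server_lan, client_lan):
    """Findings for a routed site-to-site tunnel; an empty list means consistent."""
    s, cc, c = parse_conf(server), parse_conf(ccd), parse_conf(client)
    # iroute / client-config-dir are server-mode features; a tls-server + ifconfig
    # tunnel without 'server' or 'mode server' is point-to-point and relies on the
    # kernel route alone, so an iroute in a ccd file is never read there.
    server_mode = any(d == "server" or (d == "mode" and a == ["server"]) for d, a in s)
    checks = [
        (client_lan in nets(s, "route"), "server: missing 'route %s'" % client_lan),
        (not server_mode or client_lan in nets(cc, "iroute"), "ccd: missing 'iroute %s'" % client_lan),
        (not server_mode or any(d == "client-config-dir" for d, _ in s), "server: no 'client-config-dir'"),
        (server_mode or not nets(cc, "iroute"), "server: p2p mode (no 'server'/'mode server'), ccd iroute unused"),
        (server_lan in nets(c, "route") | pushed_routes(s), "client: no route to %s" % server_lan),
    ]
    return [msg for ok, msg in checks if not ok]

def check_thread_configs():
    """The posted configs, checked for lan1 192.168.9.0 (client) and lan2 192.168.8.0 (server)."""
    return check_site_to_site(SERVER_CONF, CCD_CONF, CLIENT_CONF,
                              "192.168.8.0 255.255.255.0", "192.168.9.0 255.255.255.0")
```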