pfsense site to site VPN connected but traffic not passing

tigweld0101

Active Member
Apr 18, 2015
113
35
28
53
I am at a bit of a loss here. I have a pfSense peer-to-peer / site-to-site network going right now. It's showing up on both the client and server side. Minimal traffic received.

Server - UDP
Local: 10.0.10.0/23
Remote: 192.168.1.0/24
Tunnel: 192.168.254/24

Client - UDP
Local: 192.168.1.0/24
Remote: 10.0.10.0/23
Tunnel: 192.168.254/24

So where I'm confused here is why I cannot do ping 10.0.10.1 and see anything on the other end.

Firewall > Rules > OpenVPN has:

Action: Pass
Interface: OpenVPN
TCP/IP Version: IPv4
Protocol: any
Source and Destination both are set to any.

I have the same setup on both sides of the network. Any idea why this is not working? It did authenticate, so that isn't the issue. This is the last bit I'd need before I'd be ready to colo it.

TangoWhiskey9

Active Member
Jun 28, 2013
402
59
28
Quoting: "Make sure you remove all FW rules under the "OpenVPN" tab. Set up your FW rules when you create your connections as Interfaces."

I had a similar issue to the OP. I don't understand this though. Don't you do OpenVPN then IPv4 pass all?

tigweld0101
Quoting: "You configure your rules on the connection interface, not on the "OpenVPN" interface. You add the interface via Interfaces->(assign), then click "add interface"."

On the local machine I added OPT1, then did a firewall rule to pass all. Still cannot ping to the remote net.
[Attachments: OPT1 interface.JPG, OPT1 interface pass rule.JPG]

BThunderW

Active Member
Jul 8, 2013
237
25
28
Canada, eh?
www.copyerror.com
Do it on both sides. Are you using Diagnostics->Ping to check the connectivity? Look at your Routes on both sides to make sure that the packets are properly sent via the VPN connection. Also remember that packets need a return route, so the remote network needs to know how to route 192.168.1.0.

From Diagnostics->Ping you should be able to ping the remote tunnel IP.

tigweld0101
Quoting BThunderW: "Do it on both sides. Are you using Diagnostics->Ping to check the connectivity? Look at your Routes on both sides to make sure that the packets are properly sent via the VPN connection. Also remember that packets need a return route, so the remote network needs to know how to route 192.168.1.0. From Diagnostics->Ping you should be able to ping the remote tunnel IP."

Still nothing... I saw your thread here: "2 pfSense + Site to Site VPN + NAT".

Why is this so hard!!

BThunderW
Old thread. NAT is not required, as long as the gateways are configured properly. Look at Diagnostics->Routes and make sure all your gateways are properly defined. One thing I did notice with pfSense is that if you mess a lot with the OpenVPN config, the stack gets corrupted and sometimes requires a reboot of the FWs.

tigweld0101
OK, rebooted and nothing. I cannot even ping 10.0.10.1.

Did you have a good step-by-step w/ pics? I want to just redo it now. But it doesn't seem like there's a good guide for 2.1 and newer.

tigweld0101
Progress! I still think I want to re-do it, but now I can ping 10.0.10.1 from the client pfSense. Status -> Ping tool!

Clients are not getting it though.

tigweld0101
Quoting: "Can you post pics of your Diagnostics->Routes output on both sides? You can blank out any public IPs."

You just got like trained! So I was blanking out my public IPs and I saw that one of my other OpenVPN attempts on the local box had three routes, but my new one only had one. I disabled the other ones (one I use for client-specific remote access, so I still need to figure that out...) and site-to-site worked!

BThunderW
I'll skip the details of creating the actual OpenVPN connections. But typically you want
* Peer to Peer (SSL/TLS)
* UDP
* TUN

Server (remote)
IPv4 Tunnel Network - a range of IPs not used anywhere else; I typically use the 172.16 range for this
IPv4 Local Network - the LAN range you want to connect to
Leave the rest empty.
In "Advanced" specify the IP ranges that the CLIENT is using:
[screenshot]

Client (local)
IPv4 Tunnel Network (same as server)
Leave the rest empty
Advanced: the IP ranges the SERVER is handling
[screenshot]

Once the connections are established, on each side go to Interfaces->(assign) and add the interface.
Configure the interfaces:

Server:
[screenshot]

Client:
IPv4 Address - an IP from the remote range
Gateway (the remote gateway; you might have to add it manually)
[screenshot]

Next go to Firewall->Rules.
Leave the OpenVPN rules empty on both sides.
[screenshot]

For each side's interface, allow ALL IPv4 (for now).
[screenshot]

And that's it. It should work. If you're still having issues, verify that the remote IP ranges and gateway show up in Diagnostics->Routes.

Server:
[screenshot]

Client:
[screenshot]
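The thread keeps coming back to one check: does each side's routing table actually carry a route to the other side's LAN via the OpenVPN tun interface, and is the tunnel network itself routed (BThunderW's "look at Diagnostics->Routes" advice, and the missing routes tigweld0101 eventually found when another OpenVPN instance was interfering). The following POSIX shell script is an added example, not code from the thread or from pfSense; it parses the output of `netstat -rn -f inet` as it appears on a pfSense (FreeBSD) box and reports whether a given subnet is routed out an OpenVPN interface. The routing table embedded below is constructed for the thread's server-side addressing; the interface names (ovpns1, em0, em1), the 203.0.113.1 default gateway, and the assumption that pfSense names OpenVPN interfaces ovpnsN/ovpncN are mine, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a remote site's subnet is
# routed through the OpenVPN tun interface on a pfSense box. Feed it the output
# of `netstat -rn -f inet` (Diagnostics > Command Prompt, or SSH).
# Assumptions: pfSense names OpenVPN interfaces ovpnsN (server) / ovpncN
# (client); the interface names, the 203.0.113.1 gateway and the table below
# are constructed for illustration.

# Constructed routing table for the "server" side of the thread's setup:
# LAN 10.0.10.0/23, tunnel 192.168.254.0/24, remote LAN 192.168.1.0/24.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.10.0/23       link#2             U           em1
10.0.10.1          link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     192.168.254.2      UGS      ovpns1
192.168.254.0/24   link#4             U        ovpns1
192.168.254.1      link#4             UHS         lo0'

# route_field TABLE DEST COLUMN: print the named column (Gateway, Netif, ...)
# of the row whose Destination matches DEST exactly. Column positions are read
# from the header line, so the Refs/Use columns of older FreeBSD releases do
# not break it. Prints nothing if there is no matching route.
route_field() {
    printf '%s\n' "$1" | awk -v dst="$2" -v want="$3" '
        $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == want) col = i; next }
        col && $1 == dst    { print $col; exit }'
}

# route_via_vpn TABLE DEST: succeed (exit 0) if DEST is routed out an ovpn*
# interface; fail otherwise (no route at all, or a route via a physical NIC).
route_via_vpn() {
    case "$(route_field "$1" "$2" Netif)" in
        ovpn*) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_site TABLE REMOTE_NET TUNNEL_NET: one verdict line per check, covering
# what the thread ended up looking at: a route to the remote LAN over the
# tunnel, and the tunnel network itself being present.
check_site() {
    table=$1
    remote=$2
    tunnel=$3
    if route_via_vpn "$table" "$remote"; then
        echo "OK      $remote via $(route_field "$table" "$remote" Netif)" \
             "gw $(route_field "$table" "$remote" Gateway)"
    else
        echo "MISSING $remote is not routed via an OpenVPN interface" \
             "(Netif: '$(route_field "$table" "$remote" Netif)')"
    fi
    if route_via_vpn "$table" "$tunnel"; then
        echo "OK      tunnel $tunnel via $(route_field "$table" "$tunnel" Netif)"
    else
        echo "MISSING tunnel $tunnel has no route (is the OpenVPN instance up?)"
    fi
}

# Usage with the constructed table. On a real box replace SAMPLE_ROUTES with
# "$(netstat -rn -f inet)" and run it on BOTH sides with the subnets swapped,
# because the return path needs its own route.
check_site "$SAMPLE_ROUTES" 192.168.1.0/24 192.168.254.0/24
```

Run it on the server side with the client's LAN as REMOTE_NET, then on the client side with the server's LAN; a MISSING line on either side means traffic will be dropped or sent out the default gateway before the firewall rules are ever consulted, which is exactly why "pass all" rules on the OpenVPN tab changed nothing here. If the remote LAN shows a Netif that belongs to a different OpenVPN instance than the one you expect, that is the conflicting-route situation tigweld0101 hit.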