Pfsense 2.1 OpenVPN can't reach servers on the LAN

Posted by Lucas Kauffman on Server Fault
Published on 2013-10-29T08:22:29Z


I have a small network set up like this:

[network diagram image not reproduced]

I have a Pfsense for connecting my servers to the WAN, they are using NAT from the LAN -> WAN.

I have an OpenVPN server using TAP to allow remote workers to be put on the same LAN network as the servers.

  • They connect through the WAN IP to the OVPN interface.
  • The LAN interface also serves as the gateway for the servers to get internet connection and has an IP of 10.25.255.254
  • The OVPN Interface and the LAN interface are bridged in BR0
  • Server A has an IP of 10.25.255.1 and is able to connect to the internet
  • Client A is connecting through the VPN and is assigned an IP address on its TAP interface of 10.25.24.1 (I reserved a /24 within the 10.25.0.0/16 for VPN clients)
  • Firewall currently allows any-any connection OVPN towards LAN and vice versa

Currently when I connect, all routes seem fine on the client side:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
300.300.300.300 0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.25.0.0       10.25.255.254   255.255.0.0     UG    0      0        0 tap0
10.25.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tap0
0.0.0.0         300.300.300.300 0.0.0.0         UG    0      0        0 eth0

I can ping the LAN interface:

root@server:# ping 10.25.255.254

PING 10.25.255.254 (10.25.255.254) 56(84) bytes of data.
64 bytes from 10.25.255.254: icmp_req=1 ttl=64 time=7.65 ms
64 bytes from 10.25.255.254: icmp_req=2 ttl=64 time=7.49 ms
64 bytes from 10.25.255.254: icmp_req=3 ttl=64 time=7.69 ms
64 bytes from 10.25.255.254: icmp_req=4 ttl=64 time=7.31 ms
64 bytes from 10.25.255.254: icmp_req=5 ttl=64 time=7.52 ms
64 bytes from 10.25.255.254: icmp_req=6 ttl=64 time=7.42 ms

But I can't ping past the LAN interface:

root@server:# ping 10.25.255.1
PING 10.25.255.1 (10.25.255.1) 56(84) bytes of data.
From 10.25.255.254: icmp_seq=1 Redirect Host(New nexthop: 10.25.255.1)
From 10.25.255.254: icmp_seq=2 Redirect Host(New nexthop: 10.25.255.1)

I ran a tcpdump on my em1 interface (LAN interface which has the IP of 10.25.255.254)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
08:21:13.449222 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 10, length 64
08:21:13.458211 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:14.450541 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 11, length 64
08:21:14.458431 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:15.451794 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 12, length 64
08:21:15.458530 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:16.453203 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 13, length 64

So traffic is reaching the LAN interface, but it's not getting past it.

But no answer from the 10.25.255.1 host. I'm not sure what I'm missing.
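As an added example (not code from the original post, nor from pfSense or OpenVPN), the script below parses the two outputs quoted in the question and reports what a practitioner would look for in them: the client route table holds both a gateway route and an on-link route for 10.25.0.0/16 on tap0, which is why 10.25.255.254 answers the ping with ICMP Redirects, and the em1 capture contains ARP requests for 10.25.255.1 that never get an "is-at" reply. The route table and the capture are the ones from the question; the second "working" capture and its MAC address are constructed to show what a healthy exchange looks like.

```python
"""
Added example, not code from the original post or from pfSense/OpenVPN:
parse the client route table and the em1 tcpdump excerpt quoted in the
question and report (a) prefixes that have both a gateway route and an
on-link route on the same interface, which is why 10.25.255.254 replies
with ICMP Redirects, and (b) ARP and ICMP echo requests that get no reply.
"""
import re
from collections import defaultdict

# Sample input copied from the question. 300.300.300.300 is the author's
# placeholder for the public address and is kept verbatim.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
300.300.300.300 0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.25.0.0       10.25.255.254   255.255.0.0     UG    0      0        0 tap0
10.25.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tap0
0.0.0.0         300.300.300.300 0.0.0.0         UG    0      0        0 eth0
"""

# Sample input copied from the tcpdump on em1 in the question.
CAPTURE = """\
08:21:13.449222 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 10, length 64
08:21:13.458211 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:14.450541 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 11, length 64
08:21:14.458431 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:15.451794 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 12, length 64
08:21:15.458530 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:16.453203 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 13, length 64
"""

# Constructed (not from the question) capture of what a working exchange
# looks like; the MAC address is made up.
CAPTURE_OK = """\
08:30:00.000100 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:30:00.000300 ARP, Reply 10.25.255.1 is-at 00:11:22:33:44:55, length 28
08:30:00.000500 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 900, seq 1, length 64
08:30:00.000700 IP 10.25.255.1 > 10.25.24.1: ICMP echo reply, id 900, seq 1, length 64
"""

ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at (\S+)")
ECHO_REQ = re.compile(r"IP (\S+) > (\S+): ICMP echo request, id (\d+), seq (\d+)")
ECHO_REPLY = re.compile(r"IP (\S+) > (\S+): ICMP echo reply, id (\d+), seq (\d+)")


def parse_routes(text):
    """Parse `route -n` style output into (dest, gateway, genmask, flags, iface)."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 8:
            routes.append((cols[0], cols[1], cols[2], cols[3], cols[7]))
    return routes


def redirect_prone_routes(text):
    """
    Prefixes reachable both via a gateway (flag G) and directly (no G) on
    the same interface. The "Redirect Host" lines in the question show the
    client did hand such packets to 10.25.255.254, which then told it the
    destination is on-link. Returns a list of (prefix, gateway, iface).
    """
    by_prefix = defaultdict(list)
    for dest, gw, mask, flags, iface in parse_routes(text):
        by_prefix[(dest, mask, iface)].append((gw, flags))
    prone = []
    for (dest, mask, iface), entries in by_prefix.items():
        gateways = [gw for gw, flags in entries if "G" in flags]
        on_link = any("G" not in flags for _, flags in entries)
        if gateways and on_link:
            prone.append((f"{dest}/{mask}", gateways[0], iface))
    return prone


def unanswered(text):
    """
    Count ARP requests per target that never saw an 'is-at' reply, and list
    ICMP echo requests (src, dst, id, seq) with no matching echo reply.
    """
    arp_requests = defaultdict(int)
    arp_replied = set()
    echo_requests = []
    echo_replied = set()
    for line in text.splitlines():
        if m := ARP_REQ.search(line):
            arp_requests[m.group(1)] += 1
        elif m := ARP_REPLY.search(line):
            arp_replied.add(m.group(1))
        elif m := ECHO_REQ.search(line):
            echo_requests.append(m.groups())
        elif m := ECHO_REPLY.search(line):
            src, dst, ident, seq = m.groups()
            echo_replied.add((dst, src, ident, seq))  # flip to match the request
    return {
        "arp": {t: n for t, n in arp_requests.items() if t not in arp_replied},
        "icmp": [r for r in echo_requests if r not in echo_replied],
    }


if __name__ == "__main__":
    for prefix, gw, iface in redirect_prone_routes(ROUTE_TABLE):
        print(f"{prefix} via {gw} on {iface} is also on-link: expect ICMP redirects")
    for name, cap in (("question capture", CAPTURE), ("working capture", CAPTURE_OK)):
        r = unanswered(cap)
        print(f"{name}: unanswered ARP {r['arp']}, unanswered echo {len(r['icmp'])}")
```

The redirect explains the "Redirect Host" lines in the ping output (a Linux client accepts them by default, see net.ipv4.conf.*.accept_redirects), but it does not explain the unanswered ARP. The capture only proves the requests left em1; the next check is a tcpdump on Server A itself, to see whether the "who-has 10.25.255.1" frames arrive there at all, which the question leaves open.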

© Server Fault or respective owner