next »

[Thibaut]

thanks for your help

But my firewall on PC2 is disable ...

I can see the request from 192.168.2.6 to 192.168.1.245 with tcpdump of pfSense, but not the reply.

[Cry Havok]

Then your problem is with the host 192.168.1.245.  Check that it's default gateway is correct, check to see that it's receiving the packets, do all the basic troubleshooting steps on that host.

[Thibaut]

The problem doesn't become on that host because there is the same problem with an other PC with an other IP address...

thx for your help ...

[Cry Havok]

Well, start there.  If you're seeing packets enter the LAN but not return to pfSense then something you've posted here is obviously wrong.  The three possibilities are:

1) The hosts don't use the pfSense host as their default gateway
2) The static routes on the LAN clients are wrong
3) They run firewalls

Eliminate those one at a time, what's left is the only possibility.

[Thibaut]

2) The static routes on the LAN clients

What's that ? 

[Cry Havok]

Static routes tell clients how to reach networks that are attached to something other than your default gateway.

[BrianBonnell]

I had this same problem, but when I added all my hosts that I wanted the VPN clients to be able to contact to the DNS Forwarder list, I was able to ping and connect to the LAN side from the VPN Client side, when i removed those entries..I also lost my connectivity to those LAN elements. Not sure why but it seem that the host you want to be able to access via the VPN have to be listed in the DNS Forwarder also. Bug? not sure, but adding them fixed my issue.

[Thibaut]

Hi and thanks for your help !

I represent my configuration, because i'm not able to solve the probleme :

VPN Server configuration file :

Code:

writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.1.0 255.255.255.0"
lport 1194
push "dhcp-option DISABLE-NBT"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
persist-remote-ip
float

Client configuration file :

Code:

client
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /home/thibaut/ca.crt
cert /home/thibaut/client1.crt
key /home/thibaut/client1.key
verb 3

Client netstat -rn when it's connect to vpn server :

Code:

Destination     Passerelle      Genmask         Indic   MSS Fenêtre irtt Iface
192.168.2.1     192.168.2.5     255.255.255.255 UGH       0 0          0 tun0
192.168.2.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.16.119.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.1.0     192.168.2.5     255.255.255.0   UG        0 0          0 tun0
172.16.74.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
10.187.88.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.187.88.245   0.0.0.0         UG        0 0          0 eth0

Ping a PC with address 192.168.1.144 (report with tcpdump in pfSense) :

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on le0, link-type EN10MB (Ethernet), capture size 96 bytes
09:23:57.352592 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64
09:23:58.723015 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 8, length 64
09:23:59.408489 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:23:59.716733 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 9, length 64
09:24:00.716003 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 10, length 64
09:24:01.416434 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:24:01.709148 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 11, length 64
^C
8 packets captured
9 packets received by filter
0 packets dropped by kernel

ipconfig /all on my Windows PC which as 192.168.1.144 :

Code:

Carte Ethernet Connexion réseau sans fil:

        Suffixe DNS propre à la connexion : valadon.lan
        Description . . . . . . . . . . . : NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter
        Adresse physique . . . . . . . . .: 00-1B-2F-42-AE-DB
        DHCP activé. . . . . . . . . . . : Oui
        Configuration automatique activée . . . . : Oui
        Adresse IP. . . . . . . . . . . . : 192.168.1.144
        Masque de sous-réseau . . . . . . : 255.255.255.0
        Passerelle par défaut . . . . . . : 192.168.1.254
        Serveur DHCP. . . . . . . . . . . : 192.168.1.254
        Serveurs DNS . . . . . . . . . .  : 192.168.1.254
        Serveur WINS principal. . . . . . : 10.187.88.4
        Bail obtenu . . . . . . . . . . . : mardi 5 mai 2009 09:03:38
        Bail expirant . . . . . . . . . . : mardi 5 mai 2009 11:03:38

ifconfig on my linux client :

Code:

ath0      Link encap:Ethernet  HWaddr 00:15:af:59:60:78 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Packets reçus:522 erreurs:0 :0 overruns:0 frame:0
          TX packets:366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          Octets reçus:191752 (187.2 KB) Octets transmis:52773 (51.5 KB)

eth0      Link encap:Ethernet  HWaddr 00:1e:8c:28:4d:9c 
          inet adr:10.187.91.250  Bcast:10.187.91.255  Masque:255.255.252.0
          adr inet6: fe80::21e:8cff:fe28:4d9c/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:47532 erreurs:0 :0 overruns:0 frame:0
          TX packets:24031 errors:0 dropped:0 overruns:0 carrier:13
          collisions:0 lg file transmission:1000
          Octets reçus:20305549 (19.3 MB) Octets transmis:0 (0.0 B)
          Mémoire:feac0000-feb00000

lo        Link encap:Boucle locale 
          inet adr:127.0.0.1  Masque:255.0.0.0
          adr inet6: ::1/128 Scope:Hôte
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          Packets reçus:3217 erreurs:0 :0 overruns:0 frame:0
          TX packets:3217 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          Octets reçus:167880 (163.9 KB) Octets transmis:167880 (163.9 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet adr:192.168.2.6  P-t-P:192.168.2.5  Masque:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          Packets reçus:21 erreurs:0 :0 overruns:0 frame:0
          TX packets:389 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100
          Octets reçus:1194 (1.1 KB) Octets transmis:32110 (31.3 KB)

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01 
          inet adr:172.16.119.1  Bcast:172.16.119.255  Masque:255.255.255.0
          adr inet6: fe80::250:56ff:fec0:1/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
          TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)

vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08 
          inet adr:172.16.74.1  Bcast:172.16.74.255  Masque:255.255.255.0
          adr inet6: fe80::250:56ff:fec0:8/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
          TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)

wifi0     Link encap:UNSPEC  HWaddr 00-15-AF-59-60-78-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:57444 erreurs:0 :0 overruns:0 frame:3848
          TX packets:2361 errors:20 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:280
          Octets reçus:6565866 (6.2 MB) Octets transmis:152379 (148.8 KB)

ifconfig on my pfSenseBox :

Code:

le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:0c:29:c2:6b:1e
inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fec2:6b1e%le0 prefixlen 64 scopeid 0x1
media: Ethernet autoselect
status: active
le1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:0c:29:c2:6b:28
inet 10.187.88.9 netmask 0xfffffc00 broadcast 10.187.91.255
inet6 fe80::20c:29ff:fec2:6b28%le1 prefixlen 64 scopeid 0x2
media: Ethernet autoselect
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pflog0: flags=100<PROMISC> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet6 fe80::20c:29ff:fec2:6b1e%tun0 prefixlen 64 scopeid 0x8
inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
Opened by PID 2478

So with this configuration, i'm not able to ping 192.168.1.144 since 192.168.2.6 ...

[Cry Havok]

On the Windows PC, what does netstat -rn show?

I'll say it again - if you're not seeing packets back into the pfSense host from the Windows host then the problem is not with OpenVPN, or the remote client.  The problem is entirely in your local network and almost certainly on the Windows host.

[Thibaut]

result of the netstat -rn on Windows PC :

Code:

Table de routage
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 a5 3e 96 ...... Broadcom 440x 10/100 Integrated Controller - Min
iport d'ordonnancement de paquets
0x20004 ...00 1b 2f 42 ae db ...... NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adap
ter - Miniport d'ordonnancement de paquets
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
          0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.144       25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.144   192.168.1.144       25
    192.168.1.144  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.1.255  255.255.255.255    192.168.1.144   192.168.1.144       25
        224.0.0.0        240.0.0.0    192.168.1.144   192.168.1.144       25
  255.255.255.255  255.255.255.255    192.168.1.144               2       1
  255.255.255.255  255.255.255.255    192.168.1.144   192.168.1.144       1
Passerelle par défaut :     192.168.1.254
===========================================================================
Itinéraires persistants :
  Aucun

[Cry Havok]

So, you have the correct default gateway.

This means that the probability is that you still have the firewall running.  Trying pinging the Windows host from the pfSense host.

[Thibaut]

When i ping the Windows Host with pfSense, it replies ... 

[Cry Havok]

Then it's time to install Wireshark on the Windows host and do a packet capture there.

[Thibaut]

YES it works !

I find my mistake : the captive portal was enable in LAN, so the host (which were not authenticate) can't reply to my client...

Very thanks for your help and for your patience !

[Cry Havok]

Happy to help somebody who's willing to listen