Author Topic: ping from VPN segment issue  (Read 1087 times)

cesjr
ping from VPN segment issue
« on: September 20, 2016, 02:22:23 am »
Hi guys, I have two pfSense and one Cisco router for MPLS-VPN, and one of the pfSense is running a PPTP VPN service.

pfsense01:
LAN : 192.168.1.23
WAN: 59.Y.X.30 (static WAN IP )
PPTP WAN : 59.Y.X.3
PPTP LAN : 192.168.1.251

pfsense02:
LAN : 192.168.1.1
WAN : ADSL PPPOE
WAN2 : 118.163.Y.X (static WAN IP)

cisco router :
LAN : 192.168.1.253
This router is used for MPLS-VPN; I don't have permission to get into it.

client01:
LAN : 192.168.1.20
GW : 192.168.1.23

client02:
LAN : 192.168.1.11
GW : 192.168.1.253

client03:
LAN : 192.168.1.240
GW : 192.168.1.1

It is very strange: when I dial in to the PPTP VPN, I can ping 192.168.1.20 and 192.168.1.11, but 192.168.1.240 fails!
I noticed that when I use tracert -d 192.168.1.20 or 192.168.1.11, it first goes to 59.Y.X.3 and then gets to 192.168.1.20 and .11.
On the other hand, the tracert to 192.168.1.240 gets stuck at 59.Y.X.3 and then times out!

If I tracert from 192.168.1.20 and 192.168.1.11, it first goes to 192.168.1.23 and then gets to 192.168.1.251!
How do they know how to reach 192.168.1.251, especially since 192.168.1.11's gateway is 192.168.1.253?

« Last Edit: September 20, 2016, 02:27:53 am by cesjr »

johnpoz
Re: ping from VPN segment issue
« Reply #1 on: September 20, 2016, 01:22:31 pm »
"first it go to 59.Y.X.3 then get to 192.168.1.20"

How is that?? So you're using public IP space in your tunnel?

When you traceroute to something on the other side of the tunnel you should be inside your tunnel, you shouldn't see public space.. Unless you're using public space in your tunnel. Which, why??

C:\>tracert -d 192.168.9.100

Tracing route to 192.168.9.100 over a maximum of 30 hops

  1   169 ms   161 ms   170 ms  10.0.8.1
  2   218 ms   178 ms   158 ms  192.168.9.100

Trace complete.

I would suggest a couple of things. For starters, update your pfSense.. What version are you on that PPTP is still an option? Why would you still be using PPTP.. You know it's been dead for years.. It is not a secure VPN solution.. There was a widely publicized tool back in 2012 that pretty much made it clickity clickity to gain access.

Shoot, there was even a sticky about it back then that is still there
https://forum.pfsense.org/index.php?topic=54255.0
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE (home)
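
Added example, not part of the original thread or any poster's code: a Python parser for `tracert -d` output that flags hops outside RFC 1918 space, the symptom the reply above points at. The second sample is constructed, with 203.0.113.3 standing in for the redacted 59.Y.X.3; the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges are listed explicitly: ipaddress.is_private also counts
# documentation ranges such as 203.0.113.0/24 and would hide the finding here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One hop line of Windows `tracert -d`: hop number, three RTT columns
# ("169 ms", "<1 ms" or "*"), then the hop's IPv4 address.
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(?:<?\d+\s+ms|\*)\s+){3}(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_hops(tracert_output):
    """Return [(hop_number, IPv4Address)] for every hop that answered."""
    hops = []
    for line in tracert_output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return hops

def public_hops(tracert_output):
    """Return the hops whose address lies outside RFC 1918 space."""
    return [(n, ip) for n, ip in parse_hops(tracert_output)
            if not any(ip in net for net in RFC1918)]

# Output quoted in the reply above: every hop is inside the tunnel.
TRACE_PRIVATE = """Tracing route to 192.168.9.100 over a maximum of 30 hops

  1   169 ms   161 ms   170 ms  10.0.8.1
  2   218 ms   178 ms   158 ms  192.168.9.100

Trace complete."""

# Constructed sample of the pattern from the first post (timings made up).
TRACE_PUBLIC = """Tracing route to 192.168.1.20 over a maximum of 30 hops

  1    35 ms    33 ms    34 ms  203.0.113.3
  2    36 ms    35 ms    36 ms  192.168.1.20

Trace complete."""

if __name__ == "__main__":
    for name, text in (("quoted", TRACE_PRIVATE), ("constructed", TRACE_PUBLIC)):
        flagged = public_hops(text)
        print(name, "public hops:", [(n, str(ip)) for n, ip in flagged])
```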

cesjr
Re: ping from VPN segment issue
« Reply #2 on: September 20, 2016, 08:31:09 pm »
I think it is because I am using a public IP in the Server address setting.
I think I have to supply a public IP for that (different from the current WAN interface), so the user can enter this IP for the connection.
So as you say, I think I need to change it to a private IP.
This is a very old pfSense server. I already moved it to OpenVPN, but in this situation I have to let some users continue to access it.
Thanks for your suggestion.
B.R.
« Last Edit: September 20, 2016, 09:25:21 pm by cesjr »

johnpoz
Re: ping from VPN segment issue
« Reply #3 on: September 21, 2016, 10:32:09 am »
"I have to let some users continue access it"

You're not doing them or yourself any favors using a VPN solution that has been dead for going on 5 years..