OPNsense Forum
English Forums => General Discussion => Topic started by: Groveld on August 05, 2015, 01:00:30 pm
-
I have a problem with my setup, where i can connect to my VPN and have a fully functioning internet connection trough it, BUT cannot ping anything other than my OPNsense box on my LAN...
i have setup my firewall so that it allows all traffic from and to all interfaces (LAN, DMZ, OPENVPN).
vpn didn't work at first, i had to provide an dns server even when i only access ip adresses directly, this is only tru for the opnsense box since i can't ping anything other than that on the lan network.
when i check my client's config, i see the remote network in the routing table.
is this some sort of rookie mistake where ik overlooked something simple? or is it more like a bug?
for now internet is working for me, but i would like to use it as a real vpn, not just as a secure tunnel to the internet :(
many thanks in advance!
-
add this under advanced in the openvpn server tab in the opnsense
push "route 192.168.xx.0 255.255.255.0";
for every network you want to access throw the vpn
-
I will try this, but doesn't the "IPv4 Local Network/s" entry the exact same thing?
-
It didn't work, now i can't even ping my OPNsense box...
here is a screenshot of the settings of my VPN:
(http://i.imgur.com/bu4CIm1.png)
-
the "IPv4 Local Network/s" entry should do this but it didn't work for me so i set this under advanced and it worked mhh:/. I just checked all your settings everything is equal except the DNS Server, i didn't need one so i didn't set it up.
Can you post your FW settings?
-
Some screenshots of my firewall rules...
-
yup also ok MHH :/
-
When you run OpenVPN on 443 on WAN, which port runs the GUI?
If you move OpenVPN to LAN and use NAT forwarding from 443:WAN to 443:LAN does that help? I can imagine that traffic from WAN is blocked into LAN, because that's what you want. ;)
-
OPNsense GUI runs on port 80 and i disabled https access.
if you see my previous post, i included my firewall rules. doesn't the automagicly created vpn rule take care of the wan-lan issue? or is it only to access the opnvpn service itself? if so, where do i create the extra rule?
-
No, it doesn't as it is a routing issue between LAN and the other internal subnet, only that it is on WAN. Even so, you are blocking private networks on WAN, that may be another thing to switch of and try (also further proof that VPN shouldn't terminate in WAN, spoofing happens and this private range block ought to stop it).
-
You can disable blocking under "Interfaces: WAN: Block private networks" (needs a filter apply)
-
"Interfaces: WAN: Block private networks" doesn't change anything, i can still only ping the OPNsense box.
-
Hmm, you'll probably have no trouble pinging 8.8.8.8 through the VPN? I still see a potential routing table issue with your VPN traffic trying to reach LAN being blackholed by the default route.
-
Under Topology, check that box, save the config and reconnect with your client.
Those push statements won't help much, you can probably remove them, but leave them for now for testing. I'm pretty sure that once you check the Topology it'll work. If you don't check this it creates an isolated /30 network that will only allow the client to see OPNsense and nothing else.
-
i can ping all WAN adresses, on the LAN interface only the OPNsense box (10.25.1.254).
my NAS, which is on 10.25.1.1 can still not be resolved.
the "topology" option didn't work either for me... :'(
-
Is the LAN by any chance set up as static IP? When you use the Ping tool in diagnostics, does it ping your internal IPs ok (from source address default, LAN, WAN)?
-
Yes, LAN is setup with a static IP, 10.25.1.254 with a subnet of 255.255.254.0 (/23).
Here are the PING results:
::Default::
PING 10.25.1.1 (10.25.1.1): 56 data bytes
64 bytes from 10.25.1.1: icmp_seq=0 ttl=64 time=0.405 ms
64 bytes from 10.25.1.1: icmp_seq=1 ttl=64 time=0.354 ms
64 bytes from 10.25.1.1: icmp_seq=2 ttl=64 time=0.544 ms
::WAN::
PING 10.25.1.1 (10.25.1.1) from 192.168.178.254: 56 data bytes
--- 10.25.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
::LAN::
PING 10.25.1.1 (10.25.1.1) from 10.25.1.254: 56 data bytes
64 bytes from 10.25.1.1: icmp_seq=0 ttl=64 time=0.419 ms
64 bytes from 10.25.1.1: icmp_seq=1 ttl=64 time=0.626 ms
64 bytes from 10.25.1.1: icmp_seq=2 ttl=64 time=0.397 ms
::DMZ::
PING 10.25.1.1 (10.25.1.1) from 10.42.1.254: 56 data bytes
64 bytes from 10.25.1.1: icmp_seq=0 ttl=64 time=0.448 ms
64 bytes from 10.25.1.1: icmp_seq=1 ttl=64 time=0.373 ms
64 bytes from 10.25.1.1: icmp_seq=2 ttl=64 time=0.309 ms
::OpenVPN server::
PING 10.25.1.1 (10.25.1.1) from 10.255.240.1: 56 data bytes
64 bytes from 10.25.1.1: icmp_seq=0 ttl=64 time=0.498 ms
64 bytes from 10.25.1.1: icmp_seq=1 ttl=64 time=0.439 ms
64 bytes from 10.25.1.1: icmp_seq=2 ttl=64 time=0.312 ms
-
Funny. I think the route is not being generated by OPNsense due to the static interface configuration.
Does the following help when issued manually as a root user on the box?
route add -net 10.25.1.254/23 10.25.1.254
-
root@firewall:~ # route add -net 10.25.1.254/23 10.25.1.254
route: writing to routing socket: File exists
add net 10.25.1.254: gateway 10.25.1.254 fib 0: route already in table
-
Now on to the firewall log, interface WAN destination your NAS, protocol ICMP. Find out why those pings are being blocked. It can only be the firewall then.
-
I have set my log to 5000 lines but there is no mention of 10.25.1.1 anywhere...??
maybe my setup is trying to keep me at home and doesn't like it when i leave or something??
Does it help if i create and vpn account for you (franco)? keeping out an annoying middle-man (me) :P, maybe i keep overlooking things? Just an thought.
-
This is from the OpenVPN log:
gateway openvpn[92190]: martin/82.73.xxx.xxx:61968 SENT CONTROL [martin]: 'PUSH_REPLY,route 10.25.0.0 255.255.254.0,route 10.42.0.0 255.255.254.0,dhcp-option DOMAIN home.groveld.com,dhcp-option DNS 10.25.1.254,dhcp-option DNS 8.8.8.8,register-dns,route-gateway 10.255.240.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.255.240.2 255.255.255.240' (status=1)
-
Did you try the filter? No packages dropped? Doesn't matter how many entries as long as you filter for the right connection parameters.
Did you turn off the log policy for drop by any change?
Can take a look on Monday if you have time. Drop me a PM. :)
-
This problem is now solved(ish)!
Franco has helped me killing this problem, in the end the problem solved itself??!
Yea... we broke the vpn settings, after we reversed the mistake, the normal setup seemed to work fine.
so in the end NOTHING was changed at all, but everything works now! ;D
The only thing worth mentioning is that IF you change anything openvpn related like add/remove/edit a firewall rule regarding the openvpn server (port 1194, or in my case 443) the openvpn service needs to be stopped and started manually, restart alone doesn't seen to work in this case, dunno why... ???
Thanks to Dominian for mentioning the "Topology" option!
Also for this specific use, where i wanted to access my lan network, i needed to terminate the vpn to my lan interface, this is done by changing the openvpn server option "Interface" from "WAN" to "LAN" and add a matching NAT rule to the LAN ip address, in my case 10.25.1.254 (now restart openvpn server 8)).
Franco is still looking into this episode of the x-files and maybe this mistery will be solved once and for all... tune in next time to find out! :)
In the meanwhile, somewhere out there, a case of beer is finding it's way to you franco!