OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: With Wings on April 28, 2017, 05:42:24 am

Title: Can only ping primary firewall after VPN, ovpns1 unassigned?
Post by: With Wings on April 28, 2017, 05:42:24 am
I have two firewalls set up with CARP / HA. XML RPC sync is failing after upgrading, which may be a separate issue.

I set up the OpenVPN server with certificates, and user / password. I was able to connect the VPN, and ping the main firewall only (on any interface). I tried reconfiguring various settings, but nothing worked. I ripped out the firewall rules, and server VPN, and just used the wizard, but still have the same exact problem:

I can ping the CARP, LAN, and LAN (CARP VIP) addresses from the VPN, as well as the 'default gateway' that is issued to my client without issue. Before I updated to 17.1.5 and broke the XML RPC sync, I was still connected to the VPN via the fwback firewall while the fwmain firewall was rebooting, so the WAN CARP VIP was working fine as well.

I am using 169.254.x.x for the actual WAN addresses of both firewalls, with no issues so far, so these interfaces are not pingable from the VPN. These interface addresses are all pingable:

192.168.1.254 (LAN CARP VIP)
192.168.1.251 (LAN fwmain)
172.16.1.251 (CARP fwmain)
192.168.10.1 (gateway address; for some reason the gateway address changes, it has been .1 through .5)

I could never ping any other address on the LAN, including the backup firewall 192.168.1.250 (fwback) over the VPN.

None of the settings seem to affect this problem (including 'Topology'); I have spent a few hours testing permutations.

I have IDS enabled, but not IPS.

The CARP interface is a Broadcom gigabit chip. The other 4 interfaces are all Intel Gigabit Pro 1000. They are all configured the same, and in the same order.

I updated to 17.1.5 in the hopes that maybe it would fix something? It didn't affect the issue, but broke XML RPC sync (it auto-submitted a bug report for this, twice, using the same email that I have registered for the forums):

"An Error occured while attempting XML RPC sync ... /xmlrpc.php parse error. not well formed"

I was thinking that the update broke something, but I don't know how to check.

I am stuck. I don't see any setting to tweak to allow access to the LAN over the VPN.

I am using Windows 8.1 clients running over VMware Workstation (on a Windows 8 host). I have tried both 'Bridged' and 'NAT' for the VMware settings, but they behave exactly the same way. I am using the current Viscosity client.

It doesn't seem that the firewall itself is releasing traffic.

The original 2 firewall rules as created by the Wizard had to be modified:
The UDP 1194 inbound rule had to be changed to 'any' instead of 'WAN' since it's using the WAN CARP VIP, and not the actual WAN address.

I added a LAN rule to allow traffic from 192.168.10.0/24 to test it.

The original rule under the 'OPENVPN' interface is still there. I noticed that under 'Interfaces / Assignments' there is a 'ovpns1' interface that isn't assigned to anything. I had also tried assigning this interface a static IP address on the tunnel subnet of 192.168.10.0, but that only prevented pinging the firewall itself as well. That was the point where I ripped everything out, and disabled, and then deleted that interface. After updating to 17.1.5 it seems to be working as it was before; I can still ping any (routable) interface on fwmain, but nothing else.

Any help is greatly appreciated.
Title: Re: Can only ping primary firewall after VPN, ovpns1 unassigned?
Post by: With Wings on May 02, 2017, 03:37:43 am
I missed that you have to stop and restart the OpenVPN service.

The setting that fixed it is the 'Topology' check box, toward the bottom.
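For reference, the two OpenVPN topologies that the 'Topology' checkbox switches between, written out as hand-made server.conf fragments; this is an added example, not the config OPNsense generated for this poster. The 192.168.10.0/24 tunnel network and the 192.168.1.0/24 LAN are taken from the thread; everything else is assumed.

```conf
# --- Default: topology net30 ---
# Each client is carved an isolated /30 out of the tunnel network, so the
# server-side endpoint the client sees as its 'default gateway' is .5, .9, .13,
# and so on instead of one fixed address. That matches the varying gateway
# address reported in the thread.
dev tun
server 192.168.10.0 255.255.255.0
topology net30
# Route the LAN behind the firewall into the tunnel (assumed LAN from the thread).
push "route 192.168.1.0 255.255.255.0"

# --- With the 'Topology' checkbox set: topology subnet ---
# One address per client in a single /24; the server is always 192.168.10.1,
# so the client's gateway no longer changes from session to session.
dev tun
server 192.168.10.0 255.255.255.0
topology subnet
push "route 192.168.1.0 255.255.255.0"
```

As with the GUI change in the thread, a change to the server config only takes effect once the OpenVPN service has been stopped and started again; clients also need a matching topology, which Viscosity picks up from the pushed options on reconnect.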