again: make 100% sure gateway information is correct on clients and: check arp cache if client is seen after your try/ping
so we can make sure the problem is only in your box(es)

rgds
stephan

2012/12/20 Cristian Del Carlo <[email protected]>
> Another information.
>
> If from a client in lan I do:
> # ping 192.168.8.10 ( a client in the other network)
>
> And in pfsense (client openvpn):
> tcpdump -i ovpnc2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
> 0 packets captured
> 0 packets received by filter
> 0 packets dropped by kernel
>
> I can't see any packet. It is like the packets are not routed under the
> tunnel.
> But I don't know why and how to fix the problem.
>
> If I use the command:
> tcpdump -i pflog0 icmp
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 0 packets captured
>
> I can't see any packets blocked by the firewall.
>
> Thanks for your help.
>
> 2012/12/20 Cristian Del Carlo <[email protected]>:
> > Hi, I tried this configuration but I have the same problem. I am very confused.
> >
> > This is my network:
> >
> > lan1 192.168.9.0 <---> pfsense1 (client openvpn) <--> pfsense2 (server openvpn) <--> lan 2 192.168.8.0
> >
> > These are now, with certificates, my configuration files:
> >
> > Pfsense server:
> >
> > /var/etc/openvpn/server1.conf
> >
> > dev ovpns1
> > dev-type tun
> > dev-node /dev/tun1
> > writepid /var/run/openvpn_server1.pid
> > #user nobody
> > #group nobody
> > script-security 3
> > daemon
> > keepalive 10 60
> > ping-timer-rem
> > persist-tun
> > persist-key
> > proto udp
> > cipher AES-128-CBC
> > up /usr/local/sbin/ovpn-linkup
> > down /usr/local/sbin/ovpn-linkdown
> > local X.X.X.X
> > tls-server
> > ifconfig 10.0.8.1 10.0.8.2
> > tls-verify /var/etc/openvpn/server1.tls-verify.php
> > lport 1195
> > management /var/etc/openvpn/server1.sock unix
> > ca /var/etc/openvpn/server1.ca
> > cert /var/etc/openvpn/server1.cert
> > key /var/etc/openvpn/server1.key
> > dh /etc/dh-parameters.1024
> > comp-lzo
> > route 192.168.9.0 255.255.255.0
> > push "route 192.168.8.0 255.255.255.0"
> >
> > /var/etc/openvpn-csc/fw-target
> >
> > iroute 192.168.9.0 255.255.255.0
> >
> > Pfsense client:
> >
> > /var/etc/openvpn/client2.conf
> >
> > dev ovpnc2
> > dev-type tun
> > dev-node /dev/tun2
> > writepid /var/run/openvpn_client2.pid
> > #user nobody
> > #group nobody
> > script-security 3
> > daemon
> > keepalive 10 60
> > ping-timer-rem
> > persist-tun
> > persist-key
> > proto udp
> > cipher AES-128-CBC
> > up /usr/local/sbin/ovpn-linkup
> > down /usr/local/sbin/ovpn-linkdown
> > local X.X:X.X
> > tls-client
> > client
> > lport 0
> > management /var/etc/openvpn/client2.sock unix
> > remote X.X.X.X 1195
> > ifconfig 10.0.8.2 10.0.8.1
> > route 192.168.8.0 255.255.255.0
> > ca /var/etc/openvpn/client2.ca
> > cert /var/etc/openvpn/client2.cert
> > key /var/etc/openvpn/client2.key
> > comp-lzo
> >
> > Thanks for your help.
> >
> > 2012/12/19 [email protected] <[email protected]>:
> >> Ok, then no firewall rules forcing gateway, so let's try something else.
> >>
> >> Did you configure iroute ?
> >> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
> >> Read : Including multiple machines on the client side when using a
> >> routed VPN
> >>
> >> It might work :-p
> >>
> >>
> >> On Wed, 19 Dec 2012 15:19:25 +0100,
> >> Cristian Del Carlo <[email protected]> wrote:
> >>
> >>> Hi,
> >>>
> >>> Thanks for your help.
> >>>
> >>> Even in LAN I have :
> >>> My firewall rules are in both pfsense:
> >>> Action: Pass
> >>> Interface : LAN
> >>> Protocol: Any
> >>> Source: Any
> >>> Destination: Any
> >>>
> >>> If I ping the tunnel from a client it seems ok:
> >>>
> >>> ping 10.0.8.1 --> Ok
> >>> ping 10.8.8.2 --> OK
> >>> ping 192.168.8.X --> 100% packet loss
> >>>
> >>> Thanks.
> >>>
> >>> 2012/12/19 WolfSec-Support <[email protected]>:
> >>> > may there are any fw rules there in LAN interface with similar
> >>> > IP's/networks ?
> >>> > some used this under 1.2.x and after upgrading to 2.x this caused
> >>> > issues.
> >>> >
> >>> > onto routing:
> >>> >
> >>> > looks good
> >>> >
> >>> > here a similar setup of mine / 1 side:
> >>> >
> >>> > 192.168.253.13 link#13 UH 0 0 1500 ovpnc1
> >>> > 192.168.253.14 link#13 UHS 0 0 16384 lo0
> >>> > 192.168.0.0/16 192.168.253.13 UGS 0 4151616 1500 ovpnc1
> >>> > 192.168.242.0/24 link#1 U 0 1191195015 1500 vr0
> >>> >
> >>> > rgds
> >>> > stephan
> >>> >
> >>> > 2012/12/19 Cristian Del Carlo <[email protected]>
> >>> >>
> >>> >> Hi,
> >>> >>
> >>> >> thanks for your help.
> >>> >>
> >>> >> My firewall rules are in both pfsense:
> >>> >> Action: Pass
> >>> >> Interface : Openvpn
> >>> >> Protocol: Any
> >>> >> Source: Any
> >>> >> Destination: Any
> >>> >>
> >>> >> These are my routes from the firewalls ( without public ip ):
> >>> >>
> >>> >> pfsense 1 - client:
> >>> >> 10.0.8.1 link#10 UH 0 15 ovpnc2
> >>> >> 10.0.8.2 link#10 UHS 0 0 lo0
> >>> >> 192.168.8.0/24 10.0.8.1 UGS 0 45 ovpnc2
> >>> >> 192.168.9.0/24 link#2 U 0 37598040 em1
> >>> >>
> >>> >> pfsense 2 - server:
> >>> >> 10.0.8.1 link#9 UHS 0 0 lo0
> >>> >> 10.0.8.2 link#9 UH 0 72 ovpns1
> >>> >> 192.168.8.0/24 link#2 U 0 229122 em1
> >>> >> 192.168.8.1 link#2 UHS 0 0 lo0
> >>> >> 192.168.9.0/24 10.0.8.2 UGS 0 1 ovpns1
> >>> >>
> >>> >> Could it be a routing problem?
> >>> >>
> >>> >>
> >>> >> 2012/12/19 WolfSec-Support <[email protected]>:
> >>> >> > Hi,
> >>> >> >
> >>> >> > do you have special rules in VPN tunnel ?
> >>> >> > make sure to open OpenVPN ruleset as necessary
> >>> >> >
> >>> >> > this is "new" in 2.x; 1.2.x. had no rules in OpenVPN tunnels
> >>> >> >
> >>> >> > but per default normally tunnel is open any<>any
> >>> >> >
> >>> >> > br
> >>> >> > stephan
> >>> >> >
> >>> >> > _______________________________________________
> >>> >> > List mailing list
> >>> >> > [email protected]
> >>> >> > http://lists.pfsense.org/mailman/listinfo/list
> >>> >>
> >>> >> --
> >>> >> --------------------------------------------------------
> >>> >>
> >>> >> Cristian Del Carlo
> >>> >>
> >>> >> The text and any transmitted documents contain information reserved
> >>> >> for the indicated recipient. This e-mail is confidential and its
> >>> >> confidentiality is legally protected by Legislative Decree 196 of
> >>> >> 30/06/2003 (Privacy Protection Code). Reading, copying or any other
> >>> >> unauthorized use, or any other action based on knowledge of this
> >>> >> information, is strictly prohibited. If you have received this
> >>> >> document in error, you are kindly asked to notify the sender
> >>> >> immediately and to destroy it immediately.
> >>> >>
> >>> >> --------------------------------------------------------
> >>> >
> >>> > --
> >>> >
> >>> > Stephan Wolf
> >>> >
> >>> > WolfSec
> >>> > Rairing 65
> >>> > CH-8108 Dällikon
> >>> >
> >>> > +41 43 536 1191
> >>> > +41 76 566 8222
> >>> > http://www.wolfsec.ch

--
Stephan Wolf
WolfSec
Rairing 65
CH-8108 Dällikon
+41 43 536 1191
+41 76 566 8222
http://www.wolfsec.ch
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
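As an added example for this thread (not code from the list, from pfSense or from OpenVPN), the checker below encodes the routing requirements the replies keep circling: does the server hold a `route` for the client-side LAN, does the client learn a route for the server-side LAN (its own `route` or a pushed one it actually pulls), do the `ifconfig` endpoints mirror, do `proto`, `cipher`, `comp-lzo` and the port agree, and can a ccd `iroute` file take effect at all. The config texts are abridged from the thread (routing-relevant directives only) and the two LAN networks are the ones the thread states; the rule that `iroute` and `client-config-dir` only apply in multi-client server mode (`server` or `mode server`) is the checker's reading of OpenVPN's server-mode options, not something the thread itself concludes.

```python
"""Consistency checks for a routed OpenVPN site-to-site pair (added example)."""
import shlex

CLIENT_LAN = ("192.168.9.0", "255.255.255.0")   # lan1, behind pfsense1 (openvpn client)
SERVER_LAN = ("192.168.8.0", "255.255.255.0")   # lan2, behind pfsense2 (openvpn server)

# Abridged from /var/etc/openvpn/server1.conf as quoted in the thread.
SERVER_CONF = """\
proto udp
cipher AES-128-CBC
tls-server
ifconfig 10.0.8.1 10.0.8.2
lport 1195
comp-lzo
route 192.168.9.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0"
"""
# /var/etc/openvpn-csc/fw-target as quoted in the thread.
CCD_CONF = "iroute 192.168.9.0 255.255.255.0\n"
# Abridged from /var/etc/openvpn/client2.conf as quoted in the thread.
CLIENT_CONF = """\
proto udp
cipher AES-128-CBC
tls-client
client
remote X.X.X.X 1195
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
comp-lzo
"""


def parse(text):
    """OpenVPN config text -> list of (directive, args); '#' starts a comment."""
    conf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = shlex.split(line)          # keeps push "route ..." as one argument
            conf.append((words[0], words[1:]))
    return conf


def find(conf, name):
    """Argument lists of every occurrence of directive `name`."""
    return [args for d, args in conf if d == name]


def routes(conf):
    """(network, netmask) pairs from 'route' lines."""
    return {tuple(a[:2]) for a in find(conf, "route") if len(a) >= 2}


def pushed_routes(conf):
    """(network, netmask) pairs from push "route ..." lines on the server."""
    out = set()
    for a in find(conf, "push"):
        words = a[0].split() if a else []
        if len(words) >= 3 and words[0] == "route":
            out.add((words[1], words[2]))
    return out


def check_site_to_site(server_text, ccd_text, client_text, client_lan, server_lan):
    """Return human-readable findings; an empty list means nothing inconsistent."""
    srv, ccd, cli = parse(server_text), parse(ccd_text), parse(client_text)
    findings = []
    # 1. Tunnel endpoints mirror: server 'ifconfig A B' pairs with client 'ifconfig B A'.
    s_if, c_if = find(srv, "ifconfig"), find(cli, "ifconfig")
    if s_if and c_if and s_if[0][:2] != list(reversed(c_if[0][:2])):
        findings.append(f"ifconfig mismatch: server {s_if[0][:2]} vs client {c_if[0][:2]}")
    # 2. The server kernel must send the client-side LAN into the tunnel.
    if client_lan not in routes(srv):
        findings.append(f"server has no 'route {client_lan[0]} {client_lan[1]}'")
    # 3. The client must learn the server-side LAN: own 'route', or a pushed route it pulls.
    pulls = bool(find(cli, "client") or find(cli, "pull"))
    if server_lan not in routes(cli) and not (pulls and server_lan in pushed_routes(srv)):
        findings.append(f"client gets no route for {server_lan[0]}/{server_lan[1]}")
    # 4. A ccd 'iroute' is read only via client-config-dir, and only in multi-client server mode.
    if find(ccd, "iroute"):
        server_mode = bool(find(srv, "server") or ["server"] in find(srv, "mode"))
        if not find(srv, "client-config-dir"):
            findings.append("ccd iroute present but server has no 'client-config-dir': file is never read")
        if not server_mode:
            findings.append("ccd iroute present but server is point-to-point (no 'server'/'mode server'): "
                            "only the 'route' directive decides what enters the tunnel")
    # 5. Transport settings must agree on both ends.
    for key in ("proto", "cipher", "comp-lzo"):
        if find(srv, key) != find(cli, key):
            findings.append(f"'{key}' differs: server {find(srv, key)} vs client {find(cli, key)}")
    lport, remote = find(srv, "lport"), find(cli, "remote")
    if lport and remote and len(remote[0]) > 1 and lport[0][0] != remote[0][1]:
        findings.append(f"port mismatch: server lport {lport[0][0]} vs client remote {remote[0][1]}")
    return findings


if __name__ == "__main__":
    for f in check_site_to_site(SERVER_CONF, CCD_CONF, CLIENT_CONF, CLIENT_LAN, SERVER_LAN):
        print("-", f)
```

Run against the thread's own configs it reports nothing about the LAN routes, endpoints or transport settings (which matches the routing tables Cristian posted: both firewalls already hold the UGS route for the far LAN over the tunnel); the only findings concern the ccd `iroute` file, which no `client-config-dir` line references and which would not apply to a point-to-point `ifconfig` tunnel anyway. That narrows the remaining search to what Stephan asks for at the top of the mail: the clients' gateway and ARP state, since the firewall's own routes and rules look consistent.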
