[pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
hi all,

i wrote about this issue in late december, and now having downloaded the latest snapshot, it still persists:

i have an issue with 2 pfsense machines each running 2.0 beta 5: all of the x509 stuff is fine, and i have a two-way tunnel between two distant subnets [client=172.16.32.0/24 - server=172.16.8.0/24].

this problem that i'm facing is the client side -- it insists on using the ip address from the address pool rather than the subnet ip.

when a server side machine pings a client side machine it uses its address of 172.16.8.1 as expected. when a client side machine (172.16.32.1) pings a server side machine, it uses the 10.8.0.2 address.

if i use a 1.23 client (ceteris paribus), all works as expected.

i've just no clue -- i've tried everything. anyone have some hints?

thanks

m

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
did you specify the remote client subnet in the client CCD? (with iroute?)

On 11-01-20 01:05 PM, mayak-cq wrote:
> hi all,
>
> i wrote about this issue in late december, and now having downloaded the latest snapshot, it still persists:
>
> i have an issue with 2 pfsense machines each running 2.0 beta 5: all of the x509 stuff is fine, and i have a two-way tunnel between two distant subnets [client=172.16.32.0/24 - server=172.16.8.0/24].
>
> this problem that i'm facing is the client side -- it insists on using the ip address from the address pool rather than the subnet ip.
>
> when a server side machine pings a client side machine it uses its address of 172.16.8.1 as expected. when a client side machine (172.16.32.1) pings a server side machine, it uses the 10.8.0.2 address.
>
> if i use a 1.23 client (ceteris paribus), all works as expected.
>
> i've just no clue -- i've tried everything. anyone have some hints?
>
> thanks
>
> m

--
Francois-Alexandre St-Onge Aubut
IDS micronet

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, Jan 20, 2011 at 2:51 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Thu, Jan 20, 2011 at 1:05 PM, mayak-cq ma...@australsat.com wrote:
>> hi all,
>>
>> i wrote about this issue in late december, and now having downloaded the latest snapshot, it still persists:
>>
>> i have an issue with 2 pfsense machines each running 2.0 beta 5: all of the x509 stuff is fine, and i have a two-way tunnel between two distant subnets [client=172.16.32.0/24 - server=172.16.8.0/24].
>>
>> this problem that i'm facing is the client side -- it insists on using the ip address from the address pool rather than the subnet ip.
>>
>> when a server side machine pings a client side machine it uses its address of 172.16.8.1 as expected. when a client side machine (172.16.32.1) pings a server side machine, it uses the 10.8.0.2 address.
>>
>> if i use a 1.23 client (ceteris paribus), all works as expected.
>>
>> i've just no clue -- i've tried everything. anyone have some hints?
>
> http://redmine.pfsense.org/issues/1216
>
> you can work around with manual outbound NAT.

Actually that may not be exactly right - I have my tun interfaces assigned where I'm seeing that. Is your tun interface assigned under Interfaces > assign?

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, Jan 20, 2011 at 1:05 PM, mayak-cq ma...@australsat.com wrote:
> hi all,
>
> i wrote about this issue in late december, and now having downloaded the latest snapshot, it still persists:
>
> i have an issue with 2 pfsense machines each running 2.0 beta 5: all of the x509 stuff is fine, and i have a two-way tunnel between two distant subnets [client=172.16.32.0/24 - server=172.16.8.0/24].
>
> this problem that i'm facing is the client side -- it insists on using the ip address from the address pool rather than the subnet ip.
>
> when a server side machine pings a client side machine it uses its address of 172.16.8.1 as expected. when a client side machine (172.16.32.1) pings a server side machine, it uses the 10.8.0.2 address.
>
> if i use a 1.23 client (ceteris paribus), all works as expected.
>
> i've just no clue -- i've tried everything. anyone have some hints?

http://redmine.pfsense.org/issues/1216

you can work around with manual outbound NAT.

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, 2011-01-20 at 14:55 -0500, Chris Buechler wrote:
> On Thu, Jan 20, 2011 at 2:51 PM, Chris Buechler cbuech...@gmail.com wrote:
>> On Thu, Jan 20, 2011 at 1:05 PM, mayak-cq ma...@australsat.com wrote:
>>> hi all,

snip

> Actually that may not be exactly right - I have my tun interfaces assigned where I'm seeing that. Is your tun interface assigned under Interfaces > assign?

Good Day My Lord,

Yes -- openvpn has an interface declared on the server side :-)

Cheers

M

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, Jan 20, 2011 at 3:07 PM, mayak-cq ma...@australsat.com wrote:
> On Thu, 2011-01-20 at 14:55 -0500, Chris Buechler wrote:
>> On Thu, Jan 20, 2011 at 2:51 PM, Chris Buechler cbuech...@gmail.com wrote:
>>> On Thu, Jan 20, 2011 at 1:05 PM, mayak-cq ma...@australsat.com wrote:
>>>> hi all,
>
> snip
>
>> Actually that may not be exactly right - I have my tun interfaces assigned where I'm seeing that. Is your tun interface assigned under Interfaces > assign?
>
> Good Day My Lord,
>
> Yes -- openvpn has an interface declared on the server side :-)

What about the client side? Server side doesn't matter.

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, 2011-01-20 at 15:13 -0500, Chris Buechler wrote:
> On Thu, Jan 20, 2011 at 3:07 PM, mayak-cq ma...@australsat.com wrote:
>> On Thu, 2011-01-20 at 14:55 -0500, Chris Buechler wrote:
>>> On Thu, Jan 20, 2011 at 2:51 PM, Chris Buechler cbuech...@gmail.com wrote:
>>>> On Thu, Jan 20, 2011 at 1:05 PM, mayak-cq ma...@australsat.com wrote:
>>>>> hi all,
>>
>> snip
>>
>>> Actually that may not be exactly right - I have my tun interfaces assigned where I'm seeing that. Is your tun interface assigned under Interfaces > assign?
>>
>> Good Day My Lord,
>>
>> Yes -- openvpn has an interface declared on the server side :-)
>
> What about the client side? Server side doesn't matter.

Thanks Again My Lord!

So -- the client machine is a vanilla clone of a 1.23 install -- only custom arguments on client are:

ns-cert-type server; verb 4

Which (in theory) shouldn't cause the server to NAT the pool address ...

Cheers

M

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, Jan 20, 2011 at 3:42 PM, mayak-cq ma...@australsat.com wrote:
> On Thu, 2011-01-20 at 15:13 -0500, Chris Buechler wrote:
>> On Thu, Jan 20, 2011 at 3:07 PM, mayak-cq ma...@australsat.com wrote:
>>> On Thu, 2011-01-20 at 14:55 -0500, Chris Buechler wrote:
>>>> On Thu, Jan 20, 2011 at 2:51 PM, Chris Buechler cbuech...@gmail.com wrote:
>>>>> On Thu, Jan 20, 2011 at 1:05 PM, mayak-cq ma...@australsat.com wrote:
>>>>>> hi all,
>>>
>>> snip
>>>
>>>> Actually that may not be exactly right - I have my tun interfaces assigned where I'm seeing that. Is your tun interface assigned under Interfaces > assign?
>>>
>>> Good Day My Lord,
>>>
>>> Yes -- openvpn has an interface declared on the server side :-)
>>
>> What about the client side? Server side doesn't matter.
>
> Thanks Again My Lord!
>
> So -- the client machine is a vanilla clone of a 1.23 install -- only custom arguments on client are:
>
> ns-cert-type server; verb 4
>
> Which (in theory) shouldn't cause the server to NAT the pool address ...

You're not answering my question, is the tun interface assigned under Interfaces > assign on the client?

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, 2011-01-20 at 15:45 -0500, Chris Buechler wrote:

snip

> You're not answering my question, is the tun interface assigned under Interfaces > assign on the client?

ooops -- sorry -- yes it is.

thanks

m

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, 2011-01-20 at 15:45 -0500, Chris Buechler wrote:
> On Thu, Jan 20, 2011 at 3:42 PM, mayak-cq ma...@australsat.com wrote:
>> On Thu, 2011-01-20 at 15:13 -0500, Chris Buechler wrote:
>>> On Thu, Jan 20, 2011 at 3:07 PM, mayak-cq ma...@australsat.com wrote:
>>>> On Thu, 2011-01-20 at 14:55 -0500, Chris Buechler wrote:
>>>>> On Thu, Jan 20, 2011 at 2:51 PM, Chris Buechler cbuech...@gmail.com wrote:
>>>>>> On Thu, Jan 20, 2011 at 1:05 PM, mayak-cq ma...@australsat.com wrote:
>>>>>>> hi all,
>>>>
>>>> snip
>>>>
>>>>> Actually that may not be exactly right - I have my tun interfaces assigned where I'm seeing that. Is your tun interface assigned under Interfaces > assign?
>>>>
>>>> Good Day My Lord,
>>>>
>>>> Yes -- openvpn has an interface declared on the server side :-)
>>>
>>> What about the client side? Server side doesn't matter.
>>
>> Thanks Again My Lord!
>>
>> So -- the client machine is a vanilla clone of a 1.23 install -- only custom arguments on client are:
>>
>> ns-cert-type server; verb 4
>>
>> Which (in theory) shouldn't cause the server to NAT the pool address ...
>
> You're not answering my question, is the tun interface assigned under Interfaces > assign on the client?

My Lord,

You're a genius! Nuking the interface declaration solves it!!

Intermediate solution yes, but a solution nonetheless!

Thanks

M

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, Jan 20, 2011 at 3:54 PM, mayak-cq ma...@australsat.com wrote:
> ooops -- sorry -- yes it is.

Thank you, I corrected the ticket to the exact scenario.

Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, Jan 20, 2011 at 4:09 PM, mayak-cq ma...@australsat.com wrote:
> My Lord,
>
> You're a genius! Nuking the interface declaration solves it!!
>
> Intermediate solution yes, but a solution nonetheless!

Amen!

Scott

RE: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
> Thank you, I corrected the ticket to the exact scenario.

Scott,

From pfSense's pov, what happens in this exact scenario when you assign the tun device to an interface?

I followed this thread closely as I have a similar issue plaguing me that I am unable to resolve as of yet...

Thanks,
jlc

[pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
merry Christmas everyone,

i have an issue with 2 pfsense machines each running 2.0 beta 5: all of the x509 stuff is fine, and i have a two-way tunnel between two distant subnets [client=172.16.32.0/24 - server=172.16.8.0/24].

this problem that i'm facing is the client side -- it insists on using the ip address from the address pool rather than the subnet ip.

when a server side machine pings a client side machine it uses its address of 172.16.8.1 as expected. when a client side machine (172.16.32.1) pings a server side machine, it uses the 10.8.0.2 address.

i've just no clue -- i've tried everything. anyone have some hints?

thanks

m