Welcome, Guest. Please login or register.
Did you miss your activation email?
Friday 29 March 2024, 04:14:39 am

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14247 Posts in 4376 Topics by 6490 Members
Latest Member: maquino
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  Open VPN clients cannot ping LAN
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Open VPN clients cannot ping LAN  (Read 53490 times)
buxton
Jr. Member
*
Offline Offline

Posts: 1


« on: Wednesday 19 August 2009, 10:46:54 pm »

I am having trouble with my Open VPN setup. I am able to connect and ping the Endian firewall and access its webpage and from there I can ping my client laptop. Unfortunately I can not access any other resources in my LAN and no computers in my LAN  can ping my client laptop.  This is a road warrior setup. I am using the latest download of Endian firewall community. I belive this may be a routing issue but i am unsure what to do next.



Client 1 (..2.10)  - - - - - - - - - endian firewall (..2.6)



– LAN (..2.xx)
Logged
StephanSch
Full Member
***
Offline Offline

Gender: Male
Posts: 57


« Reply #1 on: Friday 21 August 2009, 06:56:51 am »

the problem is that your nets are on the same subnet. you should try to change one net or to change from routed to bridged
Logged
marvosa
Jr. Member
*
Offline Offline

Posts: 5


« Reply #2 on: Friday 28 August 2009, 12:00:15 am »

There are several things it could be, but I would start here:

In the VPN section on the "Advanced" tab, make sure you have this checked "Don't block traffic between clients".

If this doesn't work, post your user and server configs so we can troubleshoot further. 

A  things:

1.  Disable windows firewall or be sure to allow ICMP through.
2.  Make sure your OpenVPN IP scope does not overlap your DHCP IP range.
3.  Do you have any Outgoing firewall rules that may be blocking ICMP?
4.  Post client info (IP, subnet, default gateway, dns) and routing table after your clients connect.
Logged
endiant
Jr. Member
*
Offline Offline

Posts: 4


« Reply #3 on: Tuesday 03 November 2009, 08:37:42 am »

add a source NAT rule to allow "ALL OpenVPN users to Green" and all traffic should work.
Logged
ad.aimm
Full Member
***
Offline Offline

Posts: 36


« Reply #4 on: Wednesday 04 November 2009, 12:13:28 am »

hi,

in my part, sometimes ping works or doesn't work with openvpn (without nat and vpn firewall rules). but if i use ipsec i have always no trouble.

regards

ad
Logged
magu
Full Member
***
Offline Offline

Posts: 10


« Reply #5 on: Saturday 12 December 2009, 09:59:32 am »

Been banging my  against this one for a while.

Finally figured out: had disable the intrusion prevention system because it was blocking DNS packets. Even though ALL of the VPN firewall rules do NOT have IPS enabled.
Logged
-tim-
Jr. Member
*
Offline Offline

Posts: 1


« Reply #6 on: Wednesday 30 December 2009, 03:59:01 am »

I am having trouble with my Open VPN setup. I am able to connect and ping the Endian firewall and access its webpage and from there I can ping my client laptop. Unfortunately I can not access any other resources in my LAN and no computers in my LAN  can ping my client laptop.  This is a road warrior setup. I am using the latest download of Endian firewall community. I belive this may be a

did you find a solution? i have exactly the same issue. efw and even other networks than green work fine, only the bridged green zone is unreachable. i can find some equivalent postings on the net but no solution yet  Huh
Logged
mogyiman
Jr. Member
*
Offline Offline

Posts: 6


« Reply #7 on: Thursday 07 January 2010, 10:16:39 am »

Took me around 3 hours to figure out rules..  on EFW 2.3

- Disable firewall on client machine's TAP adapter
- Make sure the client's original and the server's network IP addresses are not overlapping
- Push the network ip address range explicitly from the server
- Add the following SOURCE NAT RULE
    - Source : ALL (OpenVPN User)  ---> Dest: GREEN  --> service: <ANY>  ---> NAT TO : GREEN
- Add the following to VPN FIREWALL RULE
    - Source : ALL (OpenVPN user)  ---> Dest: GREEN + OPENVPN  --> service: <ANY>     ALLOW

Client config is:

client
float
dev tap
proto udp
pull
remote [SERVER IP] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "SERVER'S CA.pem"
auth-user-pass
comp-lzo
verb 3
Logged
jianjou
Jr. Member
*
Offline Offline

Posts: 6


« Reply #8 on: Thursday 07 January 2010, 01:45:26 pm »

I have the same problem, and I try to use the method that you provide. But I still can not ping or access any hosts.
Any other ideas?
Logged
mogyiman
Jr. Member
*
Offline Offline

Posts: 6


« Reply #9 on: Thursday 07 January 2010, 08:52:29 pm »

Well, I noticed that Vista using the same configuration that my XP has is still unable to apply the new routing table entries. connect to the remote network.
To be more specific I used the latest Openvpn package (2.1.1) from openvpn site, because the GUI is already included into the newer packages.
It has everything to install right on a Vista or Win7 client. My routing table shows the new routes, but still no ping, no nothing to remote network.
The only address to reach is 0.223 which is the GREEN IP of the vpn gateway.
I'm trying to modify automatic metric calculation to manual and give higher priority to TAP adapter's routes.

Code:
172.20.0.0    255.255.255.0           On-link       172.20.0.82    286
172.20.0.0    255.255.255.0      172.20.0.223       172.20.0.82     30
172.20.0.82   255.255.255.255         On-link       172.20.0.82    286
172.20.0.255  255.255.255.255         On-link       172.20.0.82    286

So the above tables are failing, mostly because there are two gateways set for remote vpn network. On-link means default gw for the client machine.
I decided to manually get rid of everything and build-up a new table which is far less sophisticated, but works. I will not change server side configuration just because of this vista issue (=win 7 issue)
1, create a file named "profilename_up.bat" next to your ovpn configuration
2, add the following contents:
Code:
route delete "target_network_address"
route add "target_network_address" mask "target_network_mask" remote_ip_of_TAP IF NN
where NN is the TAP adapter's id as listed after route print command, I have (24):
Code:
Interface List
 24...00 ff bf e2 ed 95 ......TAP-Win32 Adapter V9
 11...00 0c f1 87 3a a5 ......Intel(R) PRO/100 VE Network Connection

That's it.
Logged
martec
Full Member
***
Offline Offline

Posts: 34


« Reply #10 on: Tuesday 20 April 2010, 07:06:55 pm »

Hi @ all,
--
i resume this post because i have the same problem, but when i try to change client ip in vpn (VPN --> Configuration Server --> Pool Dynamic IP start/end), and i restart openvpn server, i see old ip's. So i can't change the pool for vpn client...

Old value are the same of GREEN, and i read this is not right, so i want to change that...
Logged
jeliasson
Full Member
***
Offline Offline

Posts: 11


« Reply #11 on: Tuesday 10 May 2011, 06:21:07 am »

Hi,

I'm having the same problem and I tried to add a SNAT-rule, as mogyiman suggested, but no luck.
If I however remove the route to the OpenVPN-subnet, it works.
Logged
Alishba
Full Member
***
Offline Offline

Posts: 12


« Reply #12 on: Monday 16 May 2011, 08:44:54 pm »

Dashquid
fatlossprofessional.co.uk
fatlossprofessional
mobilehelper
securetrip
whichpetcover
google
abc
facebook
craigslist
Logged

lucianovs
Jr. Member
*
Offline Offline

Posts: 4


« Reply #13 on: Tuesday 28 June 2011, 06:15:52 am »

Hi Guys!!!

You just new create a firewall rule:

CLIENT2ENDIAN:
GO TO FIREWALL - VPN TRAFFIC (ENABLE)

CREATE A RULE LIKE:

SOURCE: OPENVPN: ANY
DESTINATION: ANY
POLICY: ALLOW


GW2GW:
CREATE A RULE LIKE:
SOURCE IP: ip/mask local
DESTINATION: ip/mask remote
POLICY: ALLOW


I think this can help!
=]
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.125 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com