Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Strange routing issue site-site with openvpn (works fine in ipsec though).

    Scheduled Pinned Locked Moved OpenVPN
    1 Posts 1 Posters 495 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      diablo266
      last edited by

      I have a site-site VPN between the following subnets:

      A: 192.168.1.0/24
      B: 192.168.2.0/24

      Long story short: Using either openvpn or ipsec i'm able to ping every machine on either side of the vpn tunnel just fine, however I can only ping 192.168.2.3 from 192.168.1.0/24 but I cannot access any of its services (ssh/smaba etc) over openvpn. Everything works fine over ipsec. This problem only affects this one host, 192.168.2.3. Every other device is completely accessible via openvpn (in this case everything else is a VM hosted on proxmox host 192.168.2.3).

      I have no firewall rules blocking access to 192.168.2.3, I only have an allow all ipv4 rule on both sides for now.

      Details:

      192.168.2.3 is a proxmox host, pfsense is virtualized on this host with access to the vmbr0 (WAN) and vmbr1 (internal vm LAN) interfaces.

      ifconfig from 192.168.2.3:

      auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  187.122.44.197
        netmask  255.255.255.240
        gateway  187.122.44.193
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  192.168.2.3
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up ip route add 192.168.2.0/24 dev vmbr1 src 192.168.2.3 table rt2
        post-up ip route add default via 192.168.2.1 dev vmbr1 table rt2
        post-up ip rule add from 192.168.2.3/32 table rt2
        post-up ip rule add to 192.168.2.3/32 table rt2

      Without the additional route rules for the vmbr1 interface none of the VM's hosted on 192.168.2.3 were able to access services on 192.168.2.3 (ping worked though). At first I suspected this may have something to do with my problem, but if it does how come ipsec is unaffected?

      traceroute from 192.168.2.3 to 192.168.1.1:

      traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  187.122.44.194 (198.241.44.194)  0.770 ms  0.824 ms  0.913 ms

      It doesn't seem to be taking the correct route, and I figure I need another static route back to pfsense at 192.168.2.1 but if I do, again, why does it work fine in ipsec without one? Unfortunately i'm out of my depth, i'm not sure how to add an additional default route, if it's even needed. Thanks for any help with my crazy problems!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.