Netgate Discussion Forum
    Strange routing issue site-site with openvpn (works fine in ipsec though).

    Posted by diablo266

      I have a site-site VPN between the following subnets:

      A: 192.168.1.0/24
      B: 192.168.2.0/24

      Long story short: using either OpenVPN or IPsec, I'm able to ping every machine on either side of the VPN tunnel just fine. However, over OpenVPN I can only ping 192.168.2.3 from 192.168.1.0/24; I cannot access any of its services (SSH/Samba etc.). Everything works fine over IPsec. This problem only affects this one host, 192.168.2.3. Every other device is completely accessible via OpenVPN (in this case everything else is a VM hosted on the Proxmox host 192.168.2.3).

      I have no firewall rules blocking access to 192.168.2.3; I only have an allow-all IPv4 rule on both sides for now.

      Details:

      192.168.2.3 is a Proxmox host; pfSense is virtualized on this host with access to the vmbr0 (WAN) and vmbr1 (internal VM LAN) interfaces.

      ifconfig from 192.168.2.3:

      auto lo
      iface lo inet loopback
      
      iface eth0 inet manual
      
      auto vmbr0
      iface vmbr0 inet static
              address  187.122.44.197
              netmask  255.255.255.240
              gateway  187.122.44.193
              bridge_ports eth0
              bridge_stp off
              bridge_fd 0
      
      auto vmbr1
      iface vmbr1 inet static
              address  192.168.2.3
              netmask  255.255.255.0
              bridge_ports none
              bridge_stp off
              bridge_fd 0
              post-up ip route add 192.168.2.0/24 dev vmbr1 src 192.168.2.3 table rt2
              post-up ip route add default via 192.168.2.1 dev vmbr1 table rt2
              post-up ip rule add from 192.168.2.3/32 table rt2
              post-up ip rule add to 192.168.2.3/32 table rt2
      

      Without the additional route rules for the vmbr1 interface, none of the VMs hosted on 192.168.2.3 were able to access services on 192.168.2.3 (ping worked though). At first I suspected this may have something to do with my problem, but if it does, why is IPsec unaffected?

      traceroute from 192.168.2.3 to 192.168.1.1:

      traceroute 192.168.1.1
      traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
       1  187.122.44.194 (198.241.44.194)  0.770 ms  0.824 ms  0.913 ms
      

      It doesn't seem to be taking the correct route, and I figure I need another static route back to pfSense at 192.168.2.1, but if I do, again, why does it work fine with IPsec without one? Unfortunately I'm out of my depth; I'm not sure how to add an additional default route, if it's even needed. Thanks for any help with my crazy problems!

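The post's `ip rule` / `ip route ... table rt2` lines are Linux policy routing, and the traceroute result follows from how the kernel evaluates them. The script below is an added example (not code from the post or from Proxmox) that simulates that evaluation for the configuration quoted above: the two user rules and the rt2 table are taken from the `post-up` lines, while the main table's default route comes from the vmbr0 `gateway` line and the two connected-subnet routes are assumed (the kernel adds them automatically; the `local` table is left out). Rule priorities are modelled only by order. The point it shows is that a locally generated packet with no bound source address cannot match a `from 192.168.2.3` selector, so it falls through to `main` and leaves via the WAN gateway, which is what a plain `traceroute 192.168.1.1` does; a packet sourced from 192.168.2.3 takes rt2 via pfSense instead.

```python
"""Simulate Linux policy routing: rules in priority order, then a
longest-prefix-match lookup in the selected table.

Added example; not from the forum post. Routes marked 'assumed' are not in
the quoted config but are what the kernel would add on its own.
"""
from ipaddress import ip_address, ip_network

# Tables: (prefix, gateway-or-None for on-link, device).
TABLES = {
    "main": [
        (ip_network("0.0.0.0/0"), ip_address("187.122.44.193"), "vmbr0"),  # vmbr0 'gateway' line
        (ip_network("187.122.44.192/28"), None, "vmbr0"),  # connected route (assumed, auto-added)
        (ip_network("192.168.2.0/24"), None, "vmbr1"),     # connected route (assumed, auto-added)
    ],
    "rt2": [
        (ip_network("192.168.2.0/24"), None, "vmbr1"),     # post-up ip route add 192.168.2.0/24 ... table rt2
        (ip_network("0.0.0.0/0"), ip_address("192.168.2.1"), "vmbr1"),  # post-up default via 192.168.2.1
    ],
}

# Rules in evaluation order: (selector, prefix, table). The two user rules
# precede the built-in 'from all lookup main' rule, as they do on a real host.
RULES = [
    ("from", ip_network("192.168.2.3/32"), "rt2"),  # ip rule add from 192.168.2.3/32 table rt2
    ("to", ip_network("192.168.2.3/32"), "rt2"),    # ip rule add to 192.168.2.3/32 table rt2
    ("all", None, "main"),                          # built-in main-table rule
]


def lookup_table(table, dst):
    """Longest-prefix match of dst within one table; None if nothing matches."""
    best = None
    for prefix, gw, dev in TABLES[table]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, dev)
    return best


def route(dst, src=None):
    """Return the first route found by walking the rules in order.

    A table miss falls through to the next rule. src=None models a locally
    generated packet whose socket never bound a source address: 'from'
    selectors cannot match it, so the lookup reaches 'main' and the kernel
    then derives the source address from the egress device (here vmbr0).
    """
    dst = ip_address(dst)
    src = ip_address(src) if src else None
    for kind, prefix, table in RULES:
        if kind == "from" and (src is None or src not in prefix):
            continue
        if kind == "to" and dst not in prefix:
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            _, gw, dev = hit
            return {"table": table, "via": str(gw) if gw else None, "dev": dev}
    return None


if __name__ == "__main__":
    # 'traceroute 192.168.1.1' with no -s: unbound source -> main -> WAN gateway
    print(route("192.168.1.1"))
    # 'traceroute -s 192.168.2.3 192.168.1.1': 'from' rule matches -> rt2 -> pfSense
    print(route("192.168.1.1", src="192.168.2.3"))
    # reply from a service on the host to a VM on vmbr1: rt2, on-link
    print(route("192.168.2.50", src="192.168.2.3"))
```

On the real host the equivalent checks are `ip route get 192.168.1.1` (unbound source) and `ip route get 192.168.1.1 from 192.168.2.3` (source bound to the vmbr1 address); `ip rule show` prints the rule order with the priorities the kernel actually assigned. A traceroute that goes out the WAN therefore says nothing by itself about the return path of replies to site A, since those carry 192.168.2.3 as their source and match the first rule.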
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.