Can not access hosts outside of DHCP range through tunnel network
-
Heyho,
I setup an OpenVPN server through the wizard which works great:Local Network: 192.168.0.0/16
DHCP Server Range: 192.168.2.2 - 192.168.255.254
Firewall/DHCP Server IP: 192.168.1.1Tunnel Network: 192.170.0.0/24
Tunnel Interface: ovpns1I can ping hosts from the ovpns1, which got an IP from the DHCP Server like 192.168.240.17. But I can not ping host which have a static ip configured like 192.168.1.10. (The hosts do not use the DHCP Server they use a static IPv4 config)
So I think some routing is somehow wrong. But how does the DHCP Server modify routes?192.168.240.17
traceroute to 192.168.240.17 (192.168.240.17), 30 hops max, 60 byte packets 1 192.170.0.1 (192.170.0.1) 145.834 ms 145.819 ms 145.812 ms 2 192.168.240.17 (192.168.240.17) 145.810 ms 145.808 ms 145.804 ms
192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 30 hops max, 60 byte packets 1 192.170.0.1 (192.170.0.1) 40.199 ms 40.178 ms 40.177 ms 2 * * * 3 * * * 4 * * *
Firewall shouldn't be a problem because I can ping the DHCP hosts. I have no blocking rules between LAN and OpenVPN and the default rules from the wizard.
Any clues why I can not route to 192.168.1.10?
-
"Local Network: 192.168.0.0/16"
Why?? You sure your static clients are using that mask? There is ZERO reason to use such a large mask.. Such a mask is used for summary routing, or firewall rules, etc. Not on an interface for a local network with a few hosts in it..
You sure your static setup boxes are pointing to the correct gateway and not something different than pfsense?
-
We're having quite many clients in our network. So there are possibly more than 255 clients. So we just decied to use a 255.255.0.0 subnet. All our static clients use that mask. They also have the correct gateway.
So the issue started when I changed the DHCP range from 192.168.0.1 - 192.168.255.254 to 192.168.2.2 - 192.168.255.254.
-
Much like johnpoz's sentiments, Why a /16? There is no reason to use a /16 on a LAN… do you really have 60,000+ hosts? I'd bet both my house and yours that you don't even come close to having 1/4th of that many hosts... and even if you did, you wouldn't put them all on the same broadcast domain. If you have more than 254 hosts then either go to a /23 or start subnetting your traffic. However, a /16 will still work as long as everything is configured correctly, so a bad design is not your main issue.
Any clues why I can not route to 192.168.1.10?
There are several things to verify, but we'll start with the basics… at a basic level, if the device on 192.168.1.10 has the correct mask (255.255.0.0) and gateway (PFsense), the packets should be getting to where they need to go. Although, I would encourage you not to assume anything and double check the mask and gateway of everything that's been statically configured. After that, post your server1.conf, so we can look at your config.
Another item that may possibly be contributing to your issue is your tunnel network (defined in your OP as 192.170.0.0/24). Are you aware that 192.170.0.0/24 is a range of public IP's? I would change that for sure. Now since you've used up the entire 192.168.0.0/16 for your LAN, you'll have to change your tunnel network to something in the 10.0.0.0/8 or the 172.16.0.0/12 range. Just for clarity though, do not use either of those networks verbatim as your tunnel network... lol!! Assess how many VPN users you have and then plan accordingly. I.e. if you have less than 254 users then pick a /24 range, if you have more than 254 users but less than 508 then pick a /23 range, etc, etc.
-
Yeah, that's true :P way to big that subnet :/
k here is the server1.conf:
https://gist.github.com/maxammann/be60a4f78863db624361da7719f25858The devices use the correct mask.
-
After reviewing your config, we find that not only is your LAN subnet mask too wide and your tunnel network is on public IP's, but your PFsense is also double NAT'd behind a router (192.168.1.1) that has an address within your LAN subnet. What is the mask of the firewall/router configured with 192.168.1.1? Whatever that mask is, I'm sure that's exactly what you can't connect to over the VPN.
You have a network design problem that needs to be addressed in order to fix your VPN issue. All of your networks need to be unique and cannot overlap. Right now your WAN interface is connected to an upstream router that has an address within your LAN subnet, which means your WAN interface also has an address within your LAN, which is not going to work.
In short, you will need to adjust your design in order to fix your access issues over the VPN. Although, quite honestly, the design needs to be adjusted regardless of your VPN issue. If you want to post a network map as well as how many users you have (or plan to have), we can assist with that.
-
Tunnel network is no 10.8.0.0/24 which should be fine, right?
It should be single NAT'd. I only have one NAT rule configured which translates incoming IPs from the WAN to 192.168.1.1. The static IP of the LAN interface.
The WAN port is connected to a fritz.box. I noticed that it has a way to big subnet aswell: 10.0.0.0/16
So the WAN port get's it's ip from the fritz.box's DHCP.
The LAN interface is configured with as static 192.168.1.1/16 IP?!? Shouldn't this be 192.168.1.1/32?But I don't see any overlapping networks :/
I attached our network (routers are switches in this image).