    Accessing office network from outside

LoZio

      Hi,
      I have my office network connected to the internet via a fiber cable MAN. I have pfSense with my internal network 192.168.0.x and outside interface on MAN class 10.x.y.z. that is NATted to the internet by my provider.
      I also have a public server with pfSense on it (all 1.2). I created an Ovpn server on the public machine, so I can connect to it from everywhere getting a 192.168.199.x address.
      In the office machine I configured an Ovpn client session that connects to the public pfSense. All the tunnels are up and happy.
Is there a way for me, when I'm connected to the public pfSense from a remote place, to be routed to the office LAN 192.168.0.x?
Basically I have to reach my office from the Internet, without intervention from the people in it, using this second public pfSense.
      Hope I'm clear!
      Thanks

GruensFroeschli

        This should be possible with the right pushes.
        Take a look at the man pages on http://openvpn.net and search for the "push" command.

Also you might want to start a second instance of OpenVPN on your public server:
one server with a PKI for your roadwarriors,
one shared key setup for the site-to-site link to your pfSense in your office.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

LoZio

          @GruensFroeschli:

          This should be possible with the right pushes.
          Take a look at the man pages on http://openvpn.net and search for the "push" command.

Also you might want to start a second instance of OpenVPN on your public server:
one server with a PKI for your roadwarriors,
one shared key setup for the site-to-site link to your pfSense in your office.

Well, I pushed routes and also set them on the hosts to be contacted, and also tried to set them as static routes, but even using tcpdump on the tun0 interface I cannot see any traffic flowing… It seems somewhat blackholed somewhere or filtered (but not logged) by pfSense.
In your opinion, which routes must be pushed (I suppose the only "pusher" is the public one)?
          Thanks

GruensFroeschli

            Are you using a shared key setup between your two pf's?

I drew something small:

            client
                | openVPN.client subnet
                /
            pfSense.public
                /\          /
                |          |
                |          | openVPN.link subnet
                |          |
            10.x          /
            pfSense.office
            0.x

            pfSense.public:
            PKI server:
            You need to push to the clients the routes for the "openVPN link subnet" and the 0.x subnet.
            SKI server:
            You need a normal route (not push) for the 0.x subnet

            pfSense.office:
            SKI client:
            you need a normal route (not push) for the "openVPN.client subnet"


LoZio
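The separated layout from the diagram above, written out as three OpenVPN 2.x config fragments. This is an added illustration, not configuration from the thread or from pfSense; the link subnet 10.8.1.0/30, the ports 1194/1195, the key and certificate file names and the hostname pfpublic.example.net are assumed placeholders, while 192.168.199.0/24 and 192.168.0.0/24 are the subnets named in the thread.

```conf
# --- pfSense.public, instance 1: PKI server for roadwarriors ---
# Listens on UDP 1194 (assumed); hands out 192.168.199.x as in the first post.
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.199.0 255.255.255.0
# Pushed to every roadwarrior: the link subnet and the office LAN both
# become reachable through this server (10.8.1.0/30 is an assumed value).
push "route 10.8.1.0 255.255.255.252"
push "route 192.168.0.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun

# --- pfSense.public, instance 2: shared-key server for the office link ---
# Separate process and port (1195 assumed), so site-to-site routing never
# depends on client-specific PKI directives such as iroute.
dev tun
proto udp
port 1195
ifconfig 10.8.1.1 10.8.1.2
secret office-link.key
# Normal kernel route, not a push: the office LAN lives behind the far end.
route 192.168.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun

# --- pfSense.office: shared-key client (outbound only, so provider NAT is fine) ---
dev tun
proto udp
remote pfpublic.example.net 1195
ifconfig 10.8.1.2 10.8.1.1
secret office-link.key
# Return path for roadwarrior traffic: send 192.168.199.0/24 back up the link.
route 192.168.199.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
```

pfSense still applies its firewall to traffic arriving on both tunnels, so each box also needs a rule permitting 192.168.199.0/24 to 192.168.0.0/24 (and the replies); a rule set without logging drops such traffic silently, which looks exactly like the "blackholed" symptom described earlier in the thread.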

              @GruensFroeschli:

              Are you using a shared key setup between your two pf's?

              This is the scheme of the solution.

              The pfOffice is a PKI client of the pfPublic. Roadwarrior (RW) also is a PKI client. They have addresses that can ping directly, that is RW can ping pfOffice using 192.168.133.14.
              On the RW I put a static route for 192.168.0.x via its ovpn gateway, that is 192.168.133.9.
              If I ssh into pfPublic and do tcpdump on tun0, I can see packets coming in from RW destined to SERVER, so the route is in place and working.
              Staying on pfOffice and tcpdumping on tun0, I see NO packets coming in for SERVER (I can't see any packets for lan hosts). SERVER has pfOffice as def gateway, so no need for routes on it.
I put routes for 192.168.0.x on pfPublic, setting the gateway to 192.168.133.1, 192.168.133.2, 192.168.133.13 and 192.168.133.14, and always had the same results: I see no packets on the tun0 interface in the office. At the same time, if I ping the pfOffice ovpn address from RW, I can sniff the packets and RW also gets responses.
It seems pfRemote has no clue about routing packets to the office, or it filters them somehow.
              This is really a need for me, since I lost the opportunity to connect to my office with this fiber/natted connection.
              Thanks for your patience

(attached image: scheme.jpg)

GruensFroeschli

                If you have a single PKI server you need client specific commands.
                Search the man-pages for the "iroute" command.

But as I said before:
don't do it this way.
                Separate your site-to-site and your roadwarriors.
                The way you are doing it now is bad practice.

                Different instances of servers for different tasks.


LoZio

                  @GruensFroeschli:

                  If you have a single PKI server you need client specific commands.
                  Search the man-pages for the "iroute" command.

But as I said before:
don't do it this way.
Separate your site-to-site and your roadwarriors.
The way you are doing it now is bad practice.

                  Different instances of servers for different tasks.

                  Hi Gruens and thanks for your support.
                  I did like you told me and now I'm happily connected to my office.
If you think this can be useful, I'm going to write a step-by-step procedure with a graphical scheme of this setup, which could be very useful for people needing to access NATted locations.
                  Thanks again to all the pfSense team!

LoZio

                    Well, I actually wrote the howto  ;)
                    http://www.gorlani.com/docs/nattedoffice/pfSenseRW.htm
                    Hope it will help someone
                    Bye

GruensFroeschli

                      Very cool  ;D

                      You could send it in to be linked :)

                      @http://blog.pfsense.org/?p=183:

                      First a user from the forum who has replaced his Cisco PIX firewall with pfSense. This is far from the first person who has replaced a PIX with pfSense, we know of numerous others ranging from the small office PIX 501 to the enterprise class PIX 535. In most networks, pfSense can do everything the PIX can, and at a significantly lower cost even with commercial support.

                      Another person with a blog entry with a nice multi-WAN howto.

                      Write up something about pfSense on your site you would like to share? mailto:coreteam@pfsense.org a link to us, we’d be glad to link it here.
