Routing problem with roadwarriors to alternative WAN interface (solved)
-
First: thanks a lot for helping me.
On my pfsense I have several of my customer networks mapped as static routes (as I said, this works fine
from my LAN). These networks are, for example: 160.70.0.0/16
I tried to push these to my OVPN roadwarriors like this:
push "route 160.70.0.0 255.255.0.0"
Relevant "netstat -r" entry on a roadwarrior:
160.70.0.0 255.255.0.0 192.168.13.5 192.168.13.6 1
My firewall allows traffic from 192.168.13.0 (the dynamic OVPN network) to my customer WAN interface.
Thanks in advance.
-
Does your other side also know that the openVPN subnet is reachable through the pfSense?
-
Damn good point… I always expected that, but you are right, I will have to double-check this.
Thanks for the hint.
-
Alternatively you could enable advanced outbound NAT and NAT your OpenVPN subnet.
Of course you lose the ability to find out "who" is accessing something, but if you cannot get it to work otherwise it would be a solution.
-
ok thx.
Just so I get this right:
AON means that I NAT my 192.168.13.x to the WAN2 IP address of my pfsense pointing to my customer?
Is that correct?
Also, if I enable AON, do I have to do this for all internal networks and tunnels I have? Correct?
Thanks again for your time.
-
The AoN rules are a bit like the firewall rules.
You specify criteria (source, destination) and if they are matched the traffic will be NATed to the interface/VIP you configured.
So you basically would need a rule for each interface you have:

Interface: WAN
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN-address

Interface: WAN2
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN2-address

Interface: WAN3
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN3-address
-
OK, I have recently spoken with the customer service, and the router to our customer
accepts only one IP address from our side (so everything seems to be NATed by default
from pfsense, if I see this right).
The OVPN network for roadwarriors and our tunnel still can't connect, so I assume
that this is not done automatically by pfsense in this case (no NAT rules active).
Can someone please explain why it is like this? Shouldn't the OVPN networks be
seen like a "normal" LAN so that NAT works by default and the static routes too?
Another question: can I use AON only for these two networks, or do I have
to disable the automatic NAT completely for this?
Many thanks again.
-
pfSense doesn't NAT the OpenVPN subnet by default.
http://forum.pfsense.org/index.php/topic,7001.0.html the red part.
Because the tun interface currently doesn't show up as an "interface".
The same reason why you cannot create firewall rules for the OpenVPN subnet.
No, you cannot enable AoN only for one subnet.
But what you can do is create an AoN rule that doesn't care about the source/destination/etc., i.e.:

Interface: WAN
Source: any
Destination: any
NAT-IP: WAN-address

Interface: WAN2
Source: any
Destination: any
NAT-IP: WAN2-address

Interface: WAN3
Source: any
Destination: any
NAT-IP: WAN3-address

Like this you NAT any traffic from anywhere if it leaves via one of the interfaces specified in the rule(s).
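For reference, the pf NAT rules that correspond to those three catch-all AoN entries, written out as an added example that is not from this thread or from pfSense's generated ruleset; the interface names (em0/em1/em2) and the LAN subnet are assumed, the tunnel subnet and customer network are the ones from the thread:

```pf
# Assumed interface names and LAN subnet (not from the thread).
wan_if   = "em0"
wan2_if  = "em1"   # link to the customer router, which accepts only one source IP
wan3_if  = "em2"
lan_net  = "10.0.0.0/24"
# From the thread: OpenVPN roadwarrior subnet and one customer network.
ovpn_net = "192.168.13.0/24"
cust_net = "160.70.0.0/16"

# Narrow form: translate only tunnel clients heading for the customer network.
# Return traffic is then addressed to the WAN2 address, so the customer router
# needs no route back to 192.168.13.0/24. On its own this is not enough in
# pfSense, because enabling AoN stops the automatic LAN rules from being
# generated, which is why the post above uses catch-all rules instead.
# nat on $wan2_if from $ovpn_net to $cust_net -> ($wan2_if)

# Catch-all form, one rule per WAN-side interface, matching the AoN entries
# above. "(if)" in parentheses tracks the interface address if it changes.
nat on $wan_if  from any to any -> ($wan_if)
nat on $wan2_if from any to any -> ($wan2_if)
nat on $wan3_if from any to any -> ($wan3_if)

# Traffic between LAN and the tunnel never leaves through a WAN interface,
# so it is not translated: per-client source addresses stay visible in
# the firewall log there, and are only lost on the customer side.
```

The firewall rules on the OpenVPN subnet still decide which tunnel clients may reach the customer network; NAT only changes the source address the customer router sees.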
-
Thanks a lot for clarifying, I will try AON rules as suggested then.
-
AON works as expected, thanks again for your help.