    Access Opt1 network from different subnets

    General pfSense Questions

      wallabybob

      You probably need a static route on each of pfsense 1, pfSense 3 and Netgear so they know how to access the IP phone subnet.

      pfSense 2 doesn't need a static route to access the IP phone subnet because it has an interface in that subnet.

        reynolwi

        OK, I can set up a static route on each of the other boxes, but what am I telling it as the interface? I'm a total newbie at pfsense so I'm learning as I go.  Since all the networks are connected via VPN IPSec tunnels, am I telling the static route to use interface LAN and then the remote subnet is 10.25.22.0/24 and its gateway is 10.25.19.254 since that is pfsense2?

        I'm trying to get this all figured out because next I have to figure out how to get the voip phones to connect to the voip pbx which sits on the 10.25.18.0 subnet and the phones at the pfsense2 site will be on the 10.25.22.0 subnet on the optional interface.

        I've always used like netgear vpn routers and such so getting this all set back up is a definite learning experience.

        Wm. Reynolds

        Premise Communications
          Texas Public Safety Solutions

        http://www.rrwds.com
        http://www.txpubsafety.com


        Network Error:
        Hit any user to continue

          wallabybob

          You haven't provided topology so it's difficult to say exactly what you should specify.

          From the Web GUI System -> Static routes select the appropriate interface from the pull down list, then specify the remote subnet and mask (10.25.22.0/24) and then the pfSense IP address of the interface on the same subnetwork as the pfSense boxes and netgear router. (I'm guessing your pfsense systems all have interfaces on the same subnetwork so they can communicate with each other.)

            reynolwi

            Ok our topology is as shown below.

            pfsense 1 (cable modem – pfsense1 -- switch)

            suddenlink isp (dyn ip)
                              |
                              |
                         pfsense1 (lan interface 10.25.18.254)
                      10.25.18.0/24
                      255.255.255.0
                           /  
                          /    
                         /       ___ Access point 10.25.18.253
                        |
                       switch
                         |
                         |____ exchange server, asterisk voip pbx, domain controller
                                  5 voip phones, 6 workstations


            pfsense 2 (cable modem -- pfsense2 -- switch)

            suddenlink isp (dyn ip)
                              |
                              |
                         pfsense2 (lan 10.25.19.254 / phone 10.25.22.254)
                            /  
                           /    
                          /      10.25.22.0/24 (dhcp enabled on pfsense for this interface only)
                         /       255.255.255.0
                        |                      
                        |                       
                10.25.19.0/24             7 voip phones (dhcp from pfsense box)
                255.255.255.0
                       /  
                      /    
                     /       ___ Access point 10.25.19.253
                    |
                  switch
                      |
                      |____ domain controller, 8 workstations


            pfsense3 (cable modem -- pfsense1 -- switch)

            suddenlink isp (dyn ip)
                              |
                              |
                         pfsense3 (lan interface 10.25.21.254)
                      10.25.21.0/24
                      255.255.255.0
                           /  
                          /    
                         /       ___ Access point 10.25.21.253
                        |
                       switch
                         |
                         |____ domain controller, 3 workstations, 2 voip phones


            netgear firewall/vpn (dsl modem -- netgear -- switch)

            at&t isp (dhcp ip)
                              |
                              |
                         netgear vpn/firewall (lan ip 10.25.20.254)
                      10.25.20.0/24
                      255.255.255.0
                             |
                             |____ domain controller, 3 workstations


            I think I laid it out enough where you can follow it.  I really only have to be able to access the phone subnet on pfsense2 on the pfsense boxes because I will be replacing that netgear router here shortly.  I attached a screenshot of the static route config for pfsense1 hoping I have it set up right.

            pfsense1.jpg

              reynolwi

              I still have yet to be able to get this to work right for some reason.

                Eugene

                Let's narrow down your problem - you want to reach 10.25.22.0/24 from 10.25.18.0/24.
                You said that you have site-to-site vpn tunnels. So question number one: does your ipsec between pfSense1 and pfSense2 consider this traffic as 'interesting'? If not then I think you have to set up separate tunnel to handle this traffic.
                Can you give us your ipsec configs?
                PS: your static route picture is senseless, it's not going to work

                http://ru.doc.pfsense.org

                  reynolwi

                  On pfsense1 (10.25.18.0/24) the IPSec tunnel is as follows

                  Interface: WAN
                  NAT-T: Disabled
                  DPD interval: BLANK
                  Local Subnet: LAN Subnet
                  Remote Subnet: 10.25.19.0/24
                  Remote Gateway: xxx.xxx.com
                  –------
                  Negotiation mode: main
                  My Identifier:  My IP Address
                  Encryption Algorithm:  3DES
                  Hash Algorithm: SHA1
                  DH Key Group: 2 (1024 bit)
                  Lifetime: BLANK
                  Authentication Method: Preshared Key
                  Pre-Shared Key: xxxxxxxxxx
                  Certificate: BLANK
                  Key: BLANK
                  Peer Certificate: BLANK

                  Protocol: ESP
                  Encryption Algorithms: 3DES, Blowfish, CAST128, Rijndael (AES), Rijndael 256
                  Hash Algorithms: SHA1, MD5
                  PFS Key Group: OFF
                  Lifetime: BLANK
                  Keep Alive: 10.25.19.254

                  pfsense2 is set up the same way, just with the correct subnet and gateway information changed.  I did try to create a VPN tunnel just a few minutes ago from pfsense1 to pfsense2 using the opt interface information on pfsense2. It connected but did not allow any traffic thru because I could not ping 10.25.22.254 or the switch 10.25.22.253

                    Eugene

                    Good. You do  need this second tunnel.
                    Did you allow ICMP to 192.10.25.22.0/24 in rules at LAN on pfSense1 and at IPSEC interface on pfSense2?
                    If yes then you should be able to ping at least 192.10.25.22.x pfSense2 interface.

                      reynolwi

                      I have the rules on the IPSec tunnels to allow anything to come in and out from the tunnels. I attached my IPSEC firewall page so you can look at it.  I've already tried to create an IPSec tunnel to the second network on pfsense2 but it wasn't allowing any traffic.

                      The IPSec Rules are identical on every pfsense box I set up. I also attached the WAN Firewall rules for the pfsense1 box, and the LAN rules are set basically like the IPSec rules with the source as LAN Subnet and allow all.

                      WANRules-10_25_18_0.JPG
                      ipsec-10_25_18_0.JPG

                        Eugene

                        As you are trying to reach 10.25.22.0/24 from 10.25.18.0/24 it would be interesting to look at rules you have at the interface connected to 10.25.18.0/24 network (LAN I suspect). pfSense applies rules when a packet enters pfSense, not when it leaves.

                          reynolwi

                          Here is the LAN Rules for pfsense1 - 10.25.18.0

                          LANRules-10_25_18_0.JPG

                            reynolwi

                            Here are the LAN Rules for both pfsense2 subnets - 10.25.19.0 & 10.25.22.0

                            LANRules-10_25_19_0.JPG
                            PhoneSubnet-10_25_22_0.JPG

                              reynolwi

                              and here are the WAN and IPSec rules for pfsense2.

                              WANRules-10_25_19_0.JPG
                              IPSec-pfsense2.JPG

                                Eugene

                                Ok. Please from both pfSenses

                                setkey -D
                                setkey -DP

                                And at pfSense1 run continuous ping to 10.25.22.x (ip address of the pfSense2 interface).
                                At the same time at pfSense2 run

                                tcpdump -i <wan int> -n esp

                                where <wan int> is WAN interface name.

                                  reynolwi

                                  So in the console I need to do this on both pfsenses?

                                    Eugene

                                    console or ssh session. (it's kind of hard to copy-paste) from console…

                                      reynolwi

                                      OK, I ssh into each box; what option do I use to do all this? I will post back in a second

                                        Eugene

                                        Install Putty software http://www.putty.org/
                                        then Enable Secure Shell on both pfSenses System->Advanced
                                        Connect to the box with root and your password and choose 8) shell.
                                        CAREFUL! you can destroy the system, you have full power now.
                                        Now you can execute commands I gave you earlier.
                                        I've never used php console, so I can't tell you how to use it, but I suspect it gives you the same result as the method described above.

                                          reynolwi

                                          this is what came from pfsense2.


                                            Eugene

                                            Ohhh.. I forgot that you have two tunnels… it's impossible to say whether  esp packet belongs to the first tunnel or to the second.
                                            What about setkey commands output?

                                            http://ru.doc.pfsense.org
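
Added example, not part of the thread: how the setkey output requested above settles which tunnel a captured ESP packet belongs to, by joining the SPI tcpdump prints with the SAs from `setkey -D` and the policies from `setkey -DP`. All sample input is constructed (documentation addresses, made-up SPIs), the layout is assumed to follow ipsec-tools setkey output, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample data: documentation addresses and made-up SPIs.
# Layout assumed to follow ipsec-tools `setkey -D`, `setkey -DP` and tcpdump.
SETKEY_D = """\
192.0.2.10 198.51.100.20
\tesp mode=tunnel spi=167772161(0x0a000001) reqid=16385(0x00004001)
198.51.100.20 192.0.2.10
\tesp mode=tunnel spi=167772162(0x0a000002) reqid=16385(0x00004001)
192.0.2.10 198.51.100.20
\tesp mode=tunnel spi=167772163(0x0a000003) reqid=16386(0x00004002)
198.51.100.20 192.0.2.10
\tesp mode=tunnel spi=167772164(0x0a000004) reqid=16386(0x00004002)
"""

SETKEY_DP = """\
10.25.18.0/24[any] 10.25.19.0/24[any] any
\tout ipsec
\tesp/tunnel/192.0.2.10-198.51.100.20/unique#16385
10.25.19.0/24[any] 10.25.18.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.20-192.0.2.10/unique#16385
10.25.18.0/24[any] 10.25.22.0/24[any] any
\tout ipsec
\tesp/tunnel/192.0.2.10-198.51.100.20/unique#16386
10.25.22.0/24[any] 10.25.18.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.20-192.0.2.10/unique#16386
"""

CAPTURE = """\
13:00:00.000001 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a000001,seq=0x1), length 76
13:00:00.000002 IP 198.51.100.20 > 192.0.2.10: ESP(spi=0x0a000002,seq=0x1), length 1480
13:00:00.000003 IP 198.51.100.20 > 192.0.2.10: esp
13:00:00.000004 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a000001,seq=0x2), length 76
13:00:00.000005 IP 198.51.100.20 > 192.0.2.10: ESP(spi=0x0a000002,seq=0x2), length 92
13:00:00.000006 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a000003,seq=0x1), length 116
13:00:00.000007 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a000003,seq=0x2), length 116
13:00:00.000008 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a000001,seq=0x3), length 76
13:00:00.000009 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0bad0001,seq=0x9), length 76
"""

SA_ESP = re.compile(r"^\s+esp mode=\S+ spi=\d+\(0x([0-9a-f]+)\) reqid=(\d+)")
POL_SEL = re.compile(r"^(\S+?)\[\S+\] (\S+?)\[\S+\] \S+")
POL_ESP = re.compile(r"^\s+esp/tunnel/([^-\s]+)-([^/\s]+)/unique[:#](\d+)")
ESP_PKT = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),")


def parse_sad(text):
    """Return {spi: (src, dst, reqid)} from `setkey -D` style text."""
    sad, ends = {}, None
    for line in text.splitlines():
        m = SA_ESP.match(line)
        if m and ends:
            sad[int(m.group(1), 16)] = (*ends, int(m.group(2)))
        elif not line[:1].isspace() and len(line.split()) == 2:
            ends = tuple(line.split())  # unindented "src dst" header of an SA
    return sad


def parse_spd(text):
    """Return {(tunnel_src, tunnel_dst, reqid): "src_net -> dst_net"}."""
    spd, selector = {}, None
    for line in text.splitlines():
        m = POL_SEL.match(line)
        if m:
            selector = f"{m.group(1)} -> {m.group(2)}"
            continue
        m = POL_ESP.match(line)
        if m and selector:
            spd[(m.group(1), m.group(2), int(m.group(3)))] = selector
    return spd


def attribute(capture, sad, spd):
    """Count captured ESP packets per phase 2 selector (one per tunnel direction)."""
    counts = Counter()
    for line in capture.splitlines():
        m = ESP_PKT.search(line)
        if not m:
            # Non-first IP fragments carry no ESP header, so no SPI is printed.
            if line.rstrip().endswith(": esp"):
                counts["fragment (no SPI visible)"] += 1
            continue
        sa = sad.get(int(m.group(3), 16))
        if sa is None or sa[:2] != (m.group(1), m.group(2)):
            counts[f"unknown SPI 0x{m.group(3)}"] += 1  # e.g. a stale or foreign SA
        else:
            counts[spd.get(sa, "SA without matching policy")] += 1
    return counts


if __name__ == "__main__":
    result = attribute(CAPTURE, parse_sad(SETKEY_D), parse_spd(SETKEY_DP))
    for selector, n in sorted(result.items()):
        print(f"{n:3d}  {selector}")
```

In the constructed capture, packets are counted toward 10.25.22.0/24 and none in the reverse direction, which is the pattern that separates "requests leave through the second tunnel but nothing comes back" from "traffic never enters the tunnel".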
