2 Firewalls CARP'd + OpenVPN can access all LAN IPs except 2nd FW
-
I've successfully loaded pfSense w/CARP onto (2) compact flash firewall boxes. I set up OpenVPN on box 1 and can connect with the client in routing mode; however, I cannot access the second firewall via the VPN. I can access the second firewall from a LAN host, so I am at a loss as to why the VPN client cannot, especially when I can access all other hosts. All firewall rules are confirmed the same, as they are CARP'd.
Any assistance is appreciated.
-
So to confirm:
LAN pfSense box IP address example: 192.168.0.1
LAN pfSense box IP address example: 192.168.0.2
LAN pfSense VIRTUAL IP address example: 192.168.0.3
Use your IP address range; which IP address can you connect to through the VPN?
Try all three and let me know what you can connect to. I am thinking that you need to connect via 192.168.0.2 to get to the second pfSense box.
-
I experience exactly the same problem.
And yes, I am trying to reach the physical LAN address of the second firewall.
Thanks for any help,
Ariel
-
I was about to post a thread about this but searched first. Has anyone figured out a solution to this?
-
Well I figured out the problem, but I can't come up with a way to fix it (for me) yet. Let's say your client network (the client to the CARPed firewalls) is 10.20.30.0/24. The server network is 10.40.50.0/24, firewall A is 10.40.50.1 and firewall B is 10.40.50.2.
If the client tries to connect to 10.40.50.1 it works fine of course. If the client tries to connect to 10.40.50.2 it goes out on the LAN from 10.40.50.1 correctly, the problem here is actually the reply from 10.40.50.2, because it has no route to 10.20.30.0/24. You can solve this by adding a static route on firewall B (10.40.50.2) on the LAN for 10.20.30.0/24 with the gateway set to 10.40.50.1. This only works if firewall A is the VPN server and firewall B is not (if firewall A is down, there is no VPN connection).
In my situation, I have the OpenVPN server configuration duplicated on both firewalls, and I have it listening on the CARP WAN IP. The client connects to the CARP IP so that if one firewall goes down, it will reconnect to the other one automatically as soon as it picks up the CARP IP. That part of it works fine, but I can never connect to the server I'm not connected to.
I can't add a static route because both have routes for 10.20.30.0/24 already, even if the tunnel is not up, and as far as I can tell there's no way I can change this behavior or otherwise allow for automatically changing the route.
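The return-path problem described in the post above, modelled as an added example (this is not code from the thread): a minimal longest-prefix-match lookup over the routing tables of firewall A and firewall B, using the post's own example subnets. The interface names (lan0, wan0, tun0), the WAN gateway 203.0.113.1 and the client address 10.20.30.7 are assumptions for illustration. It shows both cases from the post: B with no OpenVPN server, where the static route via A fixes the reply path, and B with its own duplicated OpenVPN server, where the existing tunnel route ties with the static route on prefix length.

```python
"""Model of the asymmetric-routing problem described in the thread.

Added example; not code from the original posts. Subnets are the thread's
own examples (10.20.30.0/24 = VPN client side, 10.40.50.0/24 = server LAN,
A = 10.40.50.1, B = 10.40.50.2). Interface names (lan0, wan0, tun0), the
WAN gateway 203.0.113.1 and client 10.20.30.7 are assumptions only.
"""
from ipaddress import ip_address, ip_network

# Route entries: (prefix, next_hop or None if directly connected, interface)


def candidate_routes(routes, dst):
    """All routes tied for the longest prefix that covers dst.

    An empty list means no route at all (the reply is dropped); more than
    one entry means two routes of equal length compete, which is the
    thread's second scenario: prefix length alone cannot make the static
    route win over the tunnel route B already carries.
    """
    dst = ip_address(dst)
    matches = [r for r in routes if dst in ip_network(r[0])]
    if not matches:
        return []
    longest = max(ip_network(r[0]).prefixlen for r in matches)
    return [r for r in matches if ip_network(r[0]).prefixlen == longest]


def reply_path(routes, client_ip="10.20.30.7"):
    """Best route this firewall would use for a reply to the VPN client."""
    best = candidate_routes(routes, client_ip)
    return best[0] if best else None


def with_static_route(routes):
    """The fix from the thread: on B, send 10.20.30.0/24 to A over the LAN."""
    return routes + [("10.20.30.0/24", "10.40.50.1", "lan0")]


# Firewall A runs the OpenVPN server, so the client subnet is reachable via tun0.
FW_A = [
    ("0.0.0.0/0", "203.0.113.1", "wan0"),   # assumed WAN default gateway
    ("10.40.50.0/24", None, "lan0"),        # directly connected LAN
    ("10.20.30.0/24", None, "tun0"),        # added by OpenVPN for the client side
]

# Firewall B (no OpenVPN server): the client subnet only matches the default route,
# so its reply leaves via the WAN gateway instead of going back through A.
FW_B = [
    ("0.0.0.0/0", "203.0.113.1", "wan0"),
    ("10.40.50.0/24", None, "lan0"),
]

# Firewall B with a duplicated OpenVPN server (the poster's setup): the tun0
# route is present even while no client is connected to B, so B's reply is
# sent into its own idle tunnel rather than across the LAN to A.
FW_B_DUAL = FW_B + [("10.20.30.0/24", None, "tun0")]


if __name__ == "__main__":
    client = "10.20.30.7"
    print("A replies via      ", reply_path(FW_A, client))
    print("B replies via      ", reply_path(FW_B, client), "<- WAN default route")
    print("B + static route   ", reply_path(with_static_route(FW_B), client))
    print("B dual server      ", reply_path(FW_B_DUAL, client), "<- B's own idle tunnel")
    print("B dual + static    ", candidate_routes(with_static_route(FW_B_DUAL), client),
          "<- two /24 routes tie; prefix length cannot choose")
```

Running the script prints the route each firewall picks for a reply to the client: A answers through its tunnel, plain B answers out its WAN default route (which is why the VPN client never gets the reply), B with the thread's static route answers via 10.40.50.1 on the LAN, and B with its own OpenVPN server already holds a /24 tunnel route that ties with the static route, matching the last poster's observation that the route cannot simply be overridden.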