Need help with routings/rules? (pfsense as openvpn client)
-
hi all,
I'm trying to set up my pfsense to connect as an openvpn client to our company's openvpn server. The connect itself, including pki authorization, works. The openvpn logs in the web-gui look fine, and when ssh-ing into the pfsense, I can ping/ssh/reach company network hosts.
I can, however, not reach anything in the remote subnet from my local network clients; I can only access it directly from the pfsense machine. Now, I'm a bit confused about how the routing and firewall rules should look in order to enable any client in my local network to access the remote network.
the configuration is like this:
local network (10.0.0.0) --- pfsense (router/openvpn client, 10.0.0.1) --- local vpn endpoint (10.0.1.210) --- WAN --- remote endpoint (10.0.1.209) --- remote network (192.168.0.0)
the routing table on my pfsense is:
Internet:
Destination        Gateway                         Flags    Refs      Use    Mtu    Netif Expire
default            lo1.br56.fra.de.hansenet.net    UGS         0     7447   1492      ng0
10.0.0.0           link#2                          UC          0        0   1500      vr1
10.0.0.40          00:1a:4d:4a:36:cb               UHLW        1    92503   1500      vr1   1158
10.0.1.209         10.0.1.210                      UH         26        0   1500     tun0
192.168.0.0        10.0.1.209                      UGS         0        0   1500     tun0
... etc
where 10.0.0.40 is my pc.
Now, when I do ssh user@192.168.0.X from the shell on pfsense, I can connect. I can't when doing this from my local pc/clients. I can ping the address 10.0.1.210 (my local vpn endpoint) from my pc. I can't, however, ping the remote endpoint (I can do this from the pfsense shell). I can't traceroute 10.0.1.210 either:
Host:~ s710$ ping 10.0.1.210
PING 10.0.1.210 (10.0.1.210): 56 data bytes
64 bytes from 10.0.1.210: icmp_seq=0 ttl=64 time=0.430 ms
64 bytes from 10.0.1.210: icmp_seq=1 ttl=64 time=0.205 ms
^C
--- 10.0.1.210 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.205/0.318/0.430/0.112 ms
Host:~ s710$ traceroute 10.0.1.210
traceroute to 10.0.1.210 (10.0.1.210), 64 hops max, 40 byte packets
 1  * * *
I tried googling quite a bit, and so far I tried assigning a new interface (tun0 -> 'VPN', enabled, ip address 'none') and adding a rule to permit traffic (had no effect). I also disabled any auto-added openvpn firewall rules (although I could not find any auto-created rules?), but that didn't help.
so can someone guide me to the correct configuration?
-
The route TO the company works.
The problem is: the router at your company does not know where to send the response.
Two ways to solve:
1: Add a route on your company's OpenVPN router.
2: NAT into the OpenVPN tunnel.
Usually I would suggest 1. But I don't think this is feasible in your case.
I'm not sure if 2. works.
It "should"… (I never tried).
Did you follow the steps to be able to firewall the OpenVPN interface?
If yes: enable AoN (firewall --> NAT --> outbound --> "manual NAT rule generation")
And create a rule for your local subnet with the OpenVPN interface as the NAT interface.
-
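The two fixes in the reply above come down to what the company router sees as the source address of a packet arriving through the tunnel. The following is an added example, not code from the thread or from pfSense: it models the company router's routing table with a longest-prefix lookup and shows why a reply addressed to 10.0.0.40 leaves via the default route (and is lost), while adding a return route (fix 1) or rewriting the source to the pfSense tunnel address 10.0.1.210 (fix 2, the outbound NAT rule) sends it back down the tunnel. The /24 masks, the interface names and the ISP next hop 198.51.100.1 are assumptions; the addresses themselves are the ones given in the thread.

```python
import ipaddress

# Constructed model of the company OpenVPN router's routing table.
# Addresses come from the thread: 192.168.0.0/24 is the company LAN,
# 10.0.1.0/24 the tunnel transfer network (10.0.1.209 company side,
# 10.0.1.210 pfSense side), 10.0.0.0/24 the home LAN behind pfSense.
# Masks, interface names and the ISP next hop are assumed for the example.
COMPANY_ROUTES = [
    ("192.168.0.0/24", None, "eth1"),       # directly connected LAN
    ("10.0.1.0/24", None, "tun0"),          # tunnel transfer network
    ("0.0.0.0/0", "198.51.100.1", "eth0"),  # default route via the ISP
]

HOME_LAN = "10.0.0.0/24"
PFSENSE_TUNNEL_IP = "10.0.1.210"


def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return None if best is None else (best[1], best[2])


def reply_interface(routes, src_seen_by_company):
    """Interface the company router uses to send its reply back."""
    hit = lookup(routes, src_seen_by_company)
    return None if hit is None else hit[1]


def with_return_route(routes):
    """Fix 1: the company router learns how to reach the home LAN."""
    return routes + [(HOME_LAN, PFSENSE_TUNNEL_IP, "tun0")]


def nat_source(pkt_src, lan=HOME_LAN, tunnel_ip=PFSENSE_TUNNEL_IP):
    """Fix 2: outbound NAT on pfSense rewrites LAN sources to the tunnel IP."""
    if ipaddress.ip_address(pkt_src) in ipaddress.ip_network(lan):
        return tunnel_ip
    return pkt_src


if __name__ == "__main__":
    pc = "10.0.0.40"
    print("no fix:       reply to", pc, "leaves via", reply_interface(COMPANY_ROUTES, pc))
    print("return route: reply to", pc, "leaves via",
          reply_interface(with_return_route(COMPANY_ROUTES), pc))
    natted = nat_source(pc)
    print("outbound NAT: company sees", natted, "-> reply via",
          reply_interface(COMPANY_ROUTES, natted))
```

Run as a script it prints the three cases; the reply to the un-NATted PC address goes out eth0 (the ISP), which matches the symptom in the thread that the pfSense box itself (sourcing from 10.0.1.210) can reach the company network while LAN clients cannot.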
I've done #2 successfully (not with pfsense, but a linux gateway; same principle though.)
-
The route TO the company works.
The problem is: the router at your company does not know where to send the response.
Are you sure about this? Just to clarify:
On my pc (ip 10.0.0.40),
ssh user@192.168.0.x
won't do anything.
When ssh'ing from 10.0.0.40 to my pfsense box (ip 10.0.0.1), issuing
ssh user@192.168.0.x
from there will successfully establish an ssh session between the pfsense box & a company network host.
Just today I tried the other way round, by leaving the openvpn running and connecting to my pfsense box from work. Executing
ssh root@10.0.1.210
on my linux box at work successfully connected to my pfsense box at home.
This leaves me thinking that something between the local clients & the pfsense box is wrong, be it firewall or routing. I haven't tried to actually connect to any pc behind the pfsense though; I might try tomorrow.
I just tried the manual nat as well, but it didn't change anything :(
-
Are you sure about this?
Yes i am sure.
Your setup is the classic stumbling block if you're not really familiar with routing.
I just tried the manual nat as well, but it didn't change anything :(
Please describe in a little more detail what you did.
Can you show a screenshot of your AoN rules?
-
Are you sure about this?
Yes i am sure.
Your setup is the classic stumbling block if you're not really familiar with routing.
I just tried the manual nat as well, but it didn't change anything :(
Please describe in a little more detail what you did.
Can you show a screenshot of your AoN rules?
Hi there, I just got it to work :) The NAT rule I added yesterday had the subnets configured. I just tried adding a new NAT rule for the vpn interface and any subnet, and now everything works :)
thanks for your support :)