Can't connect to client network?
-
I didn't disable automatic rule-generation, at least not explicitly. How can I check that?
Edit: Found the option in System --> Advanced, it's not disabled.
From what I understand, I should add these options:
FW1 as client
route 192.168.2.1 255.255.255.255;
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.1;
FW2 as client
route 192.168.3.1 255.255.255.255;
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.1;
FW3 as server
route 192.168.1.1 255.255.255.255;
route 192.168.2.1 255.255.255.255;
Is this correct?
After those changes:
Ping LAN1 --> LAN2: works
Ping LAN2 --> LAN1: doesn't work
Ping LAN2 --> LAN3: works
Ping LAN3 --> LAN2: doesn't work (that's new)
Ping LAN1 --> LAN3: doesn't work
Ping LAN3 --> LAN1: Works!!! (that's new)
Edit: "Ping LAN3 --> LAN2" works again, without modifications ???
-
Ugh. It's getting hard to do this all in my head ^^"
Sorry I messed up your routing table :D I just noticed I wrote an error before.
You need to redirect everything 0.0.0.0/1 and 128.0.0.0/1
/1 is 127.0.0.0 and not 127.0.0.1 >_<
The /32 (255.255.255.255) routes are not really needed.
They just are there to ensure you really send traffic to the other side of the tunnel even if you have a router in between.
They don't hurt but for this setup I think you can safely leave them out.
Are you sure that 1 and 2 are client and only 3 is the server?
Don't you mean
Link1-2: 1 is client, 2 is server
Link2-3: 2 is client, 3 is server
?
I'll try to write up a list of how your custom routes should look:
Your link-pool is according to http://forum.pfsense.org/index.php/topic,23854.msg122952.html#msg122952
S1-client:
route 0.0.0.0 127.0.0.0;
route 128.0.0.0 127.0.0.0;
dev tun12;
S2-server:
route 192.168.1.0 255.255.255.0;
dev tun21;
S2-client:
route 0.0.0.0 127.0.0.0;
route 128.0.0.0 127.0.0.0;
dev tun23;
S3-server:
route 192.168.2.0 255.255.255.0;
route 192.168.3.0 255.255.255.0;
dev tun32;
If you deactivated automatic rule generation you need to assign the new tun interfaces (firewall --> assign).
After assigning them you need to activate it on its config page.
Put as IP "none" and leave the gateway field empty.
Then create firewall rules on the new interface.
-
Thanks for being patient!
Are you sure that 1 and 2 are client and only 3 is the server?
I meant I only set up the client parameters for fw2, as the route to LAN1 should be set up using the remote network parameter.
This is correct:
Don't you mean Link1-2: 1 is client, 2 is server Link2-3: 2 is client, 3 is server?
I'll try to write up a list of how your custom routes should look:
Fixed the configuration as suggested.
If you deactivated automatic rule generation you need to assign the new tun interfaces (firewall --> assign).
I haven't disabled the automatic rule generation, should I?
These are the routes now:
This doesn't work:
Ping LAN1 --> LAN3
Ping LAN2 --> LAN1
-
Well if you don't, you don't have the option to create firewall rules for the OpenVPN interface.
So yes I would activate that, but later.
For now we need to get routing up and running correctly.
How exactly are you testing if your tunnels are up?
Did you connect clients in the LAN subnet?
Or are you pinging from the pfSenses directly?
-
I have as client:
LAN1: Linux VM
LAN2: Windows VM
LAN3: Linux VM
Tested from LAN clients and also from FW in each site
-
Sorry I only just saw your screenshots.
I wrote an error again.
I saw in your first screenshots that you had as subnet for the overwriting subnet /80000001
This was wrong. I didn't realize that it was because of 127.0.0.1.
Now with 128.0.0.0 it's 7f000000 which is just as bad…
It should just be /1 (or 80000000). So in the end it really has to be 127.0.0.0
Sorry.
-
That would be something like this?
S1-client:
route 0.0.0.0 127.0.0.0;
route 127.0.0.0 127.0.0.0;
dev tun12;
S2-server:
route 192.168.1.0 255.255.255.0;
dev tun21;
S2-client:
route 0.0.0.0 127.0.0.0;
route 127.0.0.0 127.0.0.0;
dev tun23;
S3-server:
route 192.168.1.0 255.255.255.0;
route 192.168.2.0 255.255.255.0;
dev tun32;
-
More like this:
S1-client:
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.0;
dev tun12;
S2-server:
route 192.168.1.0 255.255.255.0;
dev tun21;
S2-client:
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.0;
dev tun23;
S3-server:
route 192.168.1.0 255.255.255.0;
route 192.168.2.0 255.255.255.0;
dev tun32;
-
Wasn't that already tested?
Ref: http://forum.pfsense.org/index.php/topic,23854.msg122983.html#msg122983
-
Not according to the screenshot of the routes you posted in the link.
You have as subnet /7F000000 which is wrong. It should be /80000000 (displayed as /1)
-
Double checked, the above configuration gives 0.0.0.0/7F00000
-
For the record, got working the 3-site routed VPN with this changed topology:
Site1 <-> Site2 <-> Site3 <-> Site1
The missing bit was to add routes for the Site2 FW before redirecting the default gw on the other two sites.
FW1: LAN1: 192.168.1.0, WAN: 10.10.1.2 --> intersite gw: 10.10.1.1
FW2: LAN2: 192.168.2.0, OPT1: 10.10.2.2 --> intersite gw: 10.10.2.1, WAN: Internet
FW3: LAN3: 192.168.3.0, WAN: 10.10.3.2 --> intersite gw: 10.10.3.1
Site1 as client:
route 10.10.2.0 255.255.255.252 10.10.1.1;
route 10.10.3.0 255.255.255.252 10.10.1.1;
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.0;
dev tun12;
Site1 as server:
route 192.168.3.0 255.255.255.0;
dev tun13;
Site2 as client:
route 192.168.1.0 255.255.255.0;
dev tun21;
Site2 as server:
route 192.168.3.0 255.255.255.0;
dev tun23;
Site3 as server:
route 10.10.1.0 255.255.255.252 10.10.3.1;
route 10.10.2.0 255.255.255.252 10.10.3.1;
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.0;
dev tun32;
Site3 as client:
route 192.168.1.0 255.255.255.0;
dev tun31;
Thanks a lot to GruensFroeschli for the tip about redirecting default gw. Just out of curiosity, the two routes for that trick do the same as "redirect-gateway def1"?
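Added example (Python; it is not code from this thread, from pfSense or from OpenVPN) covering the two points the thread turned on: the netmask confusion (128.0.0.0 vs 127.0.0.0 vs 128.0.0.1, shown in hex the way the pfSense route screen displayed them) and why the /30 routes to the other sites' tunnel endpoints have to exist before the two /1 routes take the default gateway over. It rebuilds Site1's routing table from the final post and does longest-prefix lookups with and without those /30 routes. Assumptions of the example: the inter-site links are /30s (matching the 255.255.255.252 masks above), Site1's normal default route points at 10.10.1.1, and "LAN1"/"WAN" are interface labels chosen here.

```python
import ipaddress
from typing import List, Optional, Tuple


def mask_hex(mask: str) -> str:
    """Dotted-quad mask as 8 hex digits, the way the pfSense route screen showed it."""
    return f"{int(ipaddress.IPv4Address(mask)):08X}"


def prefix_len(mask: str) -> Optional[int]:
    """Prefix length of a contiguous netmask, or None if the mask has a hole in it.

    A valid mask is some ones followed by zeros; inverting it gives 2**k - 1,
    which shares no set bit with 2**k.
    """
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & 0xFFFFFFFF
    if inv & (inv + 1):
        return None
    return 32 - inv.bit_length()


class RouteTable:
    """Minimal IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, network: str, mask: str, via: str) -> None:
        plen = prefix_len(mask)
        if plen is None:
            raise ValueError(f"{mask} (/{mask_hex(mask)}) is not a contiguous netmask")
        net = ipaddress.IPv4Network(f"{network}/{plen}", strict=False)
        self._routes.append((net, via))

    def lookup(self, dst: str) -> Optional[str]:
        """Return the next hop / interface for dst, choosing the most specific route."""
        addr = ipaddress.IPv4Address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, via in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


def site1_table(underlay_routes: bool = True) -> RouteTable:
    """Site1's routing table after the OpenVPN client on tun12 installs its routes.

    Addresses are the ones from the final post. Assumed for the example: the
    connected /30 on WAN, the default route via 10.10.1.1, and the labels
    LAN1/WAN for the directly connected interfaces.
    """
    t = RouteTable()
    t.add("192.168.1.0", "255.255.255.0", "LAN1")        # directly connected LAN (assumed label)
    t.add("10.10.1.0", "255.255.255.252", "WAN")         # connected inter-site link (assumed /30)
    t.add("0.0.0.0", "0.0.0.0", "10.10.1.1")             # normal WAN default gateway (assumed)
    if underlay_routes:
        # the "missing bit": keep the other sites' tunnel endpoints reachable
        # through the inter-site gateway, not through the tunnel itself
        t.add("10.10.2.0", "255.255.255.252", "10.10.1.1")
        t.add("10.10.3.0", "255.255.255.252", "10.10.1.1")
    # the two /1 routes: together they cover all of IPv4 and, being more
    # specific than /0, win over the default route without replacing it
    t.add("0.0.0.0", "128.0.0.0", "tun12")
    t.add("128.0.0.0", "128.0.0.0", "tun12")
    t.add("192.168.3.0", "255.255.255.0", "tun13")      # Site1 as server for Site3
    return t


if __name__ == "__main__":
    for mask in ("128.0.0.0", "127.0.0.0", "128.0.0.1"):
        print(f"{mask:>10} = /{mask_hex(mask)} -> prefix {prefix_len(mask)}")
    for underlay in (True, False):
        t = site1_table(underlay_routes=underlay)
        print(f"underlay routes {'present' if underlay else 'missing'}:")
        for dst in ("8.8.8.8", "10.10.2.2", "192.168.3.7"):
            print(f"  {dst:>12} -> {t.lookup(dst)}")
```

Without the /30 routes, 10.10.2.2 (Site2's tunnel endpoint) matches 0.0.0.0/1 and is sent into tun12, i.e. the tunnel's own transport packets would be routed into the tunnel; with them, the /30 is the longest match and the endpoint stays reachable via 10.10.1.1. OpenVPN's `redirect-gateway def1` flag installs the same two /1 routes (plus a host route to the VPN server via the original gateway), so the manual routes above are the equivalent of def1 with the underlay routes added by hand.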