Netgate Discussion Forum

    Can't connect to client network?

    OpenVPN
    20 Posts 2 Posters 8.8k Views
    • cyruspy

      Thanks for being patient!

      Are you sure that 1 and 2 are client and only 3 is the server?

      I meant I only setup the client parameters for fw2, as the route to LAN1 should be setup using the remote network parameter.
      This is correct:

      Don't you mean
      Link1-2: 1 is client, 2 is server
      Link2-3: 2 is client, 3 is server?
      
      
      I'll try to write up a list of how your custom routes should look like:
      

      Fixed the configuration as suggested.

      
      If you deactivated automatic rule generation you need to assign the new tun interfaces (firewall --> assign).
      

      I haven't disabled the automatic rule generation; should I?

      These are the routes now:

      FW1

      FW2

      FW3

      This doesn't work:

      Ping LAN1 --> LAN3
      Ping LAN2 --> LAN1

      • GruensFroeschli

        Well if you don't, you don't have the option to create firewall rules for the OpenVPN interface.

        So yes, I would activate that, but later.
        For now we need to get routing up and running correctly.

        How exactly are you testing if your tunnels are up?
        Did you connect clients in the LAN subnet?
        Or are you pinging from the pfSenses directly?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • cyruspy

          I have as client:

          LAN1: Linux VM
          LAN2: Windows VM
          LAN3: Linux VM

          Tested from LAN clients and also from the FW in each site.

          • GruensFroeschli

            Sorry, I only just saw your screenshots.
            I wrote an error again.
            I saw in your first screenshots that you had as subnet for the overwriting subnet /80000001
            This was wrong. I didn't realize that it was because of 127.0.0.1.
            Now with 128.0.0.0 it's 7f000000 which is just as bad…
            It should just be /1 (or 80000000). So in the end it really has to be 127.0.0.0
            Sorry.


            • cyruspy

              That would be something like this?

              S1-client:
              route 0.0.0.0 127.0.0.0;
              route 127.0.0.0 127.0.0.0;
              dev tun12;
              
              S2-server:
              route 192.168.1.0 255.255.255.0;
              dev tun21;
              
              S2-client:
              route 0.0.0.0 127.0.0.0;
              route 127.0.0.0 127.0.0.0;
              dev tun23;
              
              S3-server:
              route 192.168.1.0 255.255.255.0;
              route 192.168.2.0 255.255.255.0;
              dev tun32;
              
              • GruensFroeschli

                More like this:

                S1-client:
                route 0.0.0.0 128.0.0.0;
                route 128.0.0.0 128.0.0.0;
                dev tun12;

                S2-server:
                route 192.168.1.0 255.255.255.0;
                dev tun21;

                S2-client:
                route 0.0.0.0 128.0.0.0;
                route 128.0.0.0 128.0.0.0;
                dev tun23;

                S3-server:
                route 192.168.1.0 255.255.255.0;
                route 192.168.2.0 255.255.255.0;
                dev tun32;

                • cyruspy

                  Wasn't that already tested?

                  Ref: http://forum.pfsense.org/index.php/topic,23854.msg122983.html#msg122983

                  • GruensFroeschli

                    Not according to the screenshot of the routes you posted in the link.
                    You have as subnet /7F000000 which is wrong. It should be /80000000 (displayed as /1).

                    • cyruspy

                      Double checked, the above configuration gives 0.0.0.0/7F00000

                      • cyruspy

                        For the record, got the 3-site routed VPN working with this changed topology:
                        Site1 <-> Site2 <-> Site3 <-> Site1

                        The missing bit was to add routes for the Site2 FW before redirecting the default gw on the other two sites.

                        FW1
                        LAN1: 192.168.1.0
                        WAN: 10.10.1.2 --> intersite gw: 10.10.1.1

                        FW2
                        LAN2: 192.168.2.0
                        OPT1: 10.10.2.2 --> intersite gw: 10.10.2.1
                        WAN: Internet

                        FW3
                        LAN3: 192.168.3.0
                        WAN: 10.10.3.2 --> intersite gw: 10.10.3.1

                        Site1 as client:

                        route 10.10.2.0 255.255.255.252 10.10.1.1;
                        route 10.10.3.0 255.255.255.252 10.10.1.1;
                        route 0.0.0.0 128.0.0.0;
                        route 128.0.0.0 128.0.0.0;
                        dev tun12;
                        

                        Site1 as server:

                        route 192.168.3.0 255.255.255.0;
                        dev tun13;
                        

                        Site2 as client:

                        route 192.168.1.0 255.255.255.0;
                        dev tun21;
                        

                        Site2 as server:

                        route 192.168.3.0 255.255.255.0;
                        dev tun23;
                        

                        Site3 as server:

                        route 10.10.1.0 255.255.255.252 10.10.3.1;
                        route 10.10.2.0 255.255.255.252 10.10.3.1;
                        route 0.0.0.0 128.0.0.0;
                        route 128.0.0.0 128.0.0.0;
                        dev tun32;
                        

                        Site3 as client:

                        route 192.168.1.0 255.255.255.0;
                        dev tun31;
                        

                        Thanks a lot to GruensFroeschli for the tip about redirecting default gw. Just out of curiosity, the two routes for that trick do the same as "redirect-gateway def1"?

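The two points the thread turns on, the hex mask shown by the pfSense routing table (/7F000000 versus /80000000) and the "two half routes" that override the default gateway without touching 0.0.0.0/0, can be checked offline. The script below is an added example, not code from the thread or from pfSense/OpenVPN; the Site1 routing table in it is constructed from the final post's addresses (interface names such as "tun12" and "LAN1" are labels, not real kernel output), and it answers the closing question: 0.0.0.0/1 plus 128.0.0.0/1 is exactly what OpenVPN's `redirect-gateway def1` installs.

```python
import ipaddress

def mask_to_hex(mask: str) -> str:
    """Show a dotted-quad mask as the 8-hex-digit value BSD netstat prints
    for masks that are not plain /N prefixes (the /7F000000 in the thread)."""
    return f"{int(ipaddress.IPv4Address(mask)):08X}"

def prefix_len(mask: str):
    """Prefix length of a contiguous netmask, or None when the mask has a hole:
    127.0.0.0 = 0x7F000000 has a 0 bit in front of 1 bits and is no netmask."""
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & 0xFFFFFFFF          # host part; must be a solid run of 1s
    if inv & (inv + 1):              # a gap makes inv+1 a non-power-of-two
        return None
    return bin(m).count("1")

def lookup(routes, dst: str):
    """Longest-prefix match, as the kernel does it: most specific route wins."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, via in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best[1] if best else None

# Constructed Site1 table. The two /1 halves are what "redirect-gateway def1"
# adds: together they cover all of IPv4 and each is more specific than
# 0.0.0.0/0, so the original default route stays but is never chosen.
SITE1_WITHOUT_PEER_ROUTES = [
    ("0.0.0.0/0", "WAN via 10.10.1.1"),
    ("10.10.1.0/30", "WAN (connected)"),
    ("192.168.1.0/24", "LAN1"),
    ("192.168.3.0/24", "tun13"),
    ("0.0.0.0/1", "tun12"),
    ("128.0.0.0/1", "tun12"),
]
# The "missing bit" from the last post: the other sites' intersite /30s via the
# real WAN gateway, so the tunnel endpoints are not routed into the tunnel.
SITE1_WITH_PEER_ROUTES = SITE1_WITHOUT_PEER_ROUTES + [
    ("10.10.2.0/30", "WAN via 10.10.1.1"),
    ("10.10.3.0/30", "WAN via 10.10.1.1"),
]
```

Without the two /30 routes, `lookup(SITE1_WITHOUT_PEER_ROUTES, "10.10.2.2")` sends the OpenVPN peer's own address into tun12, which is why the tunnels would not come up once the default gateway was redirected.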
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.