NAT & routing on OpenVPN
-
Hey NG,
I don't know if this is the best NG for my problem.
I am new at pfSense. I am planning my remote access to the office by OpenVPN.
The tunnel comes up. I can ping the local interface of the pfSense firewall but I can't route to the LAN servers.
This is my situation:
LAPTOPS (192.168.19.0/24) -- WAN -- ROUTER -- PFSENSE (STATIC NAT with public IP) -- SERVERS LANS (192.168.126.0/24)
I added routing rules on the servers' LANs but it doesn't route :(
I tested with tcpdump on pfSense and the packets arrive but don't get routed.
Can you hint me where the problem is?
With IPsec VPN all works....
Thanks to all
Stefano -
Hello,
I kind of have the same problem but with a spin:
- pfSense at one office (office 1) with OpenVPN server and one at another office (office 2) with OpenVPN client set (OVPN from site to site)
I can ping the office 2 pfSense but I cannot access the LAN behind it, but the other way around works, so from the office 2 LAN I can access the office 1 LAN.
Does anyone have an idea about it?
I'm also kind of new to pfSense so I might have made a silly mistake in the configuration but I cannot see what.
Thank you in advance.
-
Can you guys post your configuration on both server and client side?
-
Hi, yes I will, but I'll need a bit of time to get all the info from the configuration.
Thank you very much for your interest in our problem.
OK, the information on the 2 firewalls and the network:
** They are linked with a Site-to-Site VPN, and a MS Domain is working through it (not sure if this is important)
- The main Firewall:
- 2 interfaces: WAN (static IP) and LAN (no bridging, 192.168.3.100/24, Disable the userland FTP-Proxy application)
- Firewall: only configured rules as (columns: Proto | Source | Port | Destination | Port | Gateway | Schedule | Description):
LAN: pass (there was a second network but it is no longer so this is kind of useless)
| * | LAN net | * | 192.168.1.0/24 | * | * | | to 192.168.1.x |
| * | 192.168.1.0/24 | * | * | * | * | | 192.168.1.x subnet |
| * | LAN net | * | * | * | * | | Default LAN -> any |
WAN: pass
| * | * | * | * | * | * | | pass in all test rule |
| TCP/UDP | * | * | * | 443 (HTTPS) | * | | Allow TCP/UDP to OpenVPN Server Port |
| TCP/UDP | * | * | * | 1191 | * | | Allow TCP/UDP to OpenVPN Server Port |
PPTP VPN: pass
| * | PPTP clients | * | * | * | * | | allows incoming PPTP |
IPSEC: pass
| * | * | * | * | * | * | | Permit IPSEC |
-
Services: default
Enable DHCP server on LAN interface: FALSE
Subnet 192.168.3.0
Subnet mask 255.255.255.0
Available range: (192.168.3.0 - 192.168.3.255 ) - default readonly -
VPN:
- IPsec
Tunnels: Enabled IPsec
Mobile clients: Allow mobile clients: FALSE (basic config)
- PPTP: Enabled PPTP server
Server address: xx.xx.xx.xx
Remote address range: 192.168.50.x/28
….
WINS server: 192.168.3.128
- OpenVPN: Server
1. No TCP 192.168.10.0/24 ovpn
** For external connections via OpenVPN client application
Protocol: TCP
Dynamic IP: true
Local port: 443
Address pool: 192.168.10.0/24
Local network: 192.168.3.0/24
Cryptography: BF-CBC(128bit)
Authentication method: PKI
DHCP-Opt.: DNS-Server: 192.168.3.128
Custom options: push "dhcp-option DNS 192.168.3.128"; push "dhcp-option DNS 192.168.3.129"; push "dhcp-option WINS 192.168.3.128"; push "route 192.168.9.0 255.255.255.0";
2. No TCP 192.168.11.0/24 Office 2 Server
Protocol: TCP
Dynamic IP: true
Local port: 1191
Address pool: 192.168.11.0/24
Remote network: 192.168.9.0/24
Cryptography: BF-CBC(128bit)
Authentication method: Shared key
DHCP-Opt.: NetBIOS node type: none
LZO compression: true
Description: Office 2
ALL THE REST THAT ARE NOT DISPLAYED EITHER ARE NOT SET OR DISABLED
- The client, office 2, Firewall:
- System: there are 4 static routes, like 160.58.134.x, which point to the office 1 firewall 192.168.3.100
- 2 interfaces: WAN(static ip) and LAN(No bridging, 192.168.9.100/24, Disable the userland FTP-Proxy application)
- Firewall: only configured rules as:
LAN: nothing
WAN: pass
| TCP/UDP | * | * | * | 1191 | * | | Tunnel |
-
Services: default
Enable DHCP server on LAN interface: TRUE
Subnet 192.168.9.0
Subnet mask 255.255.255.0
Available range 192.168.9.0 - 192.168.9.255 -
VPN:
- IPsec
Tunnels: Enabled IPsec: FALSE (not enabled)
- PPTP: Off
- OpenVPN : Client
No Firewall_1_WAN_IP TCP Tunnel Connection 2 Office 1
Protocol: TCP
Server address : Firewall_1_WAN_IP (xx.xx.xx.xx)
Server port: 1191
Interface IP: 192.168.11.0/24
Remote network: 192.168.3.0/24
Proxy port: 3128
Cryptography: BF-CBC(128bit)
Authentication method: Shared key
LZO compression: true
Description: Tunnel 2 Office 1
The rest is common configuration, default.
So there is the office 1 network and the office 2 network, and then there are the ones for the Site-to-Site VPN (192.168.11.x) and the one for the exterior VPN connection (192.168.10.x), in which the clients can see each other even if they are in Office 1 or Office 2. What and where should I add a routing for Office 1 to see the Office 2 clients?
Note: No client from office 1 can access the network at office 2, and no client from office 2 can access its network mates if they have activated the OpenVPN Client App (which connects to the Office 1 VPN 1).
Thank you very much
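Both problems in this thread (the remote-access one in the first post and the site-to-site one above) are easiest to reason about by checking the forward path and the reply path separately: "tunnel up, packets arrive, nothing comes back" usually means the far end has no route back to the source address. The following is an added example, not code from the posters or from pfSense: a small route-table model built from the posted configurations, with a checker that walks a packet out and walks the reply home. Host addresses ending in .50, the road warrior's address 192.168.10.6, the VPN pool 192.168.250.0/24 in the first scenario, and the assumption that the first poster's servers use a default gateway other than pfSense are all constructed for the example and are marked as such in the code.

```python
"""Route-symmetry check for the two OpenVPN problems in this thread.

Constructed example, not code from the posters or from pfSense. Every node
(host, firewall, router, tunnel peer) gets a small route table; the checker
walks a packet to its destination and then walks the reply back, so a missing
return route shows up as plainly as a missing forward route.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next_hop); next_hop None means "directly connected",
# i.e. this node delivers onto that segment itself.
Route = Tuple[str, Optional[str]]
Tables = Dict[str, List[Route]]

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as a router does; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, next_hop)
    return best

def trace(tables: Tables, start: str, dst: str, max_hops: int = 8) -> Tuple[bool, List[str]]:
    """Walk from node `start` toward address `dst`. Returns (delivered, path); the
    path ends at the node that delivered the packet, or at the node that had no
    route for it (the last hop where tcpdump would still see it)."""
    node, path = start, [start]
    for _ in range(max_hops):
        route = lookup(tables[node], dst)
        if route is None:
            return False, path          # no route here: the packet is dropped
        if route[1] is None:
            return True, path           # directly connected: delivered
        node = route[1]
        path.append(node)
    return False, path                  # hop limit reached (routing loop)

def round_trip(tables: Tables, a: Tuple[str, str], b: Tuple[str, str]) -> Dict[str, object]:
    """a and b are (node, ip). Check a -> b and the reply b -> a separately."""
    fwd_ok, fwd_path = trace(tables, a[0], b[1])
    ret_ok, ret_path = trace(tables, b[0], a[1])
    return {"forward": fwd_ok, "forward_path": fwd_path,
            "return": ret_ok, "return_path": ret_path}

def site_to_site_tables() -> Tables:
    """The office 1 / office 2 setup as posted. Assumed, not in the post: host
    addresses .50, road-warrior address 192.168.10.6, and a default route to the
    ISP on each firewall ("internet"), which carries no RFC 1918 routes."""
    return {
        "office1_host": [("192.168.3.0/24", None), ("0.0.0.0/0", "pf1")],
        "office2_host": [("192.168.9.0/24", None), ("0.0.0.0/0", "pf2")],
        # Road warrior: pushed local network 192.168.3.0/24 plus the custom push "route 192.168.9.0".
        "road_warrior": [("192.168.10.0/24", None), ("192.168.3.0/24", "pf1"),
                         ("192.168.9.0/24", "pf1"), ("0.0.0.0/0", "internet")],
        # Office 1 firewall: LAN, both tunnel pools, "Remote network 192.168.9.0/24" via the tunnel.
        "pf1": [("192.168.3.0/24", None), ("192.168.10.0/24", None), ("192.168.11.0/24", None),
                ("192.168.9.0/24", "pf2"), ("0.0.0.0/0", "internet")],
        # Office 2 firewall: LAN, tunnel pool, and only "Remote network 192.168.3.0/24".
        "pf2": [("192.168.9.0/24", None), ("192.168.11.0/24", None),
                ("192.168.3.0/24", "pf1"), ("0.0.0.0/0", "internet")],
        "internet": [],
    }

def remote_access_tables(servers_route_vpn_pool: bool) -> Tables:
    """The first post: pfSense in front of servers on 192.168.126.0/24. Assumed,
    not in the post: VPN pool 192.168.250.0/24, and that the servers' default
    gateway ("lan_gw") is another box that knows nothing about the VPN pool."""
    server: List[Route] = [("192.168.126.0/24", None), ("0.0.0.0/0", "lan_gw")]
    if servers_route_vpn_pool:          # the fix: a route for the pool back via pfSense
        server.insert(0, ("192.168.250.0/24", "pfsense"))
    return {
        "laptop": [("192.168.250.0/24", None), ("192.168.126.0/24", "pfsense"), ("0.0.0.0/0", "internet")],
        "pfsense": [("192.168.126.0/24", None), ("192.168.250.0/24", None), ("0.0.0.0/0", "internet")],
        "lan_gw": [("192.168.126.0/24", None), ("0.0.0.0/0", "internet")],
        "server": server,
        "internet": [],
    }

if __name__ == "__main__":
    cases = [
        ("office1 LAN -> office2 LAN", site_to_site_tables(), ("office1_host", "192.168.3.50"), ("office2_host", "192.168.9.50")),
        ("road warrior -> office2 LAN", site_to_site_tables(), ("road_warrior", "192.168.10.6"), ("office2_host", "192.168.9.50")),
        ("VPN laptop -> server, servers lack pool route", remote_access_tables(False), ("laptop", "192.168.250.2"), ("server", "192.168.126.10")),
        ("VPN laptop -> server, pool route added", remote_access_tables(True), ("laptop", "192.168.250.2"), ("server", "192.168.126.10")),
    ]
    for name, tables, a, b in cases:
        r = round_trip(tables, a, b)
        print(f"{name}: forward={'ok' if r['forward'] else 'FAIL'} {r['forward_path']}"
              f"  return={'ok' if r['return'] else 'FAIL'} {r['return_path']}")
```

Run as a script it prints one line per case. With only the posted "Remote network" entries, office 1 LAN to office 2 LAN comes out symmetric in the model, so the tunnel routes alone do not reproduce that failure and the next things to check are the filter rules on each side and the four static routes on the office 2 box. The road-warrior case does fail, on the way back: pf2 has no route for 192.168.10.0/24, so the reply leaves through its default gateway, which matches the note that Office 1 VPN clients cannot see Office 2. For the first post the same check shows the reply from a server dying at whatever default gateway the servers use unless that box, or the servers themselves, carry a route for the VPN pool pointing at pfSense.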