All traffic pfSense to Linuxbox FW
-
Hello All,
In the office building we have a main firewall based on Linux Fedora.
In one of our branch offices we have pfSense.
I have established an OpenVPN connection between them, but I have a problem with routing the traffic correctly.
The goal is for all traffic from the pfSense LAN net 192.168.13.0/24 to be routed over OpenVPN through the main Fedora firewall. Here is the OpenVPN server config from the Linux box:
ca keys/ca.crt
cert keys/xxxxxxxx.crt
# note: link compression is deprecated in current OpenVPN releases (VORACLE-class attacks)
comp-lzo yes
dev tun1
# note: 1024-bit DH parameters are weak by current standards; 2048-bit or larger is recommended
dh /etc/openvpn/keys/dh1024.pem
fast-io
float
crl-verify /etc/openvpn/keys/crl.pem
keepalive 10 120
key keys/xxxxxxx.key
mlock
mode server
persist-key
persist-tun
port 1195
tls-server
local 95.95.95.91
proto udp
server 192.168.250.0 255.255.255.0
status /var/log/openvpn-status-wh.log
log-append /var/log/openvpn-wh.log
verb 1
# Routes pushed to the client section
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.252.0 255.255.255.0"
push "route 192.168.253.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.5"

When I use NAT to masquerade the whole traffic from 192.168.13.0/24 to the OpenVPN interface, the job is done. But I do not want to use NAT, just routing.
I have attached the topology diagram.
Thanks in advance :)
-
And what is in the pfSense client OpenVPN config? Anything to tell the server end that the tunnel to the client is the route back to 192.168.13.0/24?
Perhaps you can just add that explicitly to the server:
route 192.168.13.0 255.255.255.0
-
In the pfSense client config there is nothing, because I push routes from the server side (Linux box) to the client (pfSense).
I posted this in my first post. This is the server config:
. . .
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.252.0 255.255.255.0"
push "route 192.168.253.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.5"
In the Linux config so many IP addresses have been created for OpenVPN that I don't know which is the gateway for 192.168.0.13/24.
ifconfig tells:
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.250.1  P-t-P:192.168.250.2  Mask:255.255.255.255

netstat -rn tells:
[root@fw ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.250.2   0.0.0.0         255.255.255.255 UH    0   0      0    tun1
192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.250.0   192.168.250.2   255.255.255.0   UG    0   0      0    tun1
192.168.252.0   0.0.0.0         255.255.255.0   U     0   0      0    eth2
192.168.253.0   0.0.0.0         255.255.255.0   U     0   0      0    eth1
0.0.0.0         x.x.x.x         0.0.0.0         UG    0   0      0    eth3
-
In your Linux-end OpenVPN server config, just add:
route 192.168.13.0 255.255.255.0
That should tell it that the link is a route to 192.168.13.0/24.
-
Thanks a lot,
it was enough for me to understand :)
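The fix suggested above (a `route 192.168.13.0 255.255.255.0` line on the server) gives the Fedora kernel a route into tun1, but because this server runs in `server` mode with a client pool (192.168.250.0/24), OpenVPN also keeps its own per-client routing table and needs an `iroute` in a client-config-dir file to learn which connected client owns 192.168.13.0/24; without it, traffic for the branch LAN is dropped and the server log reports a bad source address from the client. The script below is an added example and is not code from the thread or from the pfSense or OpenVPN projects. It assumes a ccd directory of /etc/openvpn/ccd, a server config path of /etc/openvpn/server-wh.conf and a client certificate CN of "pfsense-branch"; none of these appear in the posts, so adjust them to the real values. It also includes a check that parses saved `netstat -rn` output for the return route.

```shell
#!/bin/sh
# Added example (not from the thread): return route for 192.168.13.0/24 on the
# Fedora OpenVPN server, routed rather than NATed. Assumptions, not from the
# original posts: ccd directory, server config path and the pfSense client CN.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"                  # assumed path
SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server-wh.conf}" # assumed path
CLIENT_CN="${CLIENT_CN:-pfsense-branch}"                # assumed client cert CN
BRANCH_NET="192.168.13.0"
BRANCH_MASK="255.255.255.0"

# Lines to append to the server config. "route" gives the kernel a route for the
# branch LAN into the tun interface (the line suggested in the thread);
# "client-config-dir" makes OpenVPN read the per-client file written below.
server_fragment() {
  printf 'route %s %s\nclient-config-dir %s\n' "$BRANCH_NET" "$BRANCH_MASK" "$CCD_DIR"
}

# Per-client file ($CCD_DIR/<CN>). In "server" mode a kernel route alone is not
# enough: OpenVPN keeps its own client routing table, and "iroute" tells it which
# connected client owns 192.168.13.0/24. Without it the daemon drops the packets
# and logs "bad source address from client".
ccd_entry() {
  printf 'iroute %s %s\n' "$BRANCH_NET" "$BRANCH_MASK"
}

# Check a saved "netstat -rn" (or "route -n") output for the return route:
# destination 192.168.13.0, genmask 255.255.255.0, interface tun*.
# Exit status 0 when the route is present, 1 when it is missing.
has_return_route() {
  awk -v net="$BRANCH_NET" -v mask="$BRANCH_MASK" \
      '$1 == net && $3 == mask && $NF ~ /^tun/ { found = 1 }
       END { exit(found ? 0 : 1) }' "$1"
}

# Install both pieces (run as root on the server), then restart OpenVPN.
install_return_route() {
  mkdir -p "$CCD_DIR"
  ccd_entry > "$CCD_DIR/$CLIENT_CN"
  server_fragment >> "$SERVER_CONF"
  echo "restart openvpn, then verify with: netstat -rn | grep $BRANCH_NET"
}

if [ "${1:-}" = "--install" ]; then
  install_return_route
fi
```

Two things still have to hold on the Fedora box for the routed setup to work: IP forwarding must be on and the firewall must permit forwarding between tun1 and the LAN interfaces (eth0, eth1, eth2), and hosts on 192.168.0.0/24, 192.168.252.0/24 and 192.168.253.0/24 must reach 192.168.13.0/24 via the Fedora box, which they already do if it is their default gateway. The pushed `redirect-gateway def1` also sends the branch's Internet traffic through the tunnel, so that part still needs masquerading on eth3; only the LAN-to-LAN traffic can go unNATed.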