Netgate Discussion Forum

    OpenVPN Multiple Gateways

    OpenVPN | 13 Posts, 3 Posters, 6.9k Views
theflu
Nachtfalke

It looks like all the LAN interfaces of your three pfSense boxes are on the same subnet, right?
        So if you have access with OpenVPN to pfsense3 then your VPN is working.

        Check on pfsense2 and pfsense1 if you allow your OpenVPN IP-Subnet on the LAN firewall rule. Often there is only a rule which allows all traffic from "LAN Subnet" but your OpenVPN traffic is not originated from LAN subnet but from OpenVPN subnet.

Further make sure that your OpenVPN tunnel network does not overlap with your LAN network (10.0.1.0/24). Overlapping networks on both sites could cause troubles.

        Question:
Why are you using three pfSense boxes and not just one with load balancing? If this is only because of your servers then you can do policy based routing on the pfSense LAN interface and route server1 traffic through the pfsense1 gateway and so on.

theflu

          Yes all the pfsense boxes are on the same subnet.
          The VPN does work. (I just can't access the servers on the different gateways)

          Should I change the VPN subnet to something like 10.0.1.0/30?

          The reason for the multiple pfsense boxes is for reliability if one goes out we don't want everything to go out and we have a lot of traffic like TBs a month.

          pfsense 10.0.0.1 route:

          pfsense 10.0.0.1 rule:

theflu

            I changed the subnet for the VPN to 29 from 24 (I changed the subnet in the route and rule on 10.0.0.1 also)

            The traffic is still getting blocked even with the rule posted above

            This is the firewall log from pfsense 10.0.0.1

Nachtfalke

              Hi again,

No need for any static routes to make OpenVPN work.
Your LAN is 10.0.0.0/24 - this is OK.
Your VPN is 10.0.1.0/24 - this is OK.

              From Your OpenVPN client you can access 10.0.0.3 - right?
If this is working, then I assume your OpenVPN is correct and your firewall rules for OpenVPN on pfsense 10.0.0.3 are correct. What you have to do is:

              • allow traffic from 10.0.1.0/24 on pfsense 10.0.0.1 and pfsense 10.0.0.2 LAN interfaces as source address

              • allow traffic from 10.0.1.0/24 on your servers 10.0.0.10, 10.0.0.20, 10.0.0.30 (firewall)

theflu

                Same results.

I changed the subnet back to /24 and removed the gateway and route to 10.0.1.0/24.

                The servers do not have a firewall on them.

                I added these rules:

This is the traffic being blocked by the firewall on 10.0.0.1 (10.0.0.23 is the server I am trying to access).

rubic

The firewall on 10.0.0.1 drops the SYN-ACK from 10.0.0.23 since it has no corresponding state. That's because the initial SYN 10.0.1.6 -> 10.0.0.23 goes directly, not through 10.0.0.1.
So first of all, in System: Advanced: Firewall and NAT, check 'Bypass firewall rules for traffic on the same interface', then of course bring the static routes back.

theflu
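Why the server's SYN-ACK is logged as blocked on pfsense1, and why rubic's fix needs both the bypass option and the static route, as an added illustration (not from the thread, and a simplified model of stateful filtering rather than pfSense's own code). It assumes 10.0.0.23 uses 10.0.0.1 as its default gateway, that the static route sends 10.0.1.0/24 via 10.0.0.3, and constructed port numbers.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")          # shared LAN of the three pfSense boxes
VPN = ip_network("10.0.1.0/24")          # OpenVPN tunnel network on pfsense3
LAN_PASS_RULES = [LAN, VPN]              # "pass from <source>" rules on pfsense1's LAN interface

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                           # "S" = SYN, "SA" = SYN-ACK

@dataclass
class Firewall:
    bypass_same_if: bool = False         # System > Advanced > Firewall and NAT option
    static_route_to_vpn: bool = False    # 10.0.1.0/24 via 10.0.0.3 (pfsense3), assumed
    states: set = field(default_factory=set)

    def egress_if(self, dst):
        if ip_address(dst) in LAN or (self.static_route_to_vpn and ip_address(dst) in VPN):
            return "lan"
        return "wan"                     # everything else follows the default route

    def filter(self, pkt, ingress="lan"):
        """Decide 'pass' or 'block' for a packet arriving on the LAN interface."""
        if self.bypass_same_if and ingress == self.egress_if(pkt.dst):
            return "pass"                # same-interface traffic skips rules and state check
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "pass"                # belongs to a connection we already track
        if pkt.flags != "S":
            return "block"               # no state and not a SYN: the "TCP:SA" block in the log
        if any(ip_address(pkt.src) in net for net in LAN_PASS_RULES):
            self.states.add(fwd)         # pass rules create state on the initial SYN only
            return "pass"
        return "block"

def synack_via_pfsense1(bypass, static_route):
    """The thread's case: the SYN 10.0.1.6 -> 10.0.0.23 went through pfsense3, so pfsense1
    never saw it; the server's reply goes to its default gateway 10.0.0.1 (pfsense1)."""
    fw = Firewall(bypass_same_if=bypass, static_route_to_vpn=static_route)
    reply = Packet("10.0.0.23", "10.0.1.6", 80, 51000, "SA")   # constructed ports
    return fw.filter(reply)
```

Without the static route the reply would leave via WAN, so the same-interface bypass does not apply and the packet is still dropped; with both settings the reply passes back toward 10.0.0.3.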

                    @rubic:

The firewall on 10.0.0.1 drops the SYN-ACK from 10.0.0.23 since it has no corresponding state. That's because the initial SYN 10.0.1.6 -> 10.0.0.23 goes directly, not through 10.0.0.1.
So first of all, in System: Advanced: Firewall and NAT, check 'Bypass firewall rules for traffic on the same interface', then of course bring the static routes back.

                    Thank you! This worked perfectly!

theflu

I have one other question about OpenVPN.

I have "Redirect Gateway - Force all client generated traffic through the tunnel." checked.

http://10.0.0.20/ ---> Through the VPN
http://google.com/ ---> Through the client's ISP

Nachtfalke

@theflu:

I have one other question about OpenVPN.

I have "Redirect Gateway - Force all client generated traffic through the tunnel." checked.

http://10.0.0.20/ ---> Through the VPN
http://google.com/ ---> Through the client's ISP

Uncheck "Redirect Gateway" and set your 10.0.0.0/24 network as the remote network on the OpenVPN server.
Restart the OpenVPN server and reconnect the OpenVPN client.

On the OpenVPN client you can see with "netstat -rn" that there is a static route entry for the OpenVPN network, and the rest will use your ISP.

theflu
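How the client's routing table produces the split Nachtfalke describes, as an added example that is not from the thread. The table is constructed to mimic "netstat -rn" output; the 192.168.1.0/24 home LAN, its gateway and the 10.0.1.5 tunnel gateway are assumed values, and the two /1 routes are the ones OpenVPN installs when "redirect-gateway def1" is pushed, so the same lookup also shows why the option sends google.com through the tunnel.

```python
from ipaddress import ip_address, ip_network

# Constructed client routing table after connecting with "Redirect Gateway" unchecked
# and 10.0.0.0/24 configured as the remote network: (destination, gateway, interface)
SPLIT_TUNNEL = [
    ("0.0.0.0/0",      "192.168.1.1", "eth0"),   # default route via the client's ISP (assumed)
    ("10.0.0.0/24",    "10.0.1.5",    "tun0"),   # pushed by the OpenVPN server (assumed gateway)
    ("10.0.1.0/24",    "0.0.0.0",     "tun0"),   # the tunnel network itself
    ("192.168.1.0/24", "0.0.0.0",     "eth0"),   # the client's local LAN (assumed)
]

# With "Redirect Gateway" checked, OpenVPN's def1 method adds two /1 routes that
# together cover the whole address space and beat the ISP's /0 default route.
FULL_TUNNEL = SPLIT_TUNNEL + [
    ("0.0.0.0/1",   "10.0.1.5", "tun0"),
    ("128.0.0.0/1", "10.0.1.5", "tun0"),
]

def lookup(table, dst):
    """Longest-prefix match: return the interface a packet to dst leaves through."""
    best = None
    for prefix, gateway, iface in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best[2] if best else None

if __name__ == "__main__":
    for dst in ("10.0.0.20", "142.250.1.1"):   # 142.250.1.1 stands in for a google.com address
        print(dst, "split:", lookup(SPLIT_TUNNEL, dst), "full:", lookup(FULL_TUNNEL, dst))
```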

Thank you. That worked.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.