Openvpn Routing Issue
-
Dear All,
I have a problem with a site-to-site VPN setup.
Network is as follows:
SITEA
Internet
+
+
+
Cisco 1900 Router - WAN PPPOE – LAN Nat - DHCP Enabled 192.168.1.0/24
+
+
+
Cisco Catalyst switch
+
+
+
+
pfSense acting as OpenVPN server - DHCP disabled - LAN fixed IP 192.168.1.19
WAN of pfSense comes from another Internet connection
OpenVPN tunnel is 10.8.8.1
SITEB
pfSense with OpenVPN client - PPPOE
DHCP LAN with 192.168.109.100.
The main aim of the VPN: SITEB users should be able to access a few servers on SITEA.
From SITEA I can ping the whole 192.168.109.x range via the pfSense console - no issue.
From SITEB I can ping only 192.168.1.19 and one more IP, which is an access point.
The rest of the network is unreachable.
I tried switching the smart ports on the Cisco to desktop, Cisco switch, and trunk, but with the same results.
My question is: if I can reach the SiteA LAN as well as another IP, why am I unable to ping the other PCs and servers on the same network? I cannot change the IP range of that LAN.
Following is the packet capture of the SITEA LAN:
Please advise what to do.
UPDATE: Server site: openvpn[17920]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
-
From SITEA I can ping the whole 192.168.109.x range via the pfSense console - no issue.
From SITEB I can ping only 192.168.1.19 and one more IP, which is an access point.
The rest of the network is unreachable.
The Cisco at site A will have to know the route to site B, via the pfSense site A LAN IP. Devices in site A will have the Cisco as default gateway. When a device in site A sends a packet to site B, it goes first to the Cisco; the Cisco has to direct it to the pfSense site A LAN IP, then pfSense sends it over the tunnel.
Packets from B to A work, because pfSense at site A can deliver the traffic directly to a site A device - no Cisco in the path.
After adding a route on the Cisco, you will still have asymmetric routes. The Cisco will only see traffic in one direction. If the Cisco is acting as a stateful firewall, then it might drop those packets. You will see soon enough.
In this configuration, pfSense site A should be OK - it will see packets in both directions, so it should be able to maintain its firewall state table.
-
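To make the asymmetric-path point concrete, here is an added example (not code from the thread or from pfSense): a small longest-prefix-match routing simulation built from the addresses given above. The node names (hostA, ap, cisco, pfsenseA, pfsenseB, hostB) and the assumption that each pfSense already has a route to the far LAN over the tunnel are mine; the "wan" next hop stands in for the Cisco's PPPoE default route.

```python
import ipaddress

# Constructed routing tables modelled on the thread's topology. Assumption:
# each site's pfSense already has a route to the far LAN via the tunnel.
# Next hop "local" = destination is on a directly attached LAN; "wan" is the
# Cisco's PPPoE default route, which has no table here, so a packet sent that
# way leaves the site and is reported as dropped.
TABLES = {
    "hostA":    [("0.0.0.0/0", "cisco")],             # SITEA server, gateway .1
    "ap":       [("0.0.0.0/0", "pfsenseA")],          # SITEA AP, gateway .19
    "cisco":    [("192.168.1.0/24", "local"), ("0.0.0.0/0", "wan")],
    "pfsenseA": [("192.168.1.0/24", "local"), ("192.168.109.0/24", "pfsenseB")],
    "pfsenseB": [("192.168.109.0/24", "local"), ("192.168.1.0/24", "pfsenseA")],
    "hostB":    [("0.0.0.0/0", "pfsenseB")],          # 192.168.109.52
}

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(tables, src, dst):
    """Follow next hops from node src until the packet is delivered or dropped."""
    path, node = [src], src
    for _ in range(8):                                # loop guard
        nh = lookup(tables[node], dst)
        if nh == "local":
            return path, "delivered"
        if nh not in tables:                          # no route, or sent off-site
            return path, "dropped"
        path.append(nh)
        node = nh
    return path, "loop"

def with_cisco_route(tables):
    """Tables after 'ip route 192.168.109.0 255.255.255.0 192.168.1.19' on the Cisco."""
    fixed = {name: list(t) for name, t in tables.items()}
    fixed["cisco"].insert(0, ("192.168.109.0/24", "pfsenseA"))
    return fixed

if __name__ == "__main__":
    for label, tabs in (("before", TABLES), ("after", with_cisco_route(TABLES))):
        print(label, "B->A :", trace(tabs, "hostB", "192.168.1.5"))
        print(label, "A->B :", trace(tabs, "hostA", "192.168.109.52"))
        print(label, "AP->B:", trace(tabs, "ap", "192.168.109.52"))
```

Before the static route, the B-to-A ping is delivered but the A-to-B reply dies at the Cisco; the AP (gateway .19) works either way, and after the route the return path still runs through the Cisco while the forward path never does.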
Dear Phil,
Thanks for the solution.
I will check again and will revert back soon.
-
Dear Phil,
Please advise if this is correct.
SITEA
Cisco Router is 192.168.1.1
OpenVPN Server is 192.168.1.19
I should add this route to the Cisco: ip route 192.168.109.0 255.255.255.0 192.168.1.19
Thanks
-
Dear Phil,
Why am I able to ping only one device, which is an AP, on SiteA from SiteB?
-
Dear Phil,
Please advise if this is correct.
SITEA
Cisco Router is 192.168.1.1
OpenVPN Server is 192.168.1.19
I should add this route to the Cisco: ip route 192.168.109.0 255.255.255.0 192.168.1.19
Thanks
Sorry, been offline from the forum a few days - yes, the route information is correct. You know the exact correct Cisco format.
-
Dear Phil,
Why am I able to ping only one device, which is an AP, on SiteA from SiteB?
If the AP has its default route set to the SiteA pfSense LAN IP 192.168.1.19, then the reply would work by default.
After adding the route to the Cisco (previous post), you should be able to ping lots of things in SiteA from SiteB.
Post what you have done so far, what pings work and what pings do not work.
-
Thanks Phil,
Adding the route as per your suggestion worked perfectly.
Thanks again.