Netgate Discussion Forum
    Networks routed from a pfSense box not accessible from an OpenVPN site (P2P PKI)

    josemaX

      Hello all

      First, sorry for my poor English.

      I'm having a problem I'm unable to resolve and hope someone can help me.

      I have a place with a pfSense box that routes 2 other networks, one with another pfSense and the other(s) with a Cisco Router supplied by the ISP.

      I have a remote site connected with OpenVPN Peer to Peer (SSL/TLS) working "well". I mean well because I can access the LAN networks from one site to the other one (and vice versa), but from the remote site (pfSense3) LAN I can't access the networks provided by the Cisco or the 172.16.10.0/26 provided by pfSense 2 (see the attached image).

      Those networks are accessible from the pfSense LAN network. They are also accessible from OpenVPN Roadwarrior users. They are even accessible from pfSense3 itself (from its shell), but not from its LAN network.

      I've spent several days trying everything I know. The routes are pushed from pfSense1 to pfSense3. I've reviewed the rules again and again; everything passes.

      I suppose I'm missing something here, but don't know what.

      This is the routing table in the pfSense3 box:

      Routing tables
      
      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            192.168.153.1      UGS         0     5922 pppoe0
      google-public-dns- 192.168.153.1      UGHS        0    30451 pppoe0
      10.0.10.1/32       10.0.10.5          UGS         0        0 ovpnc1
      10.0.10.5          link#8             UH          0        0 ovpnc1
      10.0.10.6          link#8             UHS         0        0    lo0
      10.2.6.0           10.0.10.5          UGS         0        0 ovpnc1
      10.2.31.0          10.0.10.5          UGS         0        0 ovpnc1
      10.31.10.0         10.0.10.5          UGS         0        0 ovpnc1
      10.31.112.0        10.0.10.5          UGS         0        0 ovpnc1
      10.31.253.0        10.0.10.5          UGS         0        0 ovpnc1
      10.32.253.0        10.0.10.5          UGS         0        0 ovpnc1
      10.252.130.0       10.0.10.5          UGS         0        0 ovpnc1
      10.252.144.0       10.0.10.5          UGS         0        0 ovpnc1
      10.252.252.0       10.0.10.5          UGS         0        0 ovpnc1
      10.253.1.192/32    10.0.10.5          UGS         0        0 ovpnc1
      10.253.252.0       10.0.10.5          UGS         0        0 ovpnc1
      PUBLIC-DSL-IP-94.d link#9             UHS         0        0    lo0
      localhost          link#4             UH          0       97    lo0
      172.16.0.0/21      10.0.10.5          UGS         0        7 ovpnc1
      172.16.10.0/26     10.0.10.5          UGS         0        0 ovpnc1
      172.16.20.0/26     link#1             U           0       48    vr0
      pfsense3           link#1             UHS         0        0    lo0
      192.168.153.1      link#9             UH          0        0 pppoe0
      

      The 10.2., 10.31, 10.32, 10.252 and 10.253 networks are the ones provided by the Cisco, and 172.16.10.10/26 is the one provided by pfSense2.

      Do you know what my problem is? I'm not posting configurations to keep this short. If you need something, please ask me.

      Thanks

      Best

      ![OpenVPN Routing.png](/public/imported_attachments/1/OpenVPN Routing.png)

        marvosa


        Need to clarify some info:

        • Your diagram shows "OpenVPN Tunnel Network: 10.0.10.0/24" and "Subnet to pfSense3: 10.0.10.8/30". Please clarify what you meant because those networks overlap.

        • When you say "I have a remote site connected with OpenVPN Peer to Peer (SSL/TLS) working" you never specified what was connected. I can only assume from your diagram that you meant PFsense 1 and PFsense 3 are connected and that each side can communicate with the other side's LAN, but please verify my assumption is correct.

        • On PFsense 2, is there a typo or is 172.16.10.1/26 really a WAN interface? Why isn't it a LAN interface? I would imagine 172.16.20.0/26 cannot communicate with 172.16.10.0/26 because there is no return route back to 172.16.20.0/26 on PFsense 2. Although, I'm not even sure that's possible because it's a WAN interface and being NAT'd… someone else chime in if they know for sure.

        • You need a return route to 172.16.20.0/26 on the Cisco.

        • Post your server1.conf from PFsense 1 and client1.conf from PFsense 3.
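
Added example (not marvosa's or the OP's code): a small Python model of the round trip this answer is pointing at. It does longest-prefix lookups over constructed routing tables; the pfSense3 and pfSense1 entries are taken from the posted routing table and server config, while the Cisco, pfSense2 and ISP tables are assumptions, since the thread never shows them. A packet sourced from pfSense3's own tunnel address gets its reply routed back through pfSense1, whereas one sourced from the pfSense3 LAN is answered toward the ISP because the Cisco has no route back to 172.16.20.0/26, which is exactly the "works from the pfSense3 shell but not from its LAN" symptom in the first post.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not from the original post):
# prefixes come from the posted pfSense3 routing table and server config; the Cisco,
# pfSense2 and ISP tables are assumptions. "local" = connected prefix, "blackhole" = dropped.
TABLES = {
    "pfsense3": {"172.16.20.0/26": "local", "10.0.10.6/32": "local", "10.0.10.0/24": "pfsense1",
                 "10.31.10.0/24": "pfsense1", "172.16.10.0/26": "pfsense1", "0.0.0.0/0": "isp"},
    "pfsense1": {"10.0.10.1/32": "local", "10.0.10.0/24": "pfsense3", "172.16.20.0/26": "pfsense3",
                 "10.31.10.0/24": "cisco", "172.16.10.0/26": "pfsense2", "0.0.0.0/0": "isp"},
    # Assumed: both know the tunnel network but nothing about the LAN behind pfSense3.
    "cisco":    {"10.31.10.0/24": "local", "10.0.10.0/24": "pfsense1", "0.0.0.0/0": "isp"},
    "pfsense2": {"172.16.10.0/26": "local", "10.0.10.0/24": "pfsense1", "0.0.0.0/0": "isp"},
    "isp":      {"0.0.0.0/0": "blackhole"},  # RFC 1918 space does not route on the Internet
}

def lookup(router, ip):
    """Longest-prefix match in one router's table; None when nothing matches."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, nexthop in TABLES.get(router, {}).items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`; returns (delivered, routers visited)."""
    path = [start]
    for _ in range(max_hops):
        nexthop = lookup(path[-1], dst)
        if nexthop == "local":
            return True, path
        if nexthop in (None, "blackhole"):
            return False, path
        path.append(nexthop)
    return False, path  # too many hops: treat as a routing loop

def check_round_trip(src_router, src_ip, dst_ip):
    """Forward path, then the return path from wherever dst is local (the OP's failing half)."""
    fwd_ok, fwd = trace(src_router, dst_ip)
    ret_ok, ret = trace(fwd[-1], src_ip) if fwd_ok else (False, [])
    return {"forward_ok": fwd_ok, "forward": fwd, "return_ok": ret_ok, "return": ret}

def add_return_route(router, prefix, nexthop):
    """The fix this answer suggests: a route back to the remote LAN on the far-end router."""
    TABLES[router][prefix] = nexthop

if __name__ == "__main__":
    for src in ("10.0.10.6", "172.16.20.5"):  # pfSense3's tunnel address vs. a LAN host
        print(src, check_round_trip("pfsense3", src, "10.31.10.89"))
```

Calling `add_return_route("cisco", "172.16.20.0/26", "pfsense1")` models the suggested fix and makes the LAN case round-trip; the same gap shows up for 172.16.10.0/26 behind pfSense2.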

          josemaX

          @marvosa:

          Need to clarify some info:

          • Your diagram shows "OpenVPN Tunnel Network: 10.0.10.0/24" and "Subnet to pfSense3: 10.0.10.8/30". Please clarify what you meant because those networks overlap.
          • When you say "I have a remote site connected with OpenVPN Peer to Peer (SSL/TLS) working" you never specified what was connected. I can only assume from your diagram that you meant PFsense 1 and PFsense 3 are connected and that each side can communicate with the other side's LAN, but please verify my assumption is correct.
          • On PFsense 2, is there a typo or is 172.16.10.1/26 really a WAN interface? Why isn't it a LAN interface? I would imagine 172.16.20.0/26 cannot communicate with 172.16.10.0/26 because there is no return route back to 172.16.20.0/26 on PFsense 2. Although, I'm not even sure that's possible because it's a WAN interface and being NAT'd… someone else chime in if they know for sure.
          • You need a return route to 172.16.20.0/26 on the Cisco.

          Remember

          • Post your server1.conf from PFsense 1 and client1.conf from PFsense 3.

          pfSense1 Site2Site (PKI)

          dev ovpns2
          dev-type tun
          tun-ipv6
          dev-node /dev/tun2
          writepid /var/run/openvpn_server2.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-256-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local TRIMMED-PUBLIC-IP
          tls-server
          server 10.0.10.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc
          ifconfig 10.0.10.1 10.0.10.2
          tls-verify /var/etc/openvpn/server2.tls-verify.php
          lport 1195
          management /var/etc/openvpn/server2.sock unix
          ca /var/etc/openvpn/server2.ca 
          cert /var/etc/openvpn/server2.cert 
          key /var/etc/openvpn/server2.key 
          dh /etc/dh-parameters.1024
          tls-auth /var/etc/openvpn/server2.tls-auth 0
          route 172.16.20.0 255.255.255.192
          route 172.16.20.64 255.255.255.192
          route 192.168.0.0 255.255.255.0
          push "route 172.16.0.0 255.255.248.0"
          push "route 172.16.10.0 255.255.255.192"
          push "route 10.2.6.0 255.255.255.0"
          push "route 10.2.31.0 255.255.255.0"
          push "route 10.31.10.0 255.255.255.0"
          push "route 10.31.112.0 255.255.255.0"
          push "route 10.31.253.0 255.255.255.0"
          push "route 10.32.253.0 255.255.255.0"
          push "route 10.252.130.0 255.255.255.0"
          push "route 10.252.144.0 255.255.255.0"
          push "route 10.252.252.0 255.255.255.0"
          push "route 10.253.1.192 255.255.255.255"
          push "route 10.253.252.0 255.255.255.0"


          pfSense3 (Client)

          dev ovpnc1
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-256-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local TRIMMED-PUBLIC-IP
          tls-client
          client
          lport 0
          management /var/etc/openvpn/client1.sock unix
          remote TRIMMED-REMOTE-IP 1195
          ifconfig 10.0.10.2 10.0.10.1
          ca /var/etc/openvpn/client1.ca 
          cert /var/etc/openvpn/client1.cert 
          key /var/etc/openvpn/client1.key 
          tls-auth /var/etc/openvpn/client1.tls-auth 1
          

          Also, here is the CSO (-csc) file for that client:

          ifconfig-push 10.0.10.10 10.0.10.9
          iroute 172.16.20.0 255.255.255.192
          

          USING Site2Site

          12:00:41.556303 IP 192.168.0.47.38007 > 10.31.10.89.33438: UDP, length 24
          12:00:41.628250 IP 192.168.0.47.38007 > 10.31.10.89.33439: UDP, length 24
          12:00:41.699052 IP 192.168.0.47.38007 > 10.31.10.89.33440: UDP, length 24
          12:00:41.770609 IP 192.168.0.47.38007 > 10.31.10.89.33441: UDP, length 24
          
          12:01:55.579807 IP 192.168.0.47.38022 > 10.31.10.89.33441: UDP, length 24
          12:02:00.580990 IP 192.168.0.47.38022 > 10.31.10.89.33442: UDP, length 24
          12:02:05.581638 IP 192.168.0.47.38022 > 10.31.10.89.33443: UDP, length 24
          12:02:10.582314 IP 192.168.0.47.38022 > 10.31.10.89.33444: UDP, length 24
          

          USING RoadWarrior

          11:35:41.019829 IP 10.0.8.202.37905 > 10.31.10.89.33435: UDP, length 24
          11:35:41.182282 IP 10.0.8.202.37905 > 10.31.10.89.33436: UDP, length 24
          11:35:41.253157 IP 10.0.8.202.37905 > 10.31.10.89.33437: UDP, length 24
          11:35:41.324107 IP 10.0.8.202.37905 > 10.31.10.89.33438: UDP, length 24
          
          11:37:07.139149 IP 10.31.253.2.46027 > 10.31.10.89.33438: UDP, length 24
          11:37:07.281083 IP 10.31.253.2.15414 > 10.31.10.89.33439: UDP, length 24
          11:37:07.351882 IP 10.31.253.2.3381 > 10.31.10.89.33440: UDP, length 24
          11:37:07.422730 IP 10.31.253.2.23474 > 10.31.10.89.33441: UDP, length 24
          
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.