pfSense VPN router behind a Tomato router
-
Quick summary of what I'm trying to accomplish

I'm testing a Netgate pfSense router at home and wish to connect it behind my Shibby Tomato router so as not to disrupt my normal home network setup. The VPN will be connected to my corporate location. I have configured the tunnel and have it working if the pfSense router is the gateway. The issue I have now is when I put the pfSense router behind my home Tomato router, the VPN on both ends shows connected but I cannot ping the corporate network from the workstation at home I have connected to the pfSense router, and likewise from corporate to the pfSense subnet.

Overview of network

Motorola DOCSIS 3.0 Modem (192.168.100.1)

Router 1 "Gateway" (192.168.0.1)
Shibby Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB Big-VPN

Static route to pfSense router:

Destination   Gateway / Next Hop   Subnet Mask     Metric   Interface
10.0.9.0      192.168.0.4          255.255.255.0   0        br0 (LAN)

I have also put 192.168.0.4 in a DMZ in the hope of opening up all ports to the pfSense router.
NAT is set to ALL > MASQUERADE.
DHCP for the 192.168.0.0 network and DNS is handled by my Windows server for the devices in my home.

Router 2 "pfSense" (LAN 10.0.9.254)
WAN IP 192.168.0.4
DHCP scope 10.0.9.10 - 10.0.9.245
1 workstation connected to the LAN (10.0.9.11)
VPN to corporate shows a connection in pfSense on both ends but I cannot access or ping either way.
Corporate is fine, as the other locations currently have a working VPN and I connect fine when the pfSense router is the gateway.
Firewall has been opened to allow ANY connection on the WAN.

I can ping from the 192.168.0.0 network to the 10.0.9.0 network.
I can ping from the 10.0.9.0 network to the 192.168.0.0 network.
I CAN NOT ping from the 10.0.9.0 network to the 10.0.1.0 network (corporate).

netstat -rn from the pfSense router:

Routing tables

Internet:
Destination          Gateway                          Flags   Refs   Use      Netif   Expire
default              192.168.0.1                      UGS     0      347005   re1
10.0.9.0/24          link#3                           U       0      800027   re2
10.0.9.254           link#3                           UHS     0      0        lo0
127.0.0.1            link#14                          UH      0      36       lo0
173.XXX.64.XXX       192.168.0.1                      UGHS    0      5273     re1
192.168.0.0/24       link#2                           U       0      19842    re1
192.168.0.4          link#2                           UHS     0      0        lo0

Internet6:
Destination                      Gateway                          Flags   Netif   Expire
::1                              ::1                              UH      lo0
fe80::%re0/64                    link#1                           U       re0
fe80::20d:b9ff:fe33:8758%re0     link#1                           UHS     lo0
fe80::%re1/64                    link#2                           U       re1
fe80::9644:52ff:fea6:e6f3%re1    link#2                           UHS     lo0
fe80::%re2/64                    link#3                           U       re2
fe80::20d:b9ff:fe33:875a%re2     link#3                           UHS     lo0
fe80::%lo0/64                    link#14                          U       lo0
fe80::1%lo0                      link#14                          UHS     lo0
ff01::%re0/32                    fe80::20d:b9ff:fe33:8758%re0     U       re0
ff01::%re1/32                    fe80::9644:52ff:fea6:e6f3%re1    U       re1
ff01::%re2/32                    fe80::20d:b9ff:fe33:875a%re2     U       re2
ff01::%lo0/32                    ::1                              U       lo0
ff02::%re0/32                    fe80::20d:b9ff:fe33:8758%re0     U       re0
ff02::%re1/32                    fe80::9644:52ff:fea6:e6f3%re1    U       re1
ff02::%re2/32                    fe80::20d:b9ff:fe33:875a%re2     U       re2
ff02::%lo0/32                    ::1                              U       lo0

netstat -rn from the Tomato router:

Kernel IP routing table
Destination       Gateway           Genmask           Flags   MSS   Window   irtt   Iface
67.xxx.252.xxx    0.0.0.0           255.255.255.255   UH      0     0        0      vlan2
10.0.9.0          192.168.0.4       255.255.255.0     UG      0     0        0      br0
192.168.0.0       0.0.0.0           255.255.255.0     U       0     0        0      br0
67.xxx.252.xxx    0.0.0.0           255.255.252.0     U       0     0        0      vlan2
127.0.0.0         0.0.0.0           255.0.0.0         U       0     0        0      lo
0.0.0.0           67.xxx.252.xxx    0.0.0.0           UG      0     0        0      vlan2

VPN is IPsec and, as I said, the testing pfSense router and the corporate pfSense router show the VPN tunnel is connected.

So now I'm stuck. I thought the static route would allow packets through to the pfSense router but no luck. I'm thinking it's a NAT issue but I'm not sure. Any help would be appreciated. Thanks.
-
I am having a similar problem, however my IPSec tunnel shows up on the "remote/host" pfSense box, but not on the "local/client". On the client, I am behind a Cisco DPC3825 so I can't take it out of the loop and make the pfSense box the 1st smart device on the network.
Even when the remote shows the tunnel up, I do not see a route to my local network in the routing table. The local network does not have a route to the host. I know the local network tries to use the tunnel because when I do a traceroute to the remote network it hits the firewall and then gets * * *. When I disable the tunnel the traceroute goes out the front door.
In the client log, I see bi-directional communication with the host on ports 500 and 4500. There are no errors, but no traffic.
-
It looks like it is working now; I had to turn off NAT on the IPsec interface because of the double NATing. I failed to mention that the client is running 2.2-Alpha and the host is 2.1.4. 2.2 has a V1 or V2 option for IKE. I was using V2; it needs to be V1. Also, the IPsec widget on 2.2 does not report the tunnel up when it is. Even when the tunnels are up, neither end shows a route in the routing table.
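To make the two routing tables in the first post, and the "no route in the routing table" observation in the last one, concrete, here is an added Python example that is not part of this thread. It parses both formats (the FreeBSD `netstat -rn` table pfSense prints and the Linux "Kernel IP routing table" Tomato prints), does the same longest-prefix match the kernel does, and reports which next hop and interface a packet for a given destination would take. The sample tables are constructed from the thread's output, with the masked public addresses (67.xxx.252.xxx, 173.XXX.64.XXX) replaced by documentation-range placeholders (192.0.2.x, 198.51.100.7); the corporate subnet 10.0.1.0/24 and the `10.0.1.5` / `10.0.9.11` test hosts are assumptions for the lookups.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None when directly connected (link#N on BSD, 0.0.0.0 on Linux)
    iface: str
    flags: str


# Constructed sample tables modelled on the thread's netstat -rn output; the masked
# ISP addresses are replaced by documentation-range placeholders (assumption).
PFSENSE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Refs    Use   Netif Expire
default            192.168.0.1        UGS         0   347005    re1
10.0.9.0/24        link#3             U           0   800027    re2
10.0.9.254         link#3             UHS         0        0    lo0
127.0.0.1          link#14            UH          0       36    lo0
198.51.100.7       192.168.0.1        UGHS        0     5273    re1
192.168.0.0/24     link#2             U           0    19842    re1
192.168.0.4        link#2             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::1                ::1                UH        lo0
fe80::%re1/64      link#2             U         re1
"""

TOMATO_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
192.0.2.1       0.0.0.0         255.255.255.255 UH    0 0          0 vlan2
10.0.9.0        192.168.0.4     255.255.255.0   UG    0 0          0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0 0          0 br0
192.0.2.0       0.0.0.0         255.255.252.0   U     0 0          0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0 0          0 lo
0.0.0.0         192.0.2.1       0.0.0.0         UG    0 0          0 vlan2
"""


def parse_bsd(text: str) -> List[Route]:
    """Parse the IPv4 section of FreeBSD/pfSense `netstat -rn`; IPv6 rows are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:            # blank lines, section titles, IPv6 rows
            continue
        dest, gw, flags, iface = parts[0], parts[1], parts[2], parts[5]
        try:
            if dest == "default":
                net = ipaddress.IPv4Network("0.0.0.0/0")
            elif "/" in dest:
                net = ipaddress.IPv4Network(dest, strict=False)
            else:                      # BSD prints host routes without a prefix length
                net = ipaddress.IPv4Network(dest + "/32")
        except ValueError:             # header row or non-IPv4 destination
            continue
        routes.append(Route(net, None if gw.startswith("link#") else gw, iface, flags))
    return routes


def parse_linux(text: str) -> List[Route]:
    """Parse Linux `netstat -rn` / `route -n` output ('Kernel IP routing table')."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:             # header row
            continue
        routes.append(Route(net, None if gw == "0.0.0.0" else gw, iface, flags))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing the destination wins."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def has_specific_route(routes: List[Route], subnet: str) -> bool:
    """True when a non-default route covers the whole subnet. For pfSense tunnel-mode
    IPsec this is expected to be False: traffic is selected by the IPsec security
    policy (SPD) before the routing table is consulted, so no route is installed."""
    net = ipaddress.IPv4Network(subnet)
    return any(r.network.prefixlen > 0 and net.subnet_of(r.network) for r in routes)


def describe(routes: List[Route], destination: str) -> str:
    r = lookup(routes, destination)
    if r is None:
        return f"{destination}: no route"
    via = f"via {r.gateway}" if r.gateway else "directly connected"
    return f"{destination}: {r.network} {via} on {r.iface}"


if __name__ == "__main__":
    pf = parse_bsd(PFSENSE_NETSTAT)
    tm = parse_linux(TOMATO_NETSTAT)
    print("pfSense ", describe(pf, "10.0.1.5"))    # corporate host: default route, re1
    print("pfSense ", describe(pf, "10.0.9.11"))   # home workstation: LAN, re2
    print("Tomato  ", describe(tm, "10.0.9.11"))   # static route to pfSense WAN on br0
    print("Tomato  ", describe(tm, "10.0.1.5"))    # corporate host: straight to the ISP
    print("pfSense has a route for 10.0.1.0/24:", has_specific_route(pf, "10.0.1.0/24"))
```

Run against the constructed tables, the lookups show the shape of the setup described in the thread: from Tomato, only 10.0.9.0/24 is sent to 192.168.0.4; a packet for the corporate 10.0.1.0/24 range follows the default route out vlan2, so the static route never helps corporate-bound traffic from the 192.168.0.0 LAN. From pfSense, 10.0.1.5 also matches only the default route, which is the normal picture for policy-based IPsec: the tunnel is chosen by the SPD, not the routing table, so the missing route on its own does not indicate a broken tunnel; the double NAT that the last reply fixed by disabling NAT on the IPsec interface is the more likely place to look.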