Netgate Discussion Forum

    [SOLVED] PFSense 2.2.4 + OpenVPN 2.3.8: Can not create OpenVPN connection

    OpenVPN
    24 Posts 4 Posters 6.4k Views
      Bunkai.Satori

      Hi Johnpoz,

      I am getting really good information from you. Yes, to be honest, I was completely unaware of RFC1918 and of any regulation of which private address space I should use. I have many times wondered why internal IP address spaces usually start with 172.16.x.x or 192.168.x.x, and why administrators are not a bit more creative. Now I understand.

      So to move next step further, I would then go with: 172.20.20/23

      This should be in accordance with what you and others told me. So I hope it will pass even your judgement. :-) However, if there is anything wrong with my selection, please do not hesitate to tell me. :-) Thank you.

      johnpoz LAYER 8 Global Moderator

        That would be fine. I personally think /23 is fairly large. Do you have that many devices?

        Keep in mind that while 172.20.20/23 is a valid private network, 172.20.19/23 would not be, since it doesn't fall on the border; that would be a host in the 172.20.18/23 network.

        It would behoove you to do a bit of reading on networking. If you have any questions on subnets, etc., PM me, I'd be happy to help.

        /24 or 255.255.255.0 is a very good border because it is human friendly: you can read very quickly what the network is and what the host is. When you get something like your 172.20.20.0, while that is a network, 172.20.21.0 is a host if your mask is /23, and 172.20.20.255 is also a valid address with a /23 mask but would be the broadcast address if /24.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

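To make the border rule in the post above concrete, here is an added Python example (not from the thread and not pfSense code) that uses the standard library ipaddress module to classify the addresses being discussed: which prefixes are valid network boundaries, and how the very same address changes role between a /23 and a /24 mask. The function names are mine.

```python
import ipaddress


def valid_network(cidr):
    """True if cidr names a network boundary (no host bits set under its prefix).

    172.20.20.0/23 is on the border; 172.20.19.0/23 is not, because the third
    octet must be even for a /23 block.
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def describe(addr_with_prefix):
    """Return (network address, broadcast address, on_border) for an address/prefix.

    on_border is True when the address is the first address of the block it falls
    in, i.e. it is the network ID for that prefix length.
    """
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    return (
        str(net.network_address),
        str(net.broadcast_address),
        iface.ip == net.network_address,
    )


def role(addr, prefix_len):
    """Classify addr as 'network', 'broadcast' or 'host' under a given prefix length."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix_len}")
    if iface.ip == iface.network.network_address:
        return "network"
    if iface.ip == iface.network.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    # The addresses from the post: same dotted quad, different meaning per mask.
    for cidr in ("172.20.20.0/23", "172.20.19.0/23"):
        print(cidr, "valid network:", valid_network(cidr), describe(cidr))
    for addr in ("172.20.21.0", "172.20.20.255"):
        print(addr, "/23 ->", role(addr, 23), "| /24 ->", role(addr, 24))
```

The strict=True check is the same one pfSense-style address validation relies on: a CIDR whose host bits are set is rejected rather than silently rounded down to the real block.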
          Bunkai.Satori

          Hi Johnpoz,

          thank you for this valuable information. To answer your question whether I have so many devices: no, I don't. However, the reason why I have decided on a /23 subnet mask is that almost all the computers connected to this LAN will use Intel AMT. Intel AMT technology allows me to connect to all of them via KVM at the hardware level. This is important because the LAN will be over 300 km away from me and I need to have a good KVM connection.

          Regarding the reserved address space, I plan the following:

          • The computers and other devices will use the range: 172.20.20.1 - 172.20.20.254

          • Intel AMT KVM IP addresses will use the range: 172.20.21.1 - 172.20.21.254

          • Device IP Address and its KVM IP Address will have identical last octets from their IP Addresses

          An Example:

          A server on this network will have its IP Address 172.20.20.1, while Intel AMT KVM IP Address to this device will be: 172.20.21.1.

          This is my solution to making access to the devices transparent and easy to use. At this moment it is hard for me to say whether this level of transparency outweighs my /23 address space, but after evaluating what you've just told me, I think I will not do too much harm keeping this kind of address space. I would be happy to hear what you think. Thank you.

          Kind regards,

            johnpoz LAYER 8 Global Moderator

            Why would you not put the KVM IP space on its own segment? So you have 172.20.20.0/24 for your devices and 172.20.21.0/24 for your KVM IPs.

            Now it becomes very easy to control access into this KVM segment.

              Bunkai.Satori

              To answer the question why: well, just for transparency reasons. Yes, you are correct, I have 172.20.20.0/24 for my devices and 172.20.21.0/24 for my KVM IPs.

              In other words, if I know that a device has IP address 172.20.20.10, then its KVM must be 172.20.21.10. I do not need any further table, and I know the KVM address out of my head.

                johnpoz LAYER 8 Global Moderator

                Well, if you have two /24s, why are you thinking you need to use a /23?

                  Bunkai.Satori

                  Well if you have 2 /24 why are you thinking you need to use a /23??

                  Well, with my limited knowledge I think that I establish a VPN network from my remote network to the target network. It means I have to define my destination network when configuring OpenVPN.

                  If I enter 172.20.20.0/24 as my destination network (IPv4 Local Network in OpenVPN Tunnel Settings) I will be able to reach the devices but not their KVM IP addresses accessed through 172.20.21.0/24.
                  If I enter 172.20.21.0/24 as my destination network (IPv4 Local Network in OpenVPN Tunnel Settings) I will be able to reach KVMs but not the devices themselves accessed through 172.20.20.0/24.

                  Maybe that is completely incorrect, but it is how I see it now. Entering 172.20.20.0/23 will allow me to access both, the devices and their KVMs.

                    thermo

                    Two /24 networks are a better solution. What would you do if you wanted to allow someone access to the desktop network but not the KVM network?
                    You can add additional network routes in the openvpn additional options section.

                      Bunkai.Satori

                      Hi Thermo,

                      thank you very much for your comment. Knowing how to access two networks will definitely be a good thing to know, and yes, as you said, two /24 networks may be a better solution. I will take a look at this. Thank you.

                        johnpoz LAYER 8 Global Moderator

                        So you put in multiple networks as your local networks, or just route the /23 even though you have /24s. You could just route 172.16/12 if you wanted to.

                          Bunkai.Satori

                          Hi Johnpoz, Thermo,

                          I have redone that, as you recommended. As part of my learning process it was a great exercise:

                          • IPv4 Tunnel Network: 192.168.188.0/24

                          • IPv4 Local Networks: 192.168.168.0/24, 192.168.169.0/24

                          It is correct that I will now have a bit more flexibility to grant access to only one network if needed. Thank you.

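As an added example (not from the thread and not pfSense's generated configuration), the following Python shows what the two-/24 design settled on above buys in terms of access control. It renders a list of local networks as OpenVPN push "route" lines, collapses them to show that two aligned /24s are exactly the one /23 johnpoz mentioned, and tests whether a given host is covered by the networks a client is allowed to reach. The profile names, and the assumption that the IPv4 Local Networks field ends up as pushed routes on the remote side, are mine.

```python
import ipaddress


def push_route_lines(local_networks):
    """Render CIDR strings as OpenVPN 'push "route <net> <mask>"' directives.

    Assumption (constructed example): the IPv4 Local Networks entries are what
    the remote side learns as routes. strict=True rejects a CIDR whose host bits
    are set, e.g. 172.20.19.0/23, instead of silently routing a different block.
    """
    lines = []
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def summarize(local_networks):
    """Collapse the networks into the fewest covering prefixes.

    Two adjacent, aligned /24s (e.g. 192.168.168.0/24 + 192.168.169.0/24)
    become a single /23, which is why a /23 local network reached both before.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in local_networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def reachable(host, local_networks):
    """True if host lies inside any network advertised to this client."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(c, strict=True) for c in local_networks)


# Constructed access profiles using the thread's final addressing:
# the device LAN and the KVM (Intel AMT) LAN as separate /24s.
FULL_ACCESS = ["192.168.168.0/24", "192.168.169.0/24"]
DESKTOPS_ONLY = ["192.168.168.0/24"]


if __name__ == "__main__":
    for name, profile in (("full", FULL_ACCESS), ("desktops-only", DESKTOPS_ONLY)):
        print(f"[{name}] summary: {summarize(profile)}")
        for line in push_route_lines(profile):
            print("   ", line)
        for host in ("192.168.168.10", "192.168.169.10"):
            print(f"    {host} reachable: {reachable(host, profile)}")
```

The point thermo raised falls out directly: with the /23 there is one route and every client gets the KVM segment; with two /24s the KVM route can simply be left out of a client's set, and the firewall rules on the pfSense side can be written per segment as well.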
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.