[SOLVED] Pfsense-OpenVPN internal routing problem? [ BUG IN VPN/ROUTING SYS?]
-
Hi I am getting crazy with a site to site openvpn setup, and finally I decided to ask for advice to you before losing my mind.
I have a scenario like this:
Site A Site B
a–-----b-----c-------INET---------d------e--------fa- Site A LAN network host ip addresses
b- Site A Firewall Lan IP address (Default gw for Site A hosts).
c- Virtual OpenVPN Interface On Site A side from tunnel stablished to site B
d- Virtual OpenVPN Interface On Site B side from tunnel stablished to site A
e- Site B Firewall LAN IP address (Default gw on Site B hosts).
f- Site B Lan network host ip addressesSite B acts as client and Site A act as server.
Version of Pfsense on site A is 2.2.6 and Pfsense on Site B is 2.3Now tests:
from Site A Network (a) can ping to both virtual openvpn interfaces (c and d)
from Site B Netowrk (f) can ping to both virtual openvpn interfaces (d and c)
from Pfsense Virtual OpenVPN interface at site A (c) I can ping Site B Firewall LAN interface (d) and entire Site B LAN network (e and f).
from Pfsense Virtual OpenVPN interface at Site B (d) I can ping Site A Firewall LAN interface (b) and entire Site A LAN network (a and b)And the problem is I cant reach from Site A LAN the Site B LAN or reverse, It seems Pfsense is not working ok with routes, at firewall logs I did not see any packet blocked, openvpn interfaces hace allow any rules on both sides to simplify scenario.
¿Any idea?
-
So have you entered your LAN networks at "IPvX Local Network/s" and "IPvX Remote Network/s" at server and client config?
Remember that some PC firewalls like Windows firewall do not allow access (also ping) from remote networks by default. You will have to explicitly allow that access in the config or deactivate the firewall.
-
Try some other means of testing your remote clients, for example if one is a web server try accessing it via the internal IP rather than the domain name.
I have a similar issue on one of my lionks (still diagnosing) where I cant see a server on ping but I can access it.
M
-
Thx for your reply.
On Both sides are defined:
IPv4 Tunnel Network
IPv4 Local Network/s
IPV4 Remote Network/sAnt if you look for routes at each firewall routes for remote LAN network exists on each side, it must being used to reach remote LAN from OpenVPN tunnel Network interfaces, but if that route exists why can not ping from Local LAN firewall interface to Remote LAN firewall interface?
Test of tunnels can be done just using pings to and from pfsense interfaces so no problem with other firewalls or service just ping is enought to check connectivity, when I be able to real remote lan firewall if from local lan firewall if tunnel works, but that point have not been reached.
¿Any other ideas about why is a openvpn route is being used by pings from a virtual interface and not from local lan?
-
I found it!!!
I had an old IPSEC setup that connected the remote network from SITE B until now (actually does not work and it is disconnected).
But phase2 from ipsec appears to have priority over routing table, even if ipsec tunnel is not connected.
I disabled IPSEC tunnel and pings started to cross openvpn tunnel from local LAN to remote LAN and reverse without problems.
Now my doubt is … this is normal? is the best and spected way of work?If ipsec phase2 routes have priority, I think they must me shown at routing table to keep track on them and avoid this kind of problems.
Best regards
-
As far as I know the way IPSEC works it hijacks traffic before it ever hits the normal routing process AND the IPSEC "routes" that are called security associations never appear in the normal routing table either.
-
Yes, but at the web interface you can use standard routing table and add the ipsec security associations info to have all the routing related info in a single place [IMHO]…