How to reach another network from my OpenVPN connection
-
Hi!
I have a LAN on a remote location: 192.168.30.0/24
On the same network I've installed XenServer and an additional (virtual, inside XenServer) pfsense with two subnets. So for this second pfsense:
WAN: 192.168.30.105
LAN: 192.168.40.0/24 (dhcp-enabled)
OPT: 192.168.50.0/24 (dhcp-enabled)
My OpenVPN can connect to both pfSenses at 192.168.30.1 and 192.168.30.105 and reach both web UIs.
Now, I want to reach a specific host: 192.168.50.100 (a web page, port 80)
I found the route command on my Windows PC.
I added a route similar to the OpenVPN interface I have, so the entries look like:
192.168.30.0 255.255.255.0 10.0.8.1 10.0.8.2 20
192.168.40.0 255.255.255.0 10.0.8.1 10.0.8.2 40
192.168.50.0 255.255.255.0 10.0.8.1 10.0.8.2 40
(I'm not sure about the metric value "40". I typed 20 but my PC set it to 40 anyway.)
But I can't reach any of the 192.168.40 or 50 networks.
Neither can pfsense at 192.168.30.1 (tried pinging) - so I'm thinking I need to add two routes here as well.
My guess is System - Routing - Static routes, and enter the 2 networks 192.168.40/24 and 192.168.50.0/24 with 192.168.30.105 as gateway.
However the help page is warning me (https://doc.pfsense.org/index.php/Static_Routes):
> Routes do not need to be added for networks which are directly connected to any interface of the firewall, and doing so may cause problems.
> Never add static routes for networks reachable via OpenVPN
I guess this doesn't apply in this case. But I'm worried I'll mess something up. I really don't want my vpn to go down.
Am I on the right track?
Can I add the 2 routes in pfsense so it will start working, without breaking anything? (I think I also have to do a port forward of port 80 on my virtual pfsense at 192.168.30.105)
-
The routes for your networks are already set by OpenVPN. There are no more routes necessary to access your LAN hosts.
Are there firewall rules in place on OpenVPN tab, which allow access to your networks?
And, I don't know if this is the cause, but why have you set the check at Topology in server config?? If you have no particular reason, uncheck it.
-
> The routes for your networks are already set by OpenVPN. There are no more routes necessary to access your LAN hosts.
> Are there firewall rules in place on OpenVPN tab, which allow access to your networks?
> And, I don't know if this is the cause, but why have you set the check at Topology in server config?? If you have no particular reason, uncheck it.
Thank you viragomann for your reply.
I think I might have been a bit undescriptive. I can't write nice network maps like some people. It doesn't come out good whenever I try :/
I can reach the LAN fine on my VPN-connection. I want to reach another network.
I have 3 routers on the physical network.
Random router I can not get rid of: 192.168.1.1
pfsense#1: 192.168.1.2 (DMZ'd) with 2 subnets: 192.168.20.0/24 and 192.168.30.0/24 (this physical machine has 3 NICs)
OpenVPN goes against 192.168.30.0/24 - and accessing hosts on this network works fine, including pfsense#2.
Then I have pfsense#2 at 192.168.30.105 with 2 additional subnets: 192.168.40.0/24 and 192.168.50.0/24 (this physical machine only has 1 NIC. This is my XenServer. pfSense#2 is virtual, as are its subnets).
All of the subnets have internet access.
Now I want to reach a web site on 192.168.50.100 over my VPN, from my vpnIP 10.0.8.2
I went ahead and added a route on my local PC:
route ADD 192.168.50.0 MASK 255.255.255.0 10.0.8.1 METRIC 20 IF 14
Then I added a gateway on pfsense#1 with IP 192.168.30.105 with interface OPT1
Then I added a static route:
Network          Gateway                              Interface  Description
192.168.50.0/24  virtualpfSense_50 - 192.168.30.105   OPT1       route to 192.168.50.0
Now I think I kind of reached my destination. I could see my attempt to reach the desired host was blocked by the firewall on pfsense#2 in my firewall system log.
So I added a rule from the firewall by choosing "Easy rule: Pass this traffic". I think the traffic is passed. I can see trying to access port 8080 on the host being blocked, but not 80.
I'm still stuck though, because my browser still tells me:
This site can’t be reached
The connection was reset.
Also tried to port forward 80. No luck
Interface  Protocol  Source Address  Source Ports  Dest. Address  Dest. Ports  NAT IP          NAT Ports
WAN        TCP       *               *             WAN address    80 (HTTP)    192.168.50.100  80 (HTTP)
EDIT:
Found a packet capture utility under Diagnostics (very cool!)
Downloaded to and exported from Wireshark:
1 0.000000 10.0.8.2 192.168.50.100 TCP 66 52185→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
2 0.000206 192.168.50.100 10.0.8.2 TCP 66 80→52185 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
3 0.001687 10.0.8.2 192.168.50.100 TCP 66 52186→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
4 0.001747 192.168.50.100 10.0.8.2 TCP 66 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
5 0.032244 10.0.8.2 192.168.50.100 TCP 60 52185→80 [ACK] Seq=1 Ack=1 Win=66048 Len=0
6 0.038007 10.0.8.2 192.168.50.100 HTTP 479 GET / HTTP/1.1
7 0.038069 192.168.50.100 10.0.8.2 TCP 54 80→52185 [ACK] Seq=1 Ack=426 Win=65856 Len=0
8 0.042431 192.168.50.100 10.0.8.2 HTTP 339 HTTP/1.1 302 FOUND (text/html) (text/html)
9 0.339956 10.0.8.2 192.168.50.100 HTTP 479 [TCP Retransmission] GET / HTTP/1.1
10 0.340037 192.168.50.100 10.0.8.2 TCP 54 [TCP Dup ACK 7#1] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
11 0.937677 10.0.8.2 192.168.50.100 HTTP 479 [TCP Retransmission] GET / HTTP/1.1
12 0.937750 192.168.50.100 10.0.8.2 TCP 54 [TCP Dup ACK 7#2] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
13 2.137039 10.0.8.2 192.168.50.100 HTTP 479 [TCP Retransmission] GET / HTTP/1.1
14 2.137121 192.168.50.100 10.0.8.2 TCP 54 [TCP Dup ACK 7#3] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
15 3.000946 10.0.8.2 192.168.50.100 TCP 66 [TCP Spurious Retransmission] 52186→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
16 3.001026 192.168.50.100 10.0.8.2 TCP 66 [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
17 3.055443 192.168.50.100 10.0.8.2 HTTP 339 [TCP Retransmission] HTTP/1.1 302 FOUND (text/html) (text/html)
18 4.540066 10.0.8.2 192.168.50.100 HTTP 479 [TCP Retransmission] GET / HTTP/1.1
19 4.540147 192.168.50.100 10.0.8.2 TCP 54 [TCP Dup ACK 7#4] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
20 6.034321 192.168.50.100 10.0.8.2 TCP 66 [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
21 9.001611 10.0.8.2 192.168.50.100 TCP 62 [TCP Spurious Retransmission] 52186→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 SACK_PERM=1
22 9.001692 192.168.50.100 10.0.8.2 TCP 66 [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
23 9.272365 192.168.50.100 10.0.8.2 HTTP 339 [TCP Retransmission] HTTP/1.1 302 FOUND (text/html) (text/html)
24 9.340771 10.0.8.2 192.168.50.100 HTTP 479 [TCP Retransmission] GET / HTTP/1.1
25 9.340838 192.168.50.100 10.0.8.2 TCP 54 [TCP Dup ACK 7#5] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
26 12.047404 192.168.50.100 10.0.8.2 TCP 66 [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
27 15.047443 192.168.50.100 10.0.8.2 TCP 66 [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
28 18.074502 192.168.50.100 10.0.8.2 TCP 66 [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
29 18.934130 10.0.8.2 192.168.50.100 TCP 60 52185→80 [RST, ACK] Seq=426 Ack=1 Win=0 Len=0
Does this tell anyone anything?
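As an added example (not part of the thread), here is a small Python script that reads Wireshark summary lines in the format posted above and counts retransmissions and duplicate ACKs per direction, so a capture like this one can be read mechanically. The embedded frames are a subset of the capture above, and the client address 10.0.8.2 is the VPN address from the post.

```python
import re
from collections import Counter

# Frames taken from the Wireshark summary posted above (a subset; capture on pfSense#2 WAN).
CAPTURE = """\
1 0.000000 10.0.8.2 192.168.50.100 TCP 66 52185→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
2 0.000206 192.168.50.100 10.0.8.2 TCP 66 80→52185 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
6 0.038007 10.0.8.2 192.168.50.100 HTTP 479 GET / HTTP/1.1
7 0.038069 192.168.50.100 10.0.8.2 TCP 54 80→52185 [ACK] Seq=1 Ack=426 Win=65856 Len=0
9 0.339956 10.0.8.2 192.168.50.100 HTTP 479 [TCP Retransmission] GET / HTTP/1.1
10 0.340037 192.168.50.100 10.0.8.2 TCP 54 [TCP Dup ACK 7#1] 80→52185 [ACK] Seq=286 Ack=426 Win=66240 Len=0
15 3.000946 10.0.8.2 192.168.50.100 TCP 66 [TCP Spurious Retransmission] 52186→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1353 WS=256 SACK_PERM=1
16 3.001026 192.168.50.100 10.0.8.2 TCP 66 [TCP Retransmission] 80→52186 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1353 WS=64 SACK_PERM=1
29 18.934130 10.0.8.2 192.168.50.100 TCP 60 52185→80 [RST, ACK] Seq=426 Ack=1 Win=0 Len=0
"""

# Wireshark summary columns: No. Time Source Destination Protocol Length Info
LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def parse(text):
    frames = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            no, _t, src, dst, _proto, length, info = m.groups()
            frames.append({"no": int(no), "src": src, "dst": dst, "len": int(length), "info": info})
    return frames

def diagnose(frames, client):
    """Count TCP loss symptoms per direction and name the path that is dropping packets."""
    c = Counter()
    for f in frames:
        d = "c2s" if f["src"] == client else "s2c"
        info = f["info"]
        if "Retransmission" in info:
            c[d + "_retrans"] += 1
        if "Dup ACK" in info:
            c[d + "_dupack"] += 1
        # A client RST that still acknowledges only byte 1 means no server payload ever arrived.
        if "[RST" in info and f["src"] == client and re.search(r"\bAck=1\b", info):
            c["client_rst_ack1"] += 1
    # Server dup-ACKs every retransmitted GET, so it got the data and its replies are what is lost.
    if c["c2s_retrans"] and (c["s2c_dupack"] or c["s2c_retrans"]):
        verdict = "server->client path drops packets"
    elif c["c2s_retrans"]:
        verdict = "client->server path drops packets"
    else:
        verdict = "no loss symptoms"
    return dict(c, verdict=verdict)
```

Run on the full capture the reading is the same: 192.168.50.100 acknowledges the GET and re-sends the 302, yet 10.0.8.2 keeps retransmitting and finally resets with Ack=1, so the replies are lost on the way back to the VPN client.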
-
> I went ahead and added a route on my local PC:
> route ADD 192.168.50.0 MASK 255.255.255.0 10.0.8.1 METRIC 20 IF 14
The correct way is to add the subnet you want to reach over VPN in the VPN server setting at "IPv4 Local Network/s". So it will be pushed to the client when the VPN connection is established.
> EDIT:
> Found a packet capture utility under Diagnostics (very cool!)
> Downloaded to and exported from Wireshark: [packet capture as posted above]
> Does this tell anyone anything?
On which interface was this taken? At pfSense2 take a packet capture on the WAN interface.
Is pfSense 1 the upstream gateway of pfSense 2, or is there another way to the internet?
-
> On which interface is this taken? At pfSense2 take a packet capture on WAN interface.
> pfSense 1 is the upstream gateway on pfSense 2 or is there another way to the internet?
This is from pfsense2 (192.168.30.105) on the WAN interface with a filter for host address 192.168.50.100.
I think pfsense is the upstream gateway of pfsense2, yes. I'm not familiar with the term.
Basically it goes:
Internet -> Router#1 -> (DMZ) pfSense#1 -> pfSense#2
EDIT: Corrected wrongly typed IP for pfsense#2
-
> On which interface is this taken? At pfSense2 take a packet capture on WAN interface.
> pfSense 1 is the upstream gateway on pfSense 2 or is there another way to the internet?
> This is from pfsense2 (192.168.30.105) on WAN interface with filter for host address: 192.168.50.100
> I think pfsense is upstream gateway of pfsense2 yes. I'm not familiar with the term
So you should also see this if you take a packet capture at pfSense 1 on DMZ and OpenVPN, right?
-
> On which interface is this taken? At pfSense2 take a packet capture on WAN interface.
> pfSense 1 is the upstream gateway on pfSense 2 or is there another way to the internet?
> This is from pfsense2 (192.168.30.105) on WAN interface with filter for host address: 192.168.50.100
> I think pfsense is upstream gateway of pfsense2 yes. I'm not familiar with the term
> So you should also see this if you take a packet capture at pfSense 1 on DMZ and OpenVPN, right?
Yes I should. The capture is from the WAN-side of pfSense2
It has interfaces:
WAN   manual  192.168.30.105
LAN   manual  192.168.40.1
OPT1  manual  192.168.50.1
And pfsense1 looks like:
WAN   1000baseT <full-duplex>                              192.168.1.2
LAN   100baseTX <full-duplex>                              192.168.20.1
OPT1  1000baseT <full-duplex,flowcontrol,rxpause,txpause>  192.168.30.1
EDIT:
Packet capture looks exactly the same when running on pfSense#1 (192.168.30.1) for the OpenVPN interface.
EDIT#2:
I'm starting to believe it is either a pfSense2 issue, or a XenServer issue.
In XenServer I've simply created 2 VLANs, 1 and 2.
My previous statement that the VMs under pfsense2 have internet access only seems to be half truth.
Pinging works fine. I get decent latency, I think ~10ms to hosts in my country, ~150ms for pfsense.org, with no packet loss.
Tried accessing a host over ssh. I can see in the host's auth.log that I'm trying to connect. Then my ssh client on my PC just disconnects. Something about a socket, afraid I can't remember the exact message.
However when I tried a wget, it got stuck on waiting for HTTP response. I had to cancel it.
Tried a netinstall of Debian - it took forever. Eventually it said it could not reach the mirror.
Went ahead and did a netinstall on the same network as the XenServer host (pfSense1) - no issues at all. wget works fine, getting 27MB/s.
Guess I'll have to search around for XenServer VLAN performance a bit…
EDIT#3:
Well this looks like it!
https://forum.pfsense.org/index.php?topic=85797.0
I'll give it a try next time I can.