Accessing a server with a GW on a different pfSense
-
server2 sends its response packets to pfSense2, since this is the default gateway. Routing the packets from pfSense2 to pfSense1 will not work properly.
If you don't want to add a static route to each host which isn't using pfSense1 as its default gateway, you can resolve your issue by doing NAT for these connections. To do so, you need an outbound NAT rule on pfSense1 to translate the source address of VPN packets destined to server2 (and the others) to the interface address on the LAN interface. So responses will be addressed to pfSense1's LAN IP.
However, this has the disadvantage that each connection from a VPN client seems to come from pfSense1 at server2. So if you have more than one VPN client, there is no way to determine the client at server2.
-
Thanks for your answer.
Unfortunately, NAT will not be a solution for me.
I tried this setting on pfSense2 :
On pfSense2, I tried to add a Gateway on the LAN interface to the LAN interface of pfSense1,
and to add a route using this Gateway for routing the packets to the OpenVPN client, but it does not help.
I thought I could tell pfSense2: whenever it receives some packet for my VPN network, to forward it to pfSense1 using my LAN Gateway.
Do you know why such a solution does not work?
Thanks,
Hakim
-
please draw a proper schematic that includes ip's & subnets
this seems fairly straightforward, you probably just need the correct routes on both pfsense's
-
please draw a proper schematic that includes ip's & subnets
        WAN1                               WAN2
         |                                  |
OpenVPN / pfSense1                       pfSense2
(192.168.1.0/28) (192.168.0.1)           (192.168.0.2)
         |                                  |
server1 -------------------------------- server2 (192.168.0.22)
(GW : pfSense1)          LAN             (GW : pfSense2)
                   (192.168.0.0/254)
Is it OK?
-
Not really. ;)
Ascii maps are a pain in the butt
So both sites run the same subnet? You gonna need to change that. (or nat one end)
-
So both sites run the same subnet?
Yes
@heper: You gonna need to change that. (or nat one end)
It is not an option. This is the design of my network (which is a lot simplified in the example given above).
Could anyone explain why the following solution does not work?
- on pfSense2 : adding a Gateway :
  - Name : GW_LAN
  - Interface : LAN
  - Gateway : 192.168.0.1 (address of pfSense1 on the LAN)
- on pfSense2 : adding a Static route :
  - Destination network : 192.168.1.0/28 (OpenVPN)
  - Gateway : GW_LAN
Thanks,
Hakim
-
LAN1<– openvpn_site2site --> LAN2
a) LAN1&2 have identical subnets this means there are entries in the routing table on each site, for that subnet already
b) routing is not possible when both have the same subnets
c) using gateways does not solve this in any way because of a)
If you have no way to change either LAN1_subnet or LAN2_subnet then, in my humble opinion, the only way to hack your way around it is by using some form of NAT; the easiest would be a 1:1 NAT on each end.
Oh yea, you could probably also abandon routing altogether and bridge your vpn ..... performance will be "terrible" as you would be sending a bunch of broadcasts over a high-latency link.
enjoy :-)
-
Thanks for your answer
LAN1<– openvpn_site2site --> LAN2
This is not really how I see my network, and my issue, so I am not sure we are talking about the same thing.
On my single LAN, I have :
- pfSense1 (on which I connect through an OpenVPN)
- server1
- server2
- pfSense2 (on which I could also connect through another OpenVPN - but to keep things simple, I did not mention it)
a) LAN1&2 have identical subnets this means there are entries in the routing table on each site, for that subnet already
b) routing is not possible when both have the same subnets
c) using gateways does not solve this in any way because of a)
This, I do not understand. My routing issue is about routing packets from server2 to the OpenVPN network.
What is working :
1/ on pfSense 1, I can see my packets "OpenVPN -> server2" (on the LAN interface)
2/ on pfSense 2, I can see my packets "server2 -> OpenVPN" (on the LAN Interface) (so I know the server2 receives the packets and is responding)
What is missing :
3/ on pfSense1, I do not see the packets "server2 -> OpenVPN"
This is why I would like to find a way so that, when pfSense2 receives the packets for "OpenVPN", it forwards these packets to pfSense1 using the route I provide.
I have no problem with routing to my servers (server1 or server2); the only issue is about routing back to a different network (in my case an OpenVPN connection, but it could as well have been another server on a different network, and I would have the same issue).
-
your openvpn is a transit-network …. packets go THROUGH it instead of TO.
let's replace openvpn by 'road' & subnet by 'town'. This road connects multiple towns.
a car enters the road at a T-shaped crossroad.
the driver wants to go to TOWN_A.
there is a roadsign that says TOWN_A GO LEFT & there is also a roadsign that says TOWN_A GO RIGHT.
the driver doesn't know where to go to get to TOWN_A
-
While I like the analogy.. It's a bit different, it's not that there are 2 signs that say Town_A.. The problem is more like hey I am already in Town_A, why should I take that road that says Town_A on it when I am already in Town_A..
The proper solution would be to renumber Town_B, so now driver says hey I want to Go to Town_B, and I am in Town_A - guess I go down this road…
Your other solution is to NAT it at pfsense..
I am still confused with your ascii art.. Can you not break out your crayons and a napkin and draw this? But it seems that you're saying you have another pfsense that shares a common lan segment? While server 1 on this shared common lan 192.168.0/24 points to pfsense 1 192.168.0.1 as its gateway, server 2 points to pfsense2 as its gateway on 192.168.0.2
So looks to me you have this - see attached.
So this vpn client gets a tunnel IP, let's call it 10.0.100.42/24, when connected to pfsense1. Now I would use a different tunnel on pfsense2, let's call it 10.0.200.0/24
So if you want to be able to access server 2 while you're vpn'd into pfsense 1, you need to create a route on server 2 that says hey when you want to talk to 10.0.100/24 talk to pfsense 1 192.168.0.1
You could then put a route on server 1 that points 10.0.200/24 to pfsense 2 192.168.0.2
What is the point of such a design to be honest? Why don't you just use 1 pfsense box with 2 wan? You could still even have 2 pfsense boxes and setup CARP so both wans can be accessed.
I really do not see the point of such a setup.. If I am understanding your setup that is..
I would not suggest trying to create a route on pfsense 2 pointing the tunnel network 10.0.100/24 to pfsense 1 lan IP, since this for starters is a hairpin, and going to lead to asynchronous routing.. For your setup to work you need to create host routes on the server you want to talk to that point to the correct pfsense for the tunnel network that you're handing out to the vpn clients, or site to site vpn, etc.
But what I would really suggest is fix this so pfsense has both wans, I really do not see what you think you're gaining by using 2 pfsense boxes?
-
Thanks for your answers
your openvpn is a transit-network …. packets go THROUGH it instead of TO.
Yes I understand this. It was kind of a "shortcut" : it was shorter to talk about "OpenVPN" rather than about "the machine connected through OpenVPN"
So looks to me you have this - see attached.
Your drawing is really better than mine (except I do not see Internet as such a dark cloud) ;) Yes it is my network config.
The reason I have such a config is because pfSense1 and server1 are virtual machines hosted on host1, while pfSense2 and server2 are virtual machines hosted on host2.
Host2 acts as a backup of host1, and I wanted the settings of server2 (and all the other servers, configured that way) to be ready and operational.
I would not suggest trying to create a route on pfsense 2 point to the tunnel network 10.0.100/24 to pfsense 1 lan IP
So is this the reason why the static route I set on pfSense2 (as described before - adding a "green arrow" on your drawing from pfSense2 to pfSense1) does not work?
Is there a (short) explanation why a "simple" static route will not do the trick? I was expecting that if there is a "sign" in pfSense2 saying "to go to OpenVPN : follow the direction to pfSense1", and when you're in pfSense1, ask someone…
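As an added illustration of the routing question in this thread (not from any participant's post): a longest-prefix-match trace of the request and reply paths using the thread's addresses. It assumes a 192.168.0.0/24 LAN, johnpoz's 10.0.100.0/24 tunnel with a client at 10.0.100.42, and that the OpenVPN client has a pushed route for the LAN via pfSense1.

```python
# Added example, not from any post in this thread: longest-prefix-match route lookups
# tracing server2's reply to an OpenVPN client with the thread's addresses (assumed /24 LAN).
import ipaddress
LAN, TUNNEL = "192.168.0.0/24", "10.0.100.0/24"          # tunnel net from johnpoz's post
PFSENSE1, PFSENSE2 = "192.168.0.1", "192.168.0.2"
SERVER2, CLIENT = "192.168.0.22", "10.0.100.42"          # client address is constructed
LAN_HOSTS = {PFSENSE1, PFSENSE2, SERVER2}

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop); next_hop None means on-link."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def build_tables(server2_host_route=False, pfsense2_static_route=False):
    """Routing tables of the devices as the thread describes them."""
    t = {
        CLIENT:   [(TUNNEL, None), (LAN, PFSENSE1)],                     # route pushed by OpenVPN
        PFSENSE1: [(LAN, None), (TUNNEL, None), ("0.0.0.0/0", "WAN1")],  # tunnel is on-link here
        PFSENSE2: [(LAN, None), ("0.0.0.0/0", "WAN2")],
        SERVER2:  [(LAN, None), ("0.0.0.0/0", PFSENSE2)],                # default GW = pfSense2
    }
    if server2_host_route:      # johnpoz's suggestion: the route lives on the server
        t[SERVER2].insert(0, (TUNNEL, PFSENSE1))
    if pfsense2_static_route:   # Hakim's attempt: static route on pfSense2 via GW_LAN
        t[PFSENSE2].insert(0, (TUNNEL, PFSENSE1))
    return t

def trace(tables, src, dst, max_hops=6):
    """Follow next hops from src until on-link delivery or an unknown hop (a WAN)."""
    path, node = [src], src
    for _ in range(max_hops):
        nh = lookup(tables[node], dst)
        if nh is None:          # destination is on-link: delivered
            return path + [dst]
        path.append(nh)
        if nh not in tables:    # left the LAN towards a WAN: the reply never reaches the client
            return path
        node = nh
    return path + ["loop"]

def hairpins(path):
    """Hops that receive and re-send on the same LAN segment (an asymmetric return path)."""
    return [h for p, h, n in zip(path, path[1:], path[2:]) if p in LAN_HOSTS and n in LAN_HOSTS]

def symmetric(forward, back):
    """True when the reply retraces the request hop for hop."""
    return forward == back[::-1]
```

With the static route on pfSense2 the trace shows the reply entering and leaving pfSense2 on the LAN and taking a different path than the request; with the host route on server2 the reply retraces the request.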