Networks routed from a pfSense box not accessible from an OpenVPN site (P2P PKI)
Hello all
First, sorry for my poor English.
I'm having a problem I'm unable to resolve and hope someone can help me.
I have a place with a pfSense box that routes 2 other networks, one with another pfSense and other(s) with a Cisco router supplied by the ISP.
I have a remote site connected with OpenVPN Peer to Peer (SSL/TLS) working "well". I mean "well" because I can access the LAN networks from one site or the other (and vice versa), but from the remote site (pfSense3) LAN I can't access the networks provided by the Cisco or the 172.16.10.0/26 provided by pfSense 2 (see the attached image).
Those networks are accessible from the pfSense LAN network. They are also accessible by OpenVPN road warrior users. They are even accessible from pfSense3 itself (from its shell), but not from its LAN network.
I've spent several days trying everything I know. The routes are pushed from pfSense1 to pfSense3. I've reviewed the rules again and again; everything passes.
I suppose I'm missing something here, but I don't know what.
This is the routing table in the pfSense3 box:

```text
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.153.1      UGS         0     5922 pppoe0
google-public-dns- 192.168.153.1      UGHS        0    30451 pppoe0
10.0.10.1/32       10.0.10.5          UGS         0        0 ovpnc1
10.0.10.5          link#8             UH          0        0 ovpnc1
10.0.10.6          link#8             UHS         0        0    lo0
10.2.6.0           10.0.10.5          UGS         0        0 ovpnc1
10.2.31.0          10.0.10.5          UGS         0        0 ovpnc1
10.31.10.0         10.0.10.5          UGS         0        0 ovpnc1
10.31.112.0        10.0.10.5          UGS         0        0 ovpnc1
10.31.253.0        10.0.10.5          UGS         0        0 ovpnc1
10.32.253.0        10.0.10.5          UGS         0        0 ovpnc1
10.252.130.0       10.0.10.5          UGS         0        0 ovpnc1
10.252.144.0       10.0.10.5          UGS         0        0 ovpnc1
10.252.252.0       10.0.10.5          UGS         0        0 ovpnc1
10.253.1.192/32    10.0.10.5          UGS         0        0 ovpnc1
10.253.252.0       10.0.10.5          UGS         0        0 ovpnc1
PUBLIC-DSL-IP-94.d link#9             UHS         0        0    lo0
localhost          link#4             UH          0       97    lo0
172.16.0.0/21      10.0.10.5          UGS         0        7 ovpnc1
172.16.10.0/26     10.0.10.5          UGS         0        0 ovpnc1
172.16.20.0/26     link#1             U           0       48    vr0
pfsense3           link#1             UHS         0        0    lo0
192.168.153.1      link#9             UH          0        0 pppoe0
```

The 10.2., 10.31, 10.32, 10.252 and 10.253 networks are the ones provided by the Cisco, and 172.16.10.10/26 is the one provided by pfSense2.
Do you know what my problem is? I'm not posting configurations to keep this short. If you need something, please ask me.
Thanks
Best
![OpenVPN Routing.png](/public/imported_attachments/1/OpenVPN Routing.png)
Need to clarify some info:

- Your diagram shows "OpenVPN Tunnel Network: 10.0.10.0/24" and "Subnet to pfSense3: 10.0.10.8/30". Please clarify what you meant because those networks overlap.
- When you say "I have a remote site connected with OpenVPN Peer to Peer (SSL/TLS) working" you never specified what was connected. I can only assume from your diagram that you meant pfSense 1 and pfSense 3 are connected and that each side can communicate with the other side's LAN, but please verify my assumption is correct.
- On pfSense 2, is there a typo or is 172.16.10.1/26 really a WAN interface? Why isn't it a LAN interface? I would imagine 172.16.20.0/26 cannot communicate with 172.16.10.0/26 because there is no return route back to 172.16.20.0/26 on pfSense 2. Although, I'm not even sure that's possible because it's a WAN interface and being NAT'd… someone else chime in if they know for sure.
- You need a return route to 172.16.20.0/26 on the Cisco.

Post your server1.conf from pfSense 1 and client1.conf from pfSense 3.
pfSense1 Site2Site (PKI)
```text
dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local TRIMMED-PUBLIC-IP
tls-server
server 10.0.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.10.1 10.0.10.2
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1195
management /var/etc/openvpn/server2.sock unix
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
route 172.16.20.0 255.255.255.192
route 172.16.20.64 255.255.255.192
route 192.168.0.0 255.255.255.0
push "route 172.16.0.0 255.255.248.0"
push "route 172.16.10.0 255.255.255.192"
push "route 10.2.6.0 255.255.255.0"
push "route 10.2.31.0 255.255.255.0"
push "route 10.31.10.0 255.255.255.0"
push "route 10.31.112.0 255.255.255.0"
push "route 10.31.253.0 255.255.255.0"
push "route 10.32.253.0 255.255.255.0"
push "route 10.252.130.0 255.255.255.0"
push "route 10.252.144.0 255.255.255.0"
push "route 10.252.252.0 255.255.255.0"
push "route 10.253.1.192 255.255.255.255"
push "route 10.253.252.0 255.255.255.0"
```
pfSense3 (Client)
```text
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local TRIMMED-PUBLIC-IP
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote TRIMMED-REMOTE-IP 1195
ifconfig 10.0.10.2 10.0.10.1
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
```
Also here is the CSO (-csc) file for that client
```text
ifconfig-push 10.0.10.10 10.0.10.9
iroute 172.16.20.0 255.255.255.192
```
USING Site2Site
```text
12:00:41.556303 IP 192.168.0.47.38007 > 10.31.10.89.33438: UDP, length 24
12:00:41.628250 IP 192.168.0.47.38007 > 10.31.10.89.33439: UDP, length 24
12:00:41.699052 IP 192.168.0.47.38007 > 10.31.10.89.33440: UDP, length 24
12:00:41.770609 IP 192.168.0.47.38007 > 10.31.10.89.33441: UDP, length 24

12:01:55.579807 IP 192.168.0.47.38022 > 10.31.10.89.33441: UDP, length 24
12:02:00.580990 IP 192.168.0.47.38022 > 10.31.10.89.33442: UDP, length 24
12:02:05.581638 IP 192.168.0.47.38022 > 10.31.10.89.33443: UDP, length 24
12:02:10.582314 IP 192.168.0.47.38022 > 10.31.10.89.33444: UDP, length 24
```
USING RoadWarrior
```text
11:35:41.019829 IP 10.0.8.202.37905 > 10.31.10.89.33435: UDP, length 24
11:35:41.182282 IP 10.0.8.202.37905 > 10.31.10.89.33436: UDP, length 24
11:35:41.253157 IP 10.0.8.202.37905 > 10.31.10.89.33437: UDP, length 24
11:35:41.324107 IP 10.0.8.202.37905 > 10.31.10.89.33438: UDP, length 24

11:37:07.139149 IP 10.31.253.2.46027 > 10.31.10.89.33438: UDP, length 24
11:37:07.281083 IP 10.31.253.2.15414 > 10.31.10.89.33439: UDP, length 24
11:37:07.351882 IP 10.31.253.2.3381 > 10.31.10.89.33440: UDP, length 24
11:37:07.422730 IP 10.31.253.2.23474 > 10.31.10.89.33441: UDP, length 24
```
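A consistency check over the three pieces posted in this thread (the server's `route` and `push "route"` lines, the client's CSO `iroute`, and the pfSense3 routing table), written here as an added example and not code from the thread or from pfSense. It reports pushed routes the client never installed, server `route` entries with no matching `iroute` in the CSO, and `iroute` entries with no kernel `route`; the only assumption is that FreeBSD's netstat omits the prefix length when it equals the trailing zero octets of the destination.

```python
import re
from ipaddress import ip_network

# Constructed sample, trimmed from the server config, client CSO and pfSense3 table posted above.
SERVER_CONF = """
route 172.16.20.0 255.255.255.192
route 192.168.0.0 255.255.255.0
push "route 10.2.6.0 255.255.255.0"
push "route 10.253.1.192 255.255.255.255"
"""
CSO_FILE = "ifconfig-push 10.0.10.10 10.0.10.9\niroute 172.16.20.0 255.255.255.192\n"
CLIENT_TABLE = """
10.0.10.5        link#8         UH   0     0 ovpnc1
10.2.6.0         10.0.10.5      UGS  0     0 ovpnc1
10.253.1.192/32  10.0.10.5      UGS  0     0 ovpnc1
172.16.20.0/26   link#1         U    0    48 vr0
"""
DIRECTIVE_RE = re.compile(r'^(push\s+"route|route|iroute)\s+(\S+)\s+(\S+)')

def directive_networks(text, kind):
    """Networks named by lines of one kind: 'push' (push "route"), 'route' or 'iroute'."""
    nets = set()
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line.strip())
        if m and ("push" if m.group(1).startswith("push") else m.group(1)) == kind:
            mask = m.group(3).strip('"')            # ipaddress accepts dotted masks
            nets.add(ip_network(f"{m.group(2)}/{mask}"))
    return nets

def bsd_network(dest):
    """FreeBSD netstat drops the prefix when it equals the trailing zero octets (assumed rule)."""
    if "/" in dest:
        return ip_network(dest)
    zeros = next((i for i, o in enumerate(reversed(dest.split("."))) if o != "0"), 4)
    return ip_network(f"{dest}/{32 - 8 * zeros}")

def tunnel_routes(table, iface="ovpnc1"):
    """Destinations the client kernel actually sends into the tunnel interface."""
    return {bsd_network(p[0]) for p in (l.split() for l in table.splitlines())
            if len(p) >= 6 and p[-1] == iface}

def check_site_to_site(server_conf, cso, client_table):
    """Three consistency lists; an empty list means that part of the setup agrees."""
    pushed = directive_networks(server_conf, "push")
    routes = directive_networks(server_conf, "route")
    iroutes = directive_networks(cso, "iroute")
    installed = tunnel_routes(client_table)
    return {"pushed_not_installed": sorted(map(str, pushed - installed)),  # client never got it
            "route_without_iroute": sorted(map(str, routes - iroutes)),    # server cannot map it to a client
            "iroute_without_route": sorted(map(str, iroutes - routes))}    # kernel never hands it to OpenVPN
```

A `route` flagged as lacking an `iroute` may be declared in another client's CSO; the sample only includes the one CSO posted here.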