Netgate Discussion Forum

[SOLVED] VPN routing

Category: Routing and Multi WAN
14 Posts 4 Posters 1.2k Views
maverick_slo:

Yeah, OpenVPN classic access (roadwarrior setup) server.
WAN is plugged into the Cisco firewall network.
On the core switches and the Cisco firewall there are routes to my VPN subnet pointing to the pfSense WAN IP (which is an IP from the network attached to the Cisco).
On pfSense I have not configured any static routes, I just added the subnets to the OpenVPN server config.
Funny thing is, if I disable outbound NAT, ping and tracert work but http does not, and with outbound NAT everything works but the server on a VLAN on the core switch sees traffic from the pfSense WAN instead of the actual client.

viragomann:

@maverick_slo said in VPN routing:

    Funny thing is, if I disable outbound NAT, ping and tracert work but http does not

As I mentioned above, that's the problem when the VPN endpoint is in the same network segment as the destination device, but the VPN endpoint is not the default gateway.

TCP, which HTTP is based on, is a stateful protocol; ICMP (ping) is stateless.
When you try to access a device from a VPN client, the request packets go from pfSense directly to the device, while the response packets are sent to the default gateway (Cisco FW, presumably), where they should be directed to pfSense. However, your default gateway has no state for it, since it didn't get the request packet, and will drop it.
For a stateless protocol that doesn't matter.

When using outbound NAT, request packets have the source IP of pfSense, so responses are directed back to pfSense directly.

So, as already suggested, put the pfSense in a separate network segment and set up correct routing. This can also be done by VLAN.

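The failure mode described in this answer (a stateful gateway dropping replies for a flow it never saw the request for) as an added illustration that is not part of the thread: a small Python model of the request and reply paths for each scenario discussed, including the separate-segment fix where the Cisco sees both directions. Every address and hop name is a constructed placeholder, not a value from the thread.

```python
import ipaddress

# Constructed topology modelled on the thread (every address is a placeholder):
# an OpenVPN client terminates on pfSense; the server's default gateway is a
# stateful Cisco firewall that also holds a static route for VPN_NET -> pfSense.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CLIENT = ipaddress.ip_address("10.8.0.6")
PFSENSE_LAN = ipaddress.ip_address("192.168.1.2")  # pfSense sharing the server's segment
PFSENSE_WAN = ipaddress.ip_address("192.168.2.2")  # pfSense on its own segment
STATEFUL = {"cisco"}  # hops that drop a reply for a flow they never saw

def forward_path(separate_segment):
    """Hops a VPN client's request crosses on its way to the server."""
    return ["pfsense", "cisco", "server"] if separate_segment else ["pfsense", "server"]

def reverse_path(reply_dst):
    """Hops the server's reply crosses: on-link for LAN addresses, else via its default gateway."""
    return ["server", "pfsense"] if reply_dst in LAN_NET else ["server", "cisco", "pfsense"]

def first_stateful_drop(fwd, rev, stateful):
    """Name the first stateful hop on the reply path that never saw the request, or None."""
    for hop in rev:
        if hop in stateful and hop not in fwd:
            return hop
    return None

def check(protocol, snat=False, separate_segment=False):
    """Simulate one request/reply exchange: who drops the reply, and which source the server sees."""
    pfsense_ip = PFSENSE_WAN if separate_segment else PFSENSE_LAN
    src = pfsense_ip if snat else CLIENT                 # outbound NAT rewrites the client source
    stateful = STATEFUL if protocol == "tcp" else set()  # ICMP treated as stateless, as in the post
    dropped_at = first_stateful_drop(forward_path(separate_segment), reverse_path(src), stateful)
    return {"dropped_at": dropped_at, "server_sees": str(src)}

if __name__ == "__main__":
    for args in [("tcp",), ("icmp",), ("tcp", True), ("tcp", False, True)]:
        print(args, "->", check(*args))
```

Only the separate-segment case both survives the stateful check and preserves the real client address, which is the combination the thread was after.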
maverick_slo:

Hmm.
pfSense IS on a separate network on the ASA.
Routing works; actually everything works except the little thing I mentioned.

On the server on a different VLAN all requests are coming from the pfSense WAN.
So how do I make them come from the OpenVPN client instead?

viragomann:

Turn off the outbound NAT on pfSense.

Consider that for routing VPN responses back you need a static route for the VPN tunnel network on your ASA?

maverick_slo:

Well, if I turn off outbound NAT things stop working.

I have a route on the ASA to route my tunnel network to the pfSense WAN IP.

viragomann:

If that's the case, the route won't work.

Try a traceroute from the device you tried to access.

maverick_slo:

Tracert is OK.
Tried both ways, both ways OK.

viragomann:

If the routes are OK there is no need for the outbound NAT.

Sorry, no more ideas as long as I don't get more info like the tunnel network, a network map, detailed routes, and a packet capture of an access attempt from a VPN client.

maverick_slo:

Thanks, will check tomorrow with our fw guys as I don't see errors in my config...

maverick_slo:

Closure:
I had it configured correctly.
So: correct FW rules and outbound NAT (SNAT) disabled.
The problem was on the Cisco router, where the network guys forgot to allow my traffic (even when they say they did, well, double-check) :)

netdomon2:

I have the same problem, thanks.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.