Route WAN network to OVPN
-
The rule you already have for source NATing 10.1.1.0/30 to 10.23.1.200.
Devices at 10.23.1.100 (and .1) obviously know how to reach 10.23.1.200 but probably have no route to 10.1.1.0/30. That is the reason you need that rule.
Steve
-
I added the rule, but still the same problem
-
Well, I think I'll give up and just also connect the Proxmox server to the VPN, so there will be a direct connection to both servers. It just looks weird to connect Proxmox to the VPN when there is a pfSense VM already connected to this VPN.
-
We haven't yet seen a packet capture of a TCP connection failing. That should be revealing. If there is no traffic coming back at all for example.
This still looks like some route asymmetry somewhere.
Does an ICMP traceroute succeed?
Steve
-
Yes, all ICMP traceroutes work, like ping.
-
When ICMP works but TCP fails, it's usually an asymmetric routing problem.
It can also be a packet size issue but that would not normally affect UDP traceroute.
Or it can be a hardware offloading problem if a NIC/driver somewhere is not doing what it reports it can.
Steve
-
How can I solve this asymmetric routing problem? Or detect where the routing problem is located?
-
Run a packet capture showing some TCP connection failing. If you see parts of the TCP setup missing they are either being blocked somewhere or routed some other way.
Steve
-
There is a little diagram, if that can help to understand how it is set up.
-
Yeah, there is some difference between what happens when you run, say, rpcinfo from pfSense directly and when it's run from Proxmox. So I would run a pcap on the OpenVPN interface and compare them.
rpcinfo will create quite a lot of output, so you might want to use something simpler like just telnetting to a port, assuming that also fails from Proxmox.
Steve
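
One way to do the capture comparison suggested in the posts above, as an added example that is not part of the thread: a Python script that reads `tcpdump -nn` text output and reports which part of each TCP handshake is missing at the capture point. The sample lines, addresses and ports are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the default text output of `tcpdump -nn` for IPv4 TCP packets.
LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\]")

# Constructed sample: one connection that completes, one where only SYNs appear.
SAMPLE = """\
12:00:01.000100 IP 10.1.1.2.40001 > 10.23.1.100.111: Flags [S], seq 100, win 64240, length 0
12:00:01.020300 IP 10.23.1.100.111 > 10.1.1.2.40001: Flags [S.], seq 900, ack 101, win 65160, length 0
12:00:01.020400 IP 10.1.1.2.40001 > 10.23.1.100.111: Flags [.], ack 1, win 502, length 0
12:00:05.000100 IP 10.1.1.2.40002 > 10.23.1.100.111: Flags [S], seq 200, win 64240, length 0
12:00:06.010100 IP 10.1.1.2.40002 > 10.23.1.100.111: Flags [S], seq 200, win 64240, length 0
"""

def verdict(parts):
    """Turn the set of handshake parts seen for one flow into a finding."""
    if "rst" in parts:
        return "reset: something actively refused the connection"
    if "syn" not in parts:
        return "SYN-ACK without SYN: outbound path bypasses this interface"
    if "synack" not in parts:
        return "SYN only: reply blocked or routed some other way"
    if "ack" not in parts:
        return "SYN and SYN-ACK only: client's final ACK missing"
    return "handshake complete"

def handshake_states(capture_text):
    """Return {(client, server): finding} for each TCP connection attempt."""
    seen = defaultdict(set)  # (client, server) -> handshake parts observed
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        if "S" in flags and "." not in flags:   # bare SYN: src is the client
            seen[(src, dst)].add("syn")
        elif "S" in flags:                      # SYN-ACK: src is the server
            seen[(dst, src)].add("synack")
        elif "R" in flags:                      # reset from either side
            key = (src, dst) if (src, dst) in seen else (dst, src)
            seen[key].add("rst")
        elif (src, dst) in seen:                # ACK or data from the client
            seen[(src, dst)].add("ack")
    return {flow: verdict(parts) for flow, parts in seen.items()}

if __name__ == "__main__":
    for flow, finding in handshake_states(SAMPLE).items():
        print(flow, "->", finding)
```

Running it over a capture taken while the test works and another taken while it fails shows at a glance whether the failing case loses the reply or never sees the request on that interface.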