    Site to Site to Site Not working

    OpenVPN
    11 Posts 5 Posters 1.2k Views
    • O
      omber
      last edited by

      I have 3 pfSense Systems with following LAN IPs:

      • Site 1: 172.16.10.1/24
        • OpenVPN Client to Site 2
          • Tunnel Network: 172.16.220.8/30
          • Remote Networks: 172.16.11.0/24,192.168.1.0/24
      • Site 2: 172.16.11.1/24
        • OpenVPN Server for Site 1
          • Tunnel Network: 172.16.220.8/30
          • Remote Networks: 172.16.10.0/24
        • OpenVPN Server for Site 3
          • Tunnel Network: 172.16.220.4/30
          • Remote Networks: 192.168.1.0/24
      • Site 3: 192.168.1.1/24
        • OpenVPN Client to Site 2
          • Tunnel Network: 172.16.220.4/30
          • Remote Networks: 172.16.11.0/24,172.16.10.0/24

      To simplify debugging, I have created a rule on each site's OpenVPN interface to permit any IP traffic from any source to any destination.

      Site 1 can ping Site 2 but not Site 3
      Site 2 can ping both Site 1 and Site 2
      Site 3 can ping Site 2 but not Site 1

      Is it not possible for pfSense / OpenVPN to route between different OpenVPN servers?

      • chpalmerC
        chpalmer @omber
        last edited by

        @omber I do it all over the place. I do not assign any interface to my openvpn instances though.

        What do the rules on the actual interfaces look like? You would have a rule for the interface and the openvpn instance.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        • M
          mikeisfly
          last edited by

          You probably need to add static routes for each of the non-connected routers; otherwise pfSense is going to use the default gateway, unless you are running a routing protocol between the routers, but then you will probably need to set up a GRE interface on all the routers.

          • chpalmerC
            chpalmer @mikeisfly
            last edited by chpalmer

            @mikeisfly nope he shouldn't have to. I make this work at several locations without anything special.

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            • O
              omber @chpalmer
              last edited by

              @chpalmer

              "I do not assign any interface to my openvpn instances though."

              I don't understand this statement, can you please elaborate?

              "What do the rules on the actual interfaces look like? You would have a rule for the interface and the openvpn instance."

              My LAN interfaces have default permit IPv4 to Any rule.

              @mikeisfly

              To add a static route in pfSense, I must first add a Gateway. However, when creating Gateways, OpenVPN is not listed as an interface through which the Gateway can be reached; only LAN and WAN interfaces are listed.

              • chpalmerC
                chpalmer @omber
                last edited by

                @omber are your openvpn instances assigned to an interface?

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                • O
                  omber
                  last edited by

                  @chpalmer Yes they are tied to the WAN interface. Should I change them to use ANY, and if so should I do it to Servers, Clients or Both?

                  • chpalmerC
                    chpalmer @omber
                    last edited by

                    @omber said in Site to Site to Site Not working:

                    @chpalmer Yes they are tied to the WAN interface. Should I change them to use ANY, and if so should I do it to Servers, Clients or Both?

                    Huuuuuhhhhhhhh?

                    On your interface page.. Interfaces/Interface Assignments

                    Do you have them assigned to interfaces?

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    • P
                      pete35
                      last edited by pete35

                      Just look at the routing tables. If the route to the target site is in your local routing table, you are fine, if not ... something goes wrong. Pfsense needs a route to that site, otherwise the traffic goes out to the internet. Please check this, or post the tables here.

                      Just try to change the remote tunnel fields and save them again. Sometimes the routes there don't make it to the routing table, and even if they are in, rebooting helps a lot.


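The check pete35 describes can be scripted. The following is an added example, not code from the thread or from pfSense: a POSIX shell function that takes a FreeBSD/pfSense routing table dump (the output of `netstat -rn -f inet`) and verifies that each expected remote network has a route and that the route points at an OpenVPN interface (`ovpnc*`/`ovpns*`). The table embedded below is constructed for site 1 from the first post; the interface names `em0`/`em1` and the gateway address 203.0.113.1 are assumptions. In the sample, 192.168.1.0/24 is deliberately absent, reproducing the original symptom.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn -f inet` on site 1. The 192.168.1.0/24
# route is missing on purpose: that traffic would follow the default route.
SAMPLE_TABLE='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
127.0.0.1          link#2             UH          lo0
172.16.10.0/24     link#1             U           em1
172.16.10.1        link#1             UHS         lo0
172.16.11.0/24     172.16.220.9       UGS       ovpnc1
172.16.220.8/30    172.16.220.9       UGS       ovpnc1
172.16.220.10      link#5             UHS         lo0'

# check_routes "<table text>" net1 net2 ...
# Prints one line per expected network and returns the number of networks
# that are either missing or not routed through an OpenVPN interface.
check_routes() {
    table=$1; shift
    bad=0
    for n in "$@"; do
        # Exact match on the Destination column (awk field 1).
        line=$(printf '%s\n' "$table" | awk -v n="$n" '$1 == n')
        if [ -z "$line" ]; then
            echo "MISSING  $n (no route: traffic will follow the default route)"
            bad=$((bad + 1))
            continue
        fi
        # Netif is the fourth column in FreeBSD's netstat output.
        ifc=$(printf '%s\n' "$line" | awk '{print $4}')
        case $ifc in
            ovpn*) echo "OK       $n via $ifc" ;;
            *)     echo "WRONG    $n via $ifc (expected an OpenVPN interface)"
                   bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# Usage on the sample: the two remote networks configured on the site 1 client.
check_routes "$SAMPLE_TABLE" 172.16.11.0/24 192.168.1.0/24 \
    || echo "$? remote network(s) need attention"
```

On a real firewall, replace the sample with `check_routes "$(netstat -rn -f inet)" <remote networks...>`; a non-zero return is the condition pete35 describes, where the route never made it into the table and the traffic leaves through the default gateway.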
                      • O
                        omber @pete35
                        last edited by

                        @pete35 said in Site to Site to Site Not working:

                        Just look at the routing tables. If the route to the target site is in your local routing table, you are fine, if not ... something goes wrong. Pfsense needs a route to that site, otherwise the traffic goes out to the internet. Please check this, or post the tables here.

                        Just try to change the remote tunnel fields and save them again. Sometimes the routes there don't make it to the routing table, and even if they are in, rebooting helps a lot.

                        Ok this worked. Originally the route was not in the routing table.

                        I changed the Remote Networks in OpenVPN Client Config at Site A to just 172.16.11.0/24 (Site B), applied changes, watched the tunnel come up and confirmed the route was present.

                        Then I added 192.168.1.0/24 (Site C), applied changes and watched the route get added. Now I can reach Site C from Site A. Very odd but it works. Thank you.

                        • F
                          frater
                          last edited by frater

                          I followed this YouTube tutorial https://www.youtube.com/watch?v=8f13lfnEKY8
                          and I believe it is the same as your setup.

                          #1 Pfsense running 2 openvpn server instances (has corresponding network as remote network)
                          #2 Pfsense running 1 openvpn client to Pfsense #1 (has both other networks as remote network)
                          #3 Pfsense running 1 openvpn client to Pfsense #1 (has both other networks as remote network)

                          I wasn't able to ping from the Pfsense #2 to #3 nor vice versa.
                          Both #2 and #3 were able to ping to #1

                          But then I noticed it was only the Pfsense itself.
                          Clients on Pfsense #3 could reach clients on Pfsense #2.
                          Clients could also ping all pfsenses....
                          Client pfsenses can't ping clients on other network.

                          In fact this is the main purpose of the site-to-site-to-site VPN, so I have it working now.

                          I now have a few questions:

                          • Is this behaviour to be expected?
                          • What do I need to do so #2 and #3 themselves can ping each other?
                          • Should I consider this a bug?
                          • Is this a recommended setup? I have a feeling it isn't as #2 and #3 can't reach each other anymore if #1 is failing.
                          • Do I solve that single point of failure by creating a server instance on either #2 or #3, and let the other client connect to it??
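Both omber's original symptom (a remote network missing from the table) and frater's observation (LAN clients reach the other spoke, the spoke firewalls themselves do not) follow from plain longest-prefix routing at the three sites. The following is an added example, not code from the thread or from pfSense: a small Python model of the topology in the first post, with site 2 as the hub, which matches frater's "#1" hub. The tunnel endpoint addresses (.9/.10 on 172.16.220.8/30, .5/.6 on 172.16.220.4/30) are assumed, as is the idea that a ping sent from the firewall itself is sourced from its tunnel address; the thread does not confirm that last point, but the model shows why it would produce exactly what frater saw: the reply to the tunnel address has no route at the far site and leaves through the default gateway, which is pete35's point.

```python
"""Model of the three-site pfSense/OpenVPN topology from the first post.

Assumed (not on the page): per-tunnel /30 endpoints, server .9/.5, client .10/.6.
LAN networks and the remote network lists are taken from the first post.
"""
import ipaddress


class Site:
    def __init__(self, name, addresses, routes):
        self.name = name
        # Addresses owned by the firewall itself (LAN address and tunnel ends).
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        # routes: (prefix, via) where via is "lan", "wan" or a peer site name.
        self.routes = [(ipaddress.ip_network(p), via) for p, via in routes]

    def lookup(self, dst):
        """Longest-prefix match, as the kernel routing table does."""
        return max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen)


def build_sites(missing=()):
    """Build the three sites. `missing` lists (site, prefix) routes to drop,
    reproducing a remote network that never made it into the routing table."""
    sites = {
        "site1": Site("site1", ["172.16.10.1", "172.16.220.10"], [
            ("172.16.10.0/24", "lan"),
            ("172.16.220.8/30", "site2"),   # tunnel to the site 2 server
            ("172.16.11.0/24", "site2"),    # client's remote networks
            ("192.168.1.0/24", "site2"),
            ("0.0.0.0/0", "wan"),
        ]),
        "site2": Site("site2", ["172.16.11.1", "172.16.220.9", "172.16.220.5"], [
            ("172.16.11.0/24", "lan"),
            ("172.16.220.8/30", "site1"),   # server for site 1
            ("172.16.10.0/24", "site1"),
            ("172.16.220.4/30", "site3"),   # server for site 3
            ("192.168.1.0/24", "site3"),
            ("0.0.0.0/0", "wan"),
        ]),
        "site3": Site("site3", ["192.168.1.1", "172.16.220.6"], [
            ("192.168.1.0/24", "lan"),
            ("172.16.220.4/30", "site2"),   # tunnel to the site 2 server
            ("172.16.11.0/24", "site2"),    # client's remote networks
            ("172.16.10.0/24", "site2"),
            ("0.0.0.0/0", "wan"),
        ]),
    }
    for site, prefix in missing:
        sites[site].routes = [r for r in sites[site].routes if str(r[0]) != prefix]
    return sites


def trace(sites, start, dst):
    """Follow a packet for dst starting at `start`.
    Returns (delivered, last_site, path)."""
    dst = ipaddress.ip_address(dst)
    node, path = sites[start], []
    for _ in range(10):                      # loop guard
        if dst in node.addresses:
            path.append(f"{node.name}: delivered to the firewall itself")
            return True, node.name, path
        prefix, via = node.lookup(dst)
        if via == "lan":
            path.append(f"{node.name}: delivered on LAN {prefix}")
            return True, node.name, path
        if via == "wan":
            path.append(f"{node.name}: no tunnel route for {dst}, "
                        "sent to default gateway (lost)")
            return False, node.name, path
        path.append(f"{node.name}: {prefix} via tunnel to {via}")
        node = sites[via]
    return False, node.name, path + ["routing loop"]


def round_trip(sites, start, src, dst):
    """True only if the request reaches dst AND the reply gets back to src."""
    ok, last, fwd = trace(sites, start, dst)
    if not ok:
        return False, fwd, []
    ok, _, rev = trace(sites, last, src)
    return ok, fwd, rev


if __name__ == "__main__":
    sites = build_sites()
    # LAN host at site 1 to LAN host at site 3: works end to end.
    print(round_trip(sites, "site1", "172.16.10.50", "192.168.1.50"))
    # Site 1 firewall pinging site 3's LAN address from its tunnel address:
    # request arrives, reply has no route back at site 3.
    print(round_trip(sites, "site1", "172.16.220.10", "192.168.1.1"))
    # Same ping sourced from the LAN address succeeds.
    print(round_trip(sites, "site1", "172.16.10.1", "192.168.1.1"))
    # omber's original state: 192.168.1.0/24 missing from site 1's table.
    broken = build_sites(missing=[("site1", "192.168.1.0/24")])
    print(round_trip(broken, "site1", "172.16.10.50", "192.168.1.50"))
```

The two failing cases fail at different ends: with the route missing, the request itself leaves site 1 via the default gateway; with the routes present but a tunnel-address source, the request is delivered and it is the reply that site 3 sends to its default gateway. Checking both directions of a path, not just the forward lookup, is the quickest way to tell the two apart on a real routing table.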
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.