Policy routing not working with OpenVPN interface



  • Hi

    the architecture :

    Branch FW LAN 192.168.55.1/24
    Branch FW WAN
    (Branch Office)
        !!
        !!
        !!
        vv
    (Headquarter)
    PfSense WAN PPPoE
    PfSense LAN 192.168.7.1/24 ---------------- Firewall eth1 192.168.7.10/24
                                                Firewall eth0 192.168.3.10/24
                                                LAN 192.168.3.0/24

    the goal
    Headquarter LAN 192.168.3.0/24 must access Branch LAN 192.168.55.0/24

    Config 1: (OK)

    in PfSense (Headquarter) :
    Add Gateway (LANGW) : interface LAN, IP:192.168.7.10
    Add route : destination 192.168.3.0/24 via LANGW
    Add rule : (LAN Rule Pass) Protocol any Source 192.168.3.0/24, port ---, Destination 192.168.55.0/24, port ---
    Add rule : (OpenVPN Rule Pass) Protocol any Source 192.168.55.0/24, port ---, Destination 192.168.3.0/24, port ---
    Access granted to Branch LAN 192.168.55.0/24 from Headquarter LAN 192.168.3.0/24

    Config 2: (NOT OK)

    in PfSense (Headquarter) :
    Add Gateway (LANGW) : interface LAN, IP:192.168.7.10
    Add rule : (LAN Rule Pass) Protocol any Source 192.168.3.0/24, port ---, Destination 192.168.55.0/24, port ---
    Add rule : (OpenVPN Rule Pass) Protocol any Source 192.168.55.0/24, port ---, Destination 192.168.3.0/24, port ---, Gateway LANGW
    (no route added in this config, using routing policy instead)
    Access impossible to Branch LAN 192.168.55.0/24 from Headquarter LAN 192.168.3.0/24

    Note
    ---
    I've tested this PfSense config on 2 different hardware platforms (an old IBM Server, and an ALIX Box),
    still the same result: Access impossible to Branch LAN 192.168.55.0/24 from Headquarter LAN 192.168.3.0/24

    Any idea?
    Is there a way to solve the problem and to make config 2 operate?
    This time I don't have a plan B; I really don't want to advertise traditional routes, and there is no source-based routing in PfSense.
    Normally, policy routing is more powerful than source-based routing, it is more granular, but it isn't working, although in this scenario the traffic emanates from a third-party network and not from a PfSense interface, so logically it should work.

    Thanks
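As an added illustration (a constructed model of my own, not pfSense or pf code and not the poster's configuration), the following shows how a pass rule carrying a gateway differs from a static route. It does not diagnose why Config 2 fails; it shows one consequence of leaving the route out: any packet to 192.168.3.0/24 that the policy-routed OpenVPN rule does not match, such as traffic pfSense itself originates, falls back to the routing table and therefore to the default gateway on the PPPoE WAN. Interface and gateway names are the labels used in the post; the matching logic is simplified.

```python
import ipaddress
# Constructed model (added example, not pfSense code): a pass rule with a gateway
# (policy routing) overrides the kernel routing table only for packets it matches.

def lookup_fib(fib, dst):
    """Longest-prefix match over [(prefix, next_hop), ...]; None if nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def forward(fib, rules, iface, src, dst):
    """Next hop for a packet entering on iface, or None when no pass rule matches.
    A rule's gateway overrides the routing table; a rule without one defers to it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["iface"] == iface and s in ipaddress.ip_network(r["src"])
                and d in ipaddress.ip_network(r["dst"])):
            return r.get("gateway") or lookup_fib(fib, dst)
    return None

def local_origin(fib, dst):
    """Packets pfSense itself originates never traverse interface rules: table only."""
    return lookup_fib(fib, dst)

# Routes both configs share: default via PPPoE, branch LAN reachable through the tunnel.
BASE_FIB = [("0.0.0.0/0", "WAN_PPPoE"), ("192.168.7.0/24", "LAN_direct"),
            ("192.168.55.0/24", "OpenVPN")]
LAN_RULE = {"iface": "LAN", "src": "192.168.3.0/24", "dst": "192.168.55.0/24"}
VPN_RULE = {"iface": "OpenVPN", "src": "192.168.55.0/24", "dst": "192.168.3.0/24"}

# Config 1: static route to the HQ LAN, plain pass rules.
CONFIG1 = (BASE_FIB + [("192.168.3.0/24", "LANGW")], [LAN_RULE, VPN_RULE])
# Config 2: no static route; the OpenVPN rule carries the gateway instead.
CONFIG2 = (BASE_FIB, [LAN_RULE, dict(VPN_RULE, gateway="LANGW")])

def trace(config):
    fib, rules = config
    return {
        "hq_to_branch": forward(fib, rules, "LAN", "192.168.3.20", "192.168.55.20"),
        "branch_to_hq": forward(fib, rules, "OpenVPN", "192.168.55.20", "192.168.3.20"),
        "pfsense_to_hq": local_origin(fib, "192.168.3.10"),
    }

if __name__ == "__main__":
    for name, cfg in (("Config 1", CONFIG1), ("Config 2", CONFIG2)):
        print(name, trace(cfg))
```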
