Netgate Discussion Forum
    [SOLVED] Trying to set up an OOB Management Network

    OpenVPN
    4 Posts 2 Posters 5.7k Views
    brunov

      Hello, I am trying to set up an OOB Management Network. So far I have set up a separate VLAN for that network and I have assigned IPs to all devices that need to be managed on that network. I have plugged a switch inline on that network and tested connectivity to those devices, and they work fine. Now I am trying to set up a RAVPN to remote into that network from the LAN. However, when I VPN to that network the session is established but I am unable to reach any devices on that network. Most RAVPN tutorials are for setting up a RAVPN to connect to the LAN from a network outside the WAN. The difference here is that I am trying to connect to the management network from the LAN. My setup is as follows.

      Management Network VLAN 10: 192.168.10.0/24
      Local Area Network VLAN 20: 192.168.20.0/24

      I went through the OpenVPN wizard, and since I am able to successfully establish a VPN session we can assume the CA and users are set up correctly.

      So under General Options
      -Interface = LAN
      -Protocol = UDP
      -Local Port 1194

      Crypto Setting
      -TLS Authentication = Yes
      -Generate TLS Key = Yes
      -DH Parameters Length = 2048
      -Encryption Algorithm = AES-128
      -Auth Digest Algorithm = RSA-SHA256

      Tunnel Settings
      -Tunnel Network = 10.0.0.0/24
      -Redirect Gateway = No
      -Local Network = 192.168.10.0/24
      -Compression = Enabled with Adaptive Compression
      -Type-of-Service = No
      -Inter-Client Communication = Yes
      -Duplicate Connections = No

      Client Settings
      -Dynamic IP = Yes
      -Address Pool = Yes
      -Topology = Subnet - One IP address per client in a common subnet
      -DNS Default Domain = pfsense.home
      -DNS Server 1 = 192.168.10.2 (also the interface IP of the pfSense on that network)

      On the next page

      Traffic from clients to server Firewall Rule = Yes

      Traffic from clients through VPN OpenVPN rule = Yes

      Anything I have not noted is default and unchanged, but if you need more information please let me know.

      But with the setup above, from the LAN I am able to establish a connection to the VPN and I get an IP of 10.0.0.2, and I am able to ping the management interface 192.168.10.2; however, I am unable to ping or access any other devices on that network while VPNed into the management network. Based on the information that I've provided, does anyone know what I may have done wrong?

        johnpoz LAYER 8 Global Moderator

        How is this an out-of-band management?

        Why are you having to VPN into the LAN? Are you not already on the LAN? Normally OOB would come into pfSense as another form of WAN connection that is different from your primary, so that if your primary is down you could still get into pfSense and stuff behind pfSense, be it on a LAN or other OPT network, to help troubleshoot why the primary WAN is not working, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          brunov

          @johnpoz:

          How is this an out-of-band management?

          Why are you having to VPN into the LAN? Are you not already on the LAN? Normally OOB would come into pfSense as another form of WAN connection that is different from your primary, so that if your primary is down you could still get into pfSense and stuff behind pfSense, be it on a LAN or other OPT network, to help troubleshoot why the primary WAN is not working, etc.

          It is out of band in the sense that the management plane is separate from the data plane. In the DoD this traffic separation is OOB. I do understand that in the traditional sense OOB means access to network devices when the network is down. That is not what I mean in this case. And I am using OOB correctly, since this is what the DoD uses to refer to this type of network.

          Also, Cisco has published best-practice articles on OOB Management Networks.

          http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap9.html#wp1054536

          Also, I am not trying to VPN into the LAN; I am already on the LAN. I am trying to VPN into the Management Network (VLAN 10) from the LAN (VLAN 20). I am new to RAVPN, so I am pretty sure I messed something up.

            brunov

            Okay, I've solved my issue thanks to packet capture. My configurations that I posted were perfectly fine, and that was the answer I was looking for, but instead of getting that help people wanted to play semantics with my words, which was completely irrelevant to the question that I asked. In any case, I am good now, and for anyone trying to set up an Out-of-Band Management network, please follow the configurations that I've posted, because they work.

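The original poster reports that a packet capture resolved the symptom described in the first post (VPN client 10.0.0.2 can ping the pfSense VLAN 10 address 192.168.10.2 but no other host in 192.168.10.0/24), without saying what the capture showed. The following is an added example, not code from the thread or from pfSense, of how a practitioner would triage that symptom from a capture taken on the pfSense VLAN 10 interface (Diagnostics > Packet Capture, or `tcpdump -ni <vlan10 iface> icmp`). It pairs ICMP echo requests with replies by (id, seq) and sorts each target into one of three cases: answered; request seen on the management VLAN but never answered (the target's own return path or host firewall); request never seen on the management VLAN at all (pfSense did not forward it, so the OpenVPN route push or the rules on the OpenVPN interface are the place to look). The subnets are those from the post; the tcpdump lines and target hosts 192.168.10.5/.7/.9 are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Subnets as posted in the thread.
MGMT_NET = ipaddress.ip_network("192.168.10.0/24")
TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")
VPN_CLIENT = "10.0.0.2"

# Constructed tcpdump output as it would appear on the pfSense VLAN 10
# interface; .2 is pfSense itself, .5 answers, .7 never replies, .9 is
# pinged by the client but never shows up here at all.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.2 > 192.168.10.2: ICMP echo request, id 7, seq 1, length 64
12:00:01.000200 IP 192.168.10.2 > 10.0.0.2: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000001 IP 10.0.0.2 > 192.168.10.5: ICMP echo request, id 7, seq 2, length 64
12:00:02.000300 IP 192.168.10.5 > 10.0.0.2: ICMP echo reply, id 7, seq 2, length 64
12:00:03.000001 IP 10.0.0.2 > 192.168.10.7: ICMP echo request, id 7, seq 3, length 64
12:00:04.000001 IP 10.0.0.2 > 192.168.10.7: ICMP echo request, id 7, seq 4, length 64
"""

ICMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

OK = "ok"
NO_REPLY = "request seen on mgmt VLAN, no reply: check target's gateway/host firewall"
NOT_SEEN = "request never reached mgmt VLAN: check OpenVPN route push and OpenVPN-interface rules"


def parse_icmp(capture_text):
    """Extract (src, dst, kind, id, seq) from tcpdump ICMP echo lines; other lines are ignored."""
    events = []
    for line in capture_text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return events


def pair_echoes(events):
    """Count requests and matching replies per target, matching on (id, seq)."""
    outstanding = {}  # (id, seq) -> target the request was sent to
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for src, dst, kind, ident, seq in events:
        if kind == "request":
            outstanding[(ident, seq)] = dst
            stats[dst]["requests"] += 1
        elif outstanding.get((ident, seq)) == src:
            # A reply counts only if it answers a request we saw go to that host.
            stats[src]["replies"] += 1
    return dict(stats)


def tunnel_overlaps(local_nets=(MGMT_NET,)):
    """True if the tunnel network collides with any pushed local network (a classic misconfiguration)."""
    return any(TUNNEL_NET.overlaps(n) for n in local_nets)


def diagnose(capture_text, attempted_targets):
    """Map each host the VPN client tried to ping to OK / NO_REPLY / NOT_SEEN."""
    stats = pair_echoes(parse_icmp(capture_text))
    verdicts = {}
    for target in attempted_targets:
        if ipaddress.ip_address(target) not in MGMT_NET:
            raise ValueError(f"{target} is not in {MGMT_NET}")
        s = stats.get(target)
        if s is None or s["requests"] == 0:
            verdicts[target] = NOT_SEEN
        elif s["replies"] == s["requests"]:
            verdicts[target] = OK
        else:
            verdicts[target] = NO_REPLY
    return verdicts


if __name__ == "__main__":
    print("tunnel overlaps mgmt net:", tunnel_overlaps())
    targets = ["192.168.10.2", "192.168.10.5", "192.168.10.7", "192.168.10.9"]
    for host, verdict in diagnose(SAMPLE_CAPTURE, targets).items():
        print(f"{host:15} {verdict}")
```

The two failure verdicts point at different sides of pfSense: NOT_SEEN means the packet was dropped or misrouted before it ever left on VLAN 10, while NO_REPLY means the request arrived on the management VLAN and the problem is on the target host (no route back to 10.0.0.0/24, or a host firewall that ignores off-subnet sources). With the posted settings the tunnel and management networks do not overlap, which the `tunnel_overlaps` check confirms.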
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.