Netgate Discussion Forum
[SOLVED] Trying to set up an OOB Management Network

Category: OpenVPN. 4 posts, 2 posters, 5.6k views.
brunov, posted Nov 8, 2016, 4:33 PM (last edited Nov 9, 2016, 3:11 PM)

    Hello, I am trying to set up an OOB Management Network. So far I have set up a separate VLAN for that network and I have assigned an IP to all devices that need to be managed on that network. I have plugged a switch inline on that network and tested connectivity to those devices, and they work fine. Now I am trying to set up a RAVPN to remote into that network from the LAN. However, when I VPN to that network the session is established, but I am unable to reach any devices on that network. Most RAVPN tutorials are for setting up a RAVPN to connect to the LAN from a network outside the WAN. The difference here is that I am trying to connect to the management network from the LAN. My setup is as follows.

    Management Network VLAN 10: 192.168.10.0/24
    Local Area Network VLAN 20: 192.168.20.0/24

    I went through the OpenVPN wizard and being that I am able to successfully establish a VPN session we can assume the CA and Users are set up correctly.

    So under General Options
    -Interface = LAN
    -Protocol = UDP
    -Local Port 1194

    Crypto Setting
    -TLS Authentication = Yes
    -Generate TLS Key = Yes
    -DH Parameters Length = 2048
    -Encryption Algorithm = AES-128
    -Auth Digest Algorithm = RSA-SHA256

    Tunnel Settings
    -Tunnel Network = 10.0.0.0/24
    -Redirect Gateway = No
    -Local Network = 192.168.10.0/24
    -Compression = Enabled with Adaptive Compression
    -Type-of-Service = No
    -Inter-Client Communication = Yes
    -Duplicate Connections = No

    Client Settings
    -Dynamic IP = Yes
    -Address Pool = Yes
    -Topology = Subnet - One IP address per client in a common subnet
    -DNS Default Domain = pfsense.home
    -DNS Server 1 = 192.168.10.2 (also the interface IP of pfSense on that network)

    On the next page

    Traffic from clients to server Firewall Rule = Yes

    Traffic from clients through VPN OpenVPN rule = Yes

    Anything I have not noted is default and unchanged, but if you need more information please let me know.

    But with the setup above, from the LAN I am able to establish a connection to the VPN, I get an IP of 10.0.0.2, and I am able to ping the management interface 192.168.10.2; however, I am unable to ping or access any other devices on that network while VPNed into the management network. Based on the information I've provided, does anyone know what I may have done wrong?

johnpoz (LAYER 8, Global Moderator), posted Nov 8, 2016, 4:38 PM

      How is this an out of band management?

      Why are you having to VPN into the LAN? Are you not already on the LAN? Normally OOB would come into pfSense as another form of WAN connection that is different from your primary, so that if your primary is down you could still get into pfSense and stuff behind pfSense, be it on a LAN or other OPT network, to help troubleshoot why the primary WAN is not working, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

brunov, posted Nov 8, 2016, 4:42 PM (last edited Nov 8, 2016, 4:48 PM)

        @johnpoz:

        How is this an out of band management?

        Why are you having to VPN into the LAN? Are you not already on the LAN? Normally OOB would come into pfSense as another form of WAN connection that is different from your primary, so that if your primary is down you could still get into pfSense and stuff behind pfSense, be it on a LAN or other OPT network, to help troubleshoot why the primary WAN is not working, etc.

        It is out of band in the sense that the management plane is separate from the data plane. In the DoD, this traffic separation is OOB. I do understand that in the traditional sense OOB means access to network devices when the network is down. That is not what I mean in this case. And I am using OOB correctly, since this is what the DoD uses to refer to this type of network.

        Also, Cisco has published best-practice articles on OOB Management Networks.

        http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap9.html#wp1054536

        Also, I am not trying to VPN into the LAN; I am already on the LAN. I am trying to VPN into the Management Network (VLAN 10) from the LAN (VLAN 20). I am new to RAVPN, so I am pretty sure I messed something up.

brunov, posted Nov 9, 2016, 3:10 PM

          Okay, I've solved my issue thanks to packet capture. The configuration I posted was perfectly fine, and that was the answer I was looking for, but instead of getting that help people wanted to play semantics with my words, which was completely irrelevant to the question I asked. In any case, I am good now, and for anyone trying to set up an Out of Band Management network, please follow the configuration I've posted, because it works.

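The last post says packet capture was what located the problem but not where the packets were being lost. As an added example, not part of the thread and not the poster's own procedure, the script below turns that approach into a repeatable check for the symptom described (pfSense's own VLAN 10 address answers, other management hosts do not): it reads two tcpdump captures taken on pfSense, one on the OpenVPN server interface and one on the management VLAN interface, and reports the first point at which the ICMP echo request/reply pair goes missing. The interface names `ovpns1` and `igb1.10`, the client address 10.0.0.2 and the management host 192.168.10.50 are assumptions; the capture lines are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread): localize where an ICMP echo from an
# OpenVPN client stops, using two tcpdump captures taken on the pfSense box,
# one on the OpenVPN server interface and one on the management VLAN interface.
#
# Assumptions (not stated in the thread): the OpenVPN server interface is
# "ovpns1", VLAN 10 rides on "igb1.10", the client got 10.0.0.2 and the
# management host being tested is 192.168.10.50. On pfSense the captures
# would be taken with, for example:
#   tcpdump -ni ovpns1  icmp and host 192.168.10.50
#   tcpdump -ni igb1.10 icmp and host 192.168.10.50
# Below, constructed sample lines in tcpdump's output format stand in for the
# live captures so the script runs offline.

CLIENT=10.0.0.2
TARGET=192.168.10.50

# count_icmp TYPE CAPTURE: number of "ICMP echo TYPE" lines between CLIENT and
# TARGET in CAPTURE (TYPE is "request" or "reply"). Prints 0 when none match.
count_icmp() {
    printf '%s\n' "$2" | grep "$CLIENT" | grep "$TARGET" | grep -c "ICMP echo $1" || true
}

# diagnose TUNNEL_CAPTURE VLAN_CAPTURE: print a one-word code for the first
# hop at which the request/reply pair goes missing.
diagnose() {
    tun_req=$(count_icmp request "$1")
    vlan_req=$(count_icmp request "$2")
    vlan_rep=$(count_icmp reply "$2")
    tun_rep=$(count_icmp reply "$1")
    if   [ "$tun_req"  -eq 0 ]; then echo no-request-on-tunnel
    elif [ "$vlan_req" -eq 0 ]; then echo dropped-in-pfsense
    elif [ "$vlan_rep" -eq 0 ]; then echo no-reply-from-host
    elif [ "$tun_rep"  -eq 0 ]; then echo reply-not-forwarded
    else                              echo ok
    fi
}

# explain CODE: what each code usually means for this VPN-into-VLAN layout.
explain() {
    case "$1" in
        no-request-on-tunnel) echo "client never sent it into the VPN: check the route for 192.168.10.0/24 pushed to the client" ;;
        dropped-in-pfsense)   echo "request entered the tunnel but never left on VLAN 10: check the OpenVPN interface firewall rule" ;;
        no-reply-from-host)   echo "host saw the request and stayed silent: host firewall, or no route back to $CLIENT via pfSense" ;;
        reply-not-forwarded)  echo "reply reached pfSense but not the tunnel: check VLAN 10 rules and states" ;;
        ok)                   echo "ICMP round trip is complete on both interfaces" ;;
        *)                    echo "unknown code $1" ;;
    esac
}

# Constructed sample captures for the symptom in the thread: the request
# reaches the management VLAN but nothing ever comes back.
TUN_CAP='12:00:00.000100 IP 10.0.0.2 > 192.168.10.50: ICMP echo request, id 7, seq 1, length 64
12:00:01.000100 IP 10.0.0.2 > 192.168.10.50: ICMP echo request, id 7, seq 2, length 64'
VLAN_CAP='12:00:00.000150 IP 10.0.0.2 > 192.168.10.50: ICMP echo request, id 7, seq 1, length 64
12:00:01.000150 IP 10.0.0.2 > 192.168.10.50: ICMP echo request, id 7, seq 2, length 64'

code=$(diagnose "$TUN_CAP" "$VLAN_CAP")
echo "$code: $(explain "$code")"
```

The two captures must run at the same time with the same filter so that one ping from the client shows up in both; the useful distinction is between a request that never leaves the tunnel side of pfSense and a request that reaches the VLAN but draws no reply, because the first points at pfSense's OpenVPN rules while the second points at the management host itself.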