Site-to-site not working
I've been managing a class B openVPN network across the continent for several years successfully now.
Used dd-wrt/openWRT and, more recently, LEDE. I know my way around configuring and managing routers and open source firmware and setting up VPN properly.
Right now I'm testing pfSense advised by an LEDE forum member.
My current setup is running a tap/bridged openVPN server on windows 2012R2 and to it I have a few dd-wrt, openwrt and 2 LEDE routers.
the main network of the openVPN server runs at 172.22.56.0/16
openVPN I had running at 172.22.55.0/16 as copied from the openVPN manual for bridged networking but switched to 192.168.5.0/24 because pfSense complains about unable to route because the network segments in a class B are conflicting (not that any of the wrt routers or windows have a problem with that, but ok, if pfSense can't handle it I can switch openVPN to a segment outside of my class B network)
the other sites are all running 172.22.57.0/16 to 172.22.69.0/16 each physical location their own subnet.
runs wonderfully and works splendidly. With this setup, my openVPN regardless of the overhead runs at speeds up to 280Mbps with 256bit encryption uncompressed.
Now I set up exactly the same way in pfsense as any wrt router.
It connects to the openVPN server wonderfully. No errors, no disconnects.
but clients between the sites can't seem to reach each other.
Dec 26 00:46:53 openvpn 99260 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
Dec 26 00:46:53 openvpn 99260 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Dec 26 00:46:53 openvpn 99595 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Dec 26 00:46:53 openvpn 99595 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 00:46:53 openvpn 99595 Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Dec 26 00:46:54 openvpn 99595 UDPv4 link local (bound): [AF_INET]192.168.2.101
Dec 26 00:46:54 openvpn 99595 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Dec 26 00:46:54 openvpn 99595 [main.obfuscated.com] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Dec 26 00:46:57 openvpn 99595 TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 26 00:46:57 openvpn 99595 TUN/TAP device /dev/tap1 opened
Dec 26 00:46:57 openvpn 99595 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Dec 26 00:46:57 openvpn 99595 /sbin/ifconfig ovpnc1 192.168.5.104 netmask 255.255.255.0 mtu 1500 up
Dec 26 00:46:57 openvpn 99595 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1606 192.168.5.104 255.255.255.0 init
Dec 26 00:46:57 openvpn 99595 Initialization Sequence Completed
On the firewall I simply enabled all traffic (just testing anyway so no need to block anything)
so why can't clients on the network see each other?
remember, I have a working openVPN class B layer 2 network with many physical locations on the continent. But with the same settings on pfSense it's not working.
So something must be wrong with my setup for pfsense.
I assume it's something in the tunnel settings. Any clues?
I did bridge LAN and OPT1 (ovpnc1)
Destination Gateway Flags Use Mtu Netif Expire
default 192.168.2.1 UGS 9451 1500 hn0
127.0.0.1 link#4 UH 44 16384 lo0
172.22.56.0/24 192.168.5.1 UGS 0 1500 ovpnc1
172.22.70.0/24 link#6 U 1821 1500 hn1
172.22.70.2 link#6 UHS 0 16384 lo0
192.168.2.0/24 link#5 U 0 1500 hn0
192.168.2.1 00:15:5d:38:01:00 UHS 6955 1500 hn0
192.168.2.101 link#5 UHS 0 16384 lo0
192.168.5.0/24 link#8 U 428 1500 ovpnc1
192.168.5.104 link#8 UHS 0 16384 lo0
ADD: I must explain I have pfSense running in Hyper-V with 2 NICs bridged
1 NIC is using 192.168.2.2 as IP and 192.168.2.1 as DNS and Gateway to connect to the internet and is configured WAN in pfsense.
the other NIC has 172.22.70.50 as IP and using the 172.22.70.2 as gateway and DNS.
in pfsense this NIC is configured as LAN with 172.22.70.2 as static IP
So my thoughts were, all 172.22.0.0/16 goes through the LAN NIC of pfsense this way
and from there pfsense looking at all incoming as LAN, it directs everything automatically to either 192.168.2.1 for internet and into the tap1 for everything of the virtual private network.
Because that's how every single router I managed over the last 20 years works.
Obviously pfSense doesn't work like asus/dlink/linksys/zte and other routers.
So what's the catch?
ADD: from the shell of the pfSense virtual machine I can access the remote network after the successful openVPN connection.
However, the main windows 2012R2 and the clients attached to this 2nd NIC can't.
I assume the main windows might try to reach for 172.22.0.0 over the default gateway to the main ISP router, which is at 192.168.2.1?
I have no idea why the main windows and the network behind it wouldn't try to reach for 172.22.70.2 for reaching 172.22.0.0 network, but somehow
I think that's the problem here.
so how do I solve it?
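As an added illustration (not part of the original post), the Python below does a longest-prefix-match lookup over the routing table quoted above and reports which gateway and interface pfSense would pick for a given destination, which is the first thing to check when hosts behind the LAN can reach the box but not the far side of the tunnel. The destination addresses checked are constructed examples.

```python
import ipaddress

# Routing table copied from the netstat -rn output posted in the thread.
ROUTE_TABLE = """\
Destination Gateway Flags Use Mtu Netif Expire
default 192.168.2.1 UGS 9451 1500 hn0
127.0.0.1 link#4 UH 44 16384 lo0
172.22.56.0/24 192.168.5.1 UGS 0 1500 ovpnc1
172.22.70.0/24 link#6 U 1821 1500 hn1
172.22.70.2 link#6 UHS 0 16384 lo0
192.168.2.0/24 link#5 U 0 1500 hn0
192.168.2.1 00:15:5d:38:01:00 UHS 6955 1500 hn0
192.168.2.101 link#5 UHS 0 16384 lo0
192.168.5.0/24 link#8 U 428 1500 ovpnc1
192.168.5.104 link#8 UHS 0 16384 lo0
"""


def parse_routes(text):
    """Turn netstat -rn lines into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        dest, gw, flags, _use, _mtu, netif = line.split()[:6]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # Host entries without a prefix length become /32 networks.
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gw, flags, netif))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific route wins, default last."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, flags, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, netif)
    net, gw, flags, netif = best
    return {"route": str(net), "gateway": gw, "flags": flags, "netif": netif}


ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    # Constructed sample destinations: the server LAN, another site, local LAN.
    for dst in ("172.22.56.10", "172.22.57.10", "172.22.70.7", "192.168.5.1"):
        r = lookup(ROUTES, dst)
        print(f"{dst:15} -> {r['route']:16} via {r['gateway']:16} on {r['netif']}")
```

Any destination that resolves to the default route on hn0 is being sent to the ISP router rather than into the tunnel.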
Not sure, but have you seen and tried the setting shown in my screenshot?
Hope that helps.
nvdstruis, it's a site-to-site tunnel, so that setting is moot.
mrgenie, post your server1.conf and client1.conf
Also, post a network map, so we can visualize how things are connected and what subnets are where.