Netgate Discussion Forum
2 Firewalls CARP'd + OpenVPN can access all LAN IPs except 2nd FW

Category: OpenVPN | 5 Posts, 4 Posters, 3.5k Views
adcoment:

I've successfully loaded pfSense w/CARP onto (2) compact flash firewall boxes. I set up OpenVPN on box 1 and can connect with the client in routing mode; however, I cannot access the second firewall via the VPN. I can access the second firewall from a LAN host, so I am at a loss as to why the VPN client cannot, especially when I can access all other hosts. All firewall rules are confirmed the same, as they are CARP'd.

      Any assistance is appreciated.

newmember:

        So to confirm:

        LAN pfsense box IP Address example 192.168.0.1
        LAN pfsense box IP address example 192.168.0.2
        LAN pfsense VIRTUAL IP address example 192.168.0.3

Using your IP address range, which IP address can you connect to through the VPN?
Try all three and let me know what you can connect to.

        I am thinking that you need to connect via 192.168.0.2 to get to the second pfsense box.

rel2001:

          I experience exactly the same problem.
And yes, I am trying to reach the physical LAN address of the second firewall.
          Thanks for any help

          Ariel

Briantist:

            I was about to post a thread about this but searched first. Has anyone figured out a solution to this?

Briantist:

              Well I figured out the problem, but I can't come up with a way to fix it (for me) yet. Let's say your client network (the client to the CARPed firewalls) is 10.20.30.0/24. The server network is 10.40.50.0/24, firewall A is 10.40.50.1 and firewall B is 10.40.50.2.

If the client tries to connect to 10.40.50.1 it works fine, of course. If the client tries to connect to 10.40.50.2 it goes out on the LAN from 10.40.50.1 correctly; the problem here is actually the reply from 10.40.50.2, because it has no route to 10.20.30.0/24. You can solve this by adding a static route on firewall B (10.40.50.2) on the LAN for 10.20.30.0/24 with the gateway set to 10.40.50.1. This only works if firewall A is the VPN server and firewall B is not (if firewall A is down, there is no VPN connection).

In my situation, I have the OpenVPN server configuration duplicated on both firewalls, and I have it listening on the CARP WAN IP. The client connects to the CARP IP so that if one firewall goes down, it will reconnect to the other one automatically as soon as it picks up the CARP IP. That part of it works fine, but I can never connect to the server I'm not connected to.

              I can't add a static route because both have routes for 10.20.30.0 already even if the tunnel is not up and as far as I can tell there's no way I can change this behavior, or otherwise allow for automatically changing the route.

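The asymmetric-routing failure Briantist describes (request reaches firewall B, reply has nowhere to go) is easy to reproduce on paper by tracing the request and the reply separately through each host's routing table. The Python below is an added illustration, not code from the thread or from pfSense: it models the client, firewall A and firewall B as longest-prefix-match tables, using the addresses from the post (10.20.30.0/24 client side, 10.40.50.1 and 10.40.50.2 on the LAN). The tunnel subnet 10.8.0.0/24, the client's own address 10.20.30.5 and firewall B's WAN gateway 203.0.113.1 are constructed placeholders. With the static route added on B the reply path closes; without it the reply leaves B toward its default gateway and never comes back.

```python
# Added illustration (not from the thread): model the three hosts as routing
# tables and trace a packet and its reply with longest-prefix lookups.
# Addresses follow Briantist's example; the tunnel subnet 10.8.0.0/24, the
# client's own address 10.20.30.5 and the WAN gateway 203.0.113.1 are
# constructed placeholders.
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    addrs: set    # addresses owned by this host
    table: list   # routing table: [(network, next_hop)], next_hop None = directly connected


def ip(text):
    return ipaddress.ip_address(text)


def make_table(routes):
    """routes: iterable of (prefix, next_hop_or_None) strings."""
    return [(ipaddress.ip_network(prefix), ip(nh) if nh else None) for prefix, nh in routes]


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None for 'no route'."""
    best = None
    for net, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def owner_of(hosts, addr):
    for name, host in hosts.items():
        if addr in host.addrs:
            return name
    return None


def trace(hosts, start, dst, max_hops=8):
    """Follow the routing tables from `start` toward `dst`.
    Returns (path, delivered); the path stops where the packet is dropped or
    leaves the modelled network (e.g. toward a WAN gateway we do not model)."""
    dst = ip(dst)
    path, cur = [start], start
    for _ in range(max_hops):
        if dst in hosts[cur].addrs:
            return path, True
        route = lookup(hosts[cur].table, dst)
        if route is None:
            return path, False                    # no route at all: dropped
        next_hop = route[1]
        nxt = owner_of(hosts, dst if next_hop is None else next_hop)
        if nxt is None:
            return path, False                    # next hop is outside the model
        path.append(nxt)
        cur = nxt
    return path, False


def round_trip(hosts, src_host, src_ip, dst_ip):
    """Trace request and reply separately: a TCP session needs both to arrive."""
    fwd, fwd_ok = trace(hosts, src_host, dst_ip)
    reply, reply_ok = trace(hosts, fwd[-1], src_ip) if fwd_ok else ([], False)
    return {"forward": fwd, "forward_ok": fwd_ok, "reply": reply, "reply_ok": reply_ok}


def build_scenario(static_route_on_b):
    client = Host({ip("10.20.30.5"), ip("10.8.0.2")}, make_table([
        ("10.20.30.0/24", None), ("10.8.0.0/24", None),
        ("10.40.50.0/24", "10.8.0.1")]))          # pushed route: LAN via the tunnel
    fw_a = Host({ip("10.40.50.1"), ip("10.8.0.1")}, make_table([
        ("10.40.50.0/24", None), ("10.8.0.0/24", None),
        ("10.20.30.0/24", "10.8.0.2")]))          # OpenVPN server knows the client net
    b_routes = [("10.40.50.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if static_route_on_b:
        b_routes.append(("10.20.30.0/24", "10.40.50.1"))   # the fix from the post
    fw_b = Host({ip("10.40.50.2")}, make_table(b_routes))
    return {"client": client, "fwA": fw_a, "fwB": fw_b}


if __name__ == "__main__":
    for fixed in (False, True):
        hosts = build_scenario(fixed)
        for target in ("10.40.50.1", "10.40.50.2"):
            print(f"static route on B={fixed}, target {target}:",
                  round_trip(hosts, "client", "10.20.30.5", target))
```

The same two-direction trace is a useful habit whenever a host behind a redundant pair is reachable from the LAN but not through a tunnel: check where the reply goes, not just where the request goes. It also shows why the route-based fix stops working once the OpenVPN server can fail over to firewall B, since B then already carries a route for 10.20.30.0/24 that points into its own tunnel rather than at firewall A.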
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.