OpenVPN and Multi-WAN



    Dear All,

    For years, I am using 2 CARP routers (currently pfSense 2.4.1) in two locations connected via OpenVPN. Both sets of routers have 2 WANs. Ideally, I would like to use OSPF in a setting like it is described in the book (https://portal.pfsense.org/docs/book/openvpn/openvpn-and-multi-wan.html?highlight=ospf). However, I am unable to implement that so far.

    As no one responded to my post under Routing and Multi WAN last year (https://forum.pfsense.org/index.php?topic=110971.msg617840), I am trying again here.

    The LAN (virtual) IPs to be connected are 192.168.1.1 <-> 192.168.12.1. The devices have LAN IPs 192.168.1.78, 192.168.1.79, 192.168.12.78 and 192.168.12.79 respectively.

    Normally (working for years), I am using no OSPF routing, and an OpenVPN config with "IPv4 Remote Network(s)" filled in, tunnel networks 192.168.18.0/30 and 192.168.19.0/30 for the two connections, and a net30 topology.

    Then, the routing table does contain (on one side, the other one being similar):

    192.168.12.0/24  192.168.18.2  UGS  ... ... ovpns3
    192.168.18.1        link#16          UHS  ... ... lo
    192.168.18.2        link#16          UH    ... ... ovpns3
    192.168.19.1        link#17          UHS  ... ... lo
    192.168.19.2        link#17          UH    ... ... ovpns4

    All hosts in 192.168.1.0 and 192.168.12.0 do see each other.

    Alternatively, with OSPF based on the FRR 0.0.3 package, I deleted "IPv4 Remote network(s)" in the OpenVPN config (I assume that "IPv4 Local network(s)" on the server side can stay), enabled OSPF and cleared states after making the change.

    Then, each router can ping each host at the other end without issues. However, hosts on the one side can - unlike the routers themselves - no longer ping hosts on the other side.

    FRR/OSPF status does show:

    OSPF Neighbors
    Neighbor ID    Pri State          Dead Time Address        Interface            RXmtL RqstL DBsmL
    192.168.12.78    1 Full/DROther      38.242s 192.168.18.2    ovpns3:192.168.18.1      0    0    0
    192.168.12.78    1 Full/DROther      38.416s 192.168.19.2    ovpns4:192.168.19.1      0    0    0
    OSPF Routes
    ============ OSPF network routing table ============
    N    192.168.1.0/24        [10] area: 0.0.0.0
                              directly attached to lagg0
    N    192.168.12.0/24      [20] area: 0.0.0.0
                              via 192.168.18.2, ovpns3

    ============ OSPF router routing table =============

    ============ OSPF external routing table ===========

    The routing table contains (almost identical, just flag UG1 instead of UGS in first line):

    192.168.12.0/24  192.168.18.2  UG1  ... ... ovpns3
    192.168.18.1        link#16          UHS  ... ... lo
    192.168.18.2        link#16          UH    ... ... ovpns3
    192.168.19.1        link#17          UHS  ... ... lo
    192.168.19.2        link#17          UH    ... ... ovpns4

    Can someone please point me to how to enable full connectivity again (i.e., each host in 192.168.1.1 should see each host in 192.168.12.1 and vice versa)?

    Regards,

    Michael Schefczyk
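As an added diagnostic helper (not part of the post above, and not pfSense or FRR code), the following script parses the FRR neighbor table and the FreeBSD routing table as pasted in the post and reports which OSPF adjacencies are Full and which of those tunnels actually carry the kernel route to the remote LAN. The sample text is constructed from the post's own output; the remote network 192.168.12.0/24 and the interface names ovpns3/ovpns4 are taken from it.

```python
import re

# Constructed sample: FRR "OSPF Neighbors" output as shown in the post.
NEIGHBORS = """\
Neighbor ID    Pri State          Dead Time Address        Interface            RXmtL RqstL DBsmL
192.168.12.78    1 Full/DROther      38.242s 192.168.18.2    ovpns3:192.168.18.1      0    0    0
192.168.12.78    1 Full/DROther      38.416s 192.168.19.2    ovpns4:192.168.19.1      0    0    0
"""

# Constructed sample: netstat -rn style lines as shown in the post (OSPF case).
ROUTES = """\
192.168.12.0/24  192.168.18.2  UG1  ... ... ovpns3
192.168.18.1        link#16          UHS  ... ... lo
192.168.18.2        link#16          UH    ... ... ovpns3
192.168.19.1        link#17          UHS  ... ... lo
192.168.19.2        link#17          UH    ... ... ovpns4
"""

# Neighbor ID, Pri, State, Dead Time, Address, Interface:local-address
NEIGH_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+(\S+)\s+(\w+):(\S+)")


def parse_neighbors(text):
    """Return {interface: (neighbor_id, adjacency_state, peer_address)}."""
    out = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:  # header line does not match because "ID" is not numeric
            nid, state, addr, iface, _local = m.groups()
            out[iface] = (nid, state.split("/")[0], addr)
    return out


def parse_routes(text):
    """Return [(destination, gateway, flags, interface)] from routing-table lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            rows.append((parts[0], parts[1], parts[2], parts[-1]))
    return rows


def check_tunnel_routing(neigh_text, route_text, remote_net):
    """Compare Full adjacencies with the tunnels that really carry remote_net."""
    neigh = parse_neighbors(neigh_text)
    full = {i for i, (_, st, _) in neigh.items() if st == "Full"}
    # A tunnel "carries" the route only if the kernel gateway is that neighbor's address.
    carrying = {iface for dest, gw, _flags, iface in parse_routes(route_text)
                if dest == remote_net and iface in neigh and gw == neigh[iface][2]}
    return {"full": sorted(full), "carrying": sorted(carrying), "idle": sorted(full - carrying)}
```

On the post's data this reports both ovpns3 and ovpns4 as Full but only ovpns3 carrying 192.168.12.0/24, which confirms that the kernel route is installed through one tunnel; comparing the same output on the far-side router and on the second CARP node shows whether the return path for LAN hosts is installed there at all.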
