Routing problems between virtual subnet and remote client machine
-
Dear pfsense pros,
I'm new to both pfSense and BSD, and I have reached a point where I don't know how to continue on my own. I have read lots of threads and followed several manuals, without success. I guess my problem could be very simple, but I can't find the solution by trial and error alone. Would anybody be willing to give me a hand?
What I have
- A Windows 10 PC with IP 10.41.0.100, firewall disabled
- A pfSense virtual appliance with IP 192.168.151.2/24 "in the front" and 192.168.51.1/24 "in the back"
- The virtual network is 192.168.52.0/24; pfSense gets 192.168.52.1, the PC gets 192.168.52.2
- There are several physical and virtual interfaces in subnet 192.168.51.0/24
- The OpenVPN connection from the PC 10.41.0.100 to the pfSense virtual appliance 192.168.151.2 works inside the OpenVPN virtual network: I can ping the pfSense on interface 192.168.52.1 and even administer it via the web GUI.
- Packet filtering in the pfSense menu "Firewall" is set to "no filtering" -> act as a router only
What I want
- reach all interfaces of 192.168.51.0/24 from that single Windows PC
Problem
- I cannot reach any interface in 192.168.51.0/24, not even the pfSense interface 192.168.51.1.
Traceroute:
When I perform a traceroute on machine 192.168.51.68 (a random machine in the subnet behind pfSense) to 192.168.52.2 (the virtual OpenVPN interface of the Windows PC), pfSense routes the traffic via its default gateway:
Tracing route to 192.168.52.2 over a maximum of 30 hops
1 <1ms <1ms <1ms 192.168.51.1
2 <1ms <1ms <1ms 192.168.151.1
3 2ms 2ms 2ms 10.151.0.61
4 ….. default route outside company network, to the internet
When I perform a traceroute on machine 192.168.51.68 (a random machine in the subnet behind pfSense) to 10.41.0.100 (the physical interface of the Windows PC), pfSense uses its default gateway too:
Tracing route to 10.41.0.100 over a maximum of 30 hops
1 <1ms <1ms <1ms 192.168.51.1
2 <1ms <1ms <1ms 192.168.151.1
3 2ms 2ms 2ms 10.151.0.61
4 3ms 3ms 3ms 10.41.0.100
When I perform a traceroute on the Windows PC (interface 10.41.0.100, virtual interface 192.168.52.2) to a random machine in subnet 192.168.51.0/24, it routes the traffic to the virtual interface of pfSense, but no further:
Tracing route to 192.168.51.68 over a maximum of 30 hops
1 3ms 3ms 3ms 192.168.52.1
2 * * * Request timed out.
3 * * * Request timed out.
So it seems pfSense doesn't route between its subnet 192.168.51.0/24, for which it is the default gateway, and its OpenVPN virtual network.
192.168.151.1 is the default gateway for traffic leaving pfSense. 192.168.151.1 is the IP of an interface on a Fortigate 200B firewall appliance. There is an IPsec connection between the two interfaces 192.168.151.1 (Fortigate) and 192.168.151.2 (pfSense), and routing is dynamic using OSPF, with Quagga_OSPF talking to the Fortigate interface.
The virtual pfSense has one base interface "vmx0" with a VMware ESXi interface tagged "vlan 4095" for "all vlans".
pfSense interface "LAN" 192.168.51.1/24 is untagged on "vmx0"; 192.168.151.2/24 is tagged in VLAN 500 on "vmx0".
OpenVPN is in "tun - Layer 3 Tunnel Mode".
IPv4 routes in pfSense:
Destination        Gateway            Flags     Use    Mtu  Netif
default            192.168.151.1      UGS       659   1500  vmx0.500
...
192.168.51.0/24    link#1             U       14565   1500  vmx0
192.168.51.1       link#1             UHS         0  16384  lo0
192.168.52.0/24    192.168.52.2       UGS         0   1500  ovpns1
192.168.52.1       link#23            UHS         0  16384  lo0
192.168.52.2       link#23            UH        254   1500  ovpns1
192.168.151.0/24   link#22            U       29301   1500  vmx0.500
192.168.151.2      link#22            UHS         0  16384  lo0
...
pfSense version is
2.4.1-RELEASE (amd64)
built on Sun Oct 22 17:26:33 CDT 2017
FreeBSD 11.1-RELEASE-p2
I assume I am doing something wrong with routing, since nothing goes back through the VPN tunnel, but I don't know what I'm doing wrong. What should be my next step in the troubleshooting list? Could an expert help me out?
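The routing table above already says which interface pfSense itself would pick for each destination in the three traceroutes, so a practitioner's first check is to compare what the table predicts with what the traceroutes actually show. The following is an added example (not code from the post or from pfSense): a small longest-prefix-match lookup over a pfSense/FreeBSD style route listing. The sample table is the one the poster shared, with the elided rows dropped; the column order (Destination, Gateway, Flags, Use, Mtu, Netif) is the one shown in the post, and the destination addresses are the ones from the traceroutes.

```python
"""Longest-prefix lookup against a pfSense/FreeBSD 'netstat -rn' style table.

Added example, not code from the forum post. The sample table is the IPv4
routing table the poster shared (elided rows removed). Each lookup reports
the interface that table predicts for a destination, so it can be compared
with the hop list a real traceroute produced.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Routing table as posted; the parser skips the header and "..." rows.
SAMPLE_ROUTES = """
Destination        Gateway            Flags     Use    Mtu  Netif
default            192.168.151.1      UGS       659   1500  vmx0.500
...
192.168.51.0/24    link#1             U       14565   1500  vmx0
192.168.51.1       link#1             UHS         0  16384  lo0
192.168.52.0/24    192.168.52.2       UGS         0   1500  ovpns1
192.168.52.1       link#23            UHS         0  16384  lo0
192.168.52.2       link#23            UH        254   1500  ovpns1
192.168.151.0/24   link#22            U       29301   1500  vmx0.500
192.168.151.2      link#22            UHS         0  16384  lo0
...
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "link#N" for a directly connected net
    flags: str
    netif: str

    @property
    def is_direct(self) -> bool:
        # No 'G' flag: deliver on-link, no next-hop router involved.
        return "G" not in self.flags


def parse_routes(text: str) -> list[Route]:
    """Parse 'Destination Gateway Flags Use Mtu Netif' rows into Route objects."""
    routes: list[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank line or elided "..." row
        dest, gw, flags, netif = parts[0], parts[1], parts[2], parts[5]
        if dest == "default":
            dest = "0.0.0.0/0"
        elif not dest[0].isdigit():
            continue  # column header
        elif "/" not in dest:
            dest += "/32"  # host route (H flag): a single address
        routes.append(Route(ipaddress.IPv4Network(dest, strict=False), gw, flags, netif))
    return routes


def lookup(routes: list[Route], dst: str) -> Route:
    """Return the most specific route covering dst (longest-prefix match)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.network.prefixlen)


def describe(routes: list[Route], dst: str) -> str:
    r = lookup(routes, dst)
    via = "directly on" if r.is_direct else f"via {r.gateway} on"
    return f"{dst} -> {via} {r.netif} (matched {r.network})"


def round_trip(routes: list[Route], src: str, dst: str) -> tuple[str, str]:
    """Interfaces the router uses for src->dst and for the reply dst->src.

    If either differs from the hops a traceroute shows, the box was not using
    this table when the packet passed (e.g. tunnel route not installed), or
    the packet took a different path than assumed.
    """
    return lookup(routes, dst).netif, lookup(routes, src).netif


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for host in ("192.168.51.68", "192.168.52.2", "10.41.0.100"):
        print(describe(table, host))
    # LAN host to the PC's tunnel address and the reply:
    print(round_trip(table, "192.168.51.68", "192.168.52.2"))  # ('ovpns1', 'vmx0')
    # LAN host to the PC's physical address: reply must leave via the default gateway.
    print(round_trip(table, "192.168.51.68", "10.41.0.100"))   # ('vmx0.500', 'vmx0')
```

Run against the posted table, the lookup predicts ovpns1 for 192.168.52.2, whereas the first traceroute shows the packet leaving via 192.168.151.1; the second traceroute (to 10.41.0.100) matches the table exactly, because 10.41.0.0/16 is covered only by the default route. The same script can be pointed at the live output of `netstat -rn` on the box (or the Windows `route print` table, after adapting the parser) to check the return path at the moment the problem is reproduced.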
-
Asked two specialists and still no solution. It seems the problem is not that trivial :-(
-
Can the OpenVPN server and IPsec be used on the same interface? That's what I'm trying to do on interface vmx0.500. I guess that could be the source of the problem.