Gateway Issue or DNS issue



  • This is my first post, so hopefully I have provided all the relevant information needed to help to resolve the issue I have. If any further info is required, please ask.

    I'm setting up an OpenVPN server for the company I work for. Everything went smoothly enough setting up, but I think I have a gateway issue and can't figure out how or why.

    I'm running on pfSense 2.4.2-RELEASE-p1

    Attached is a route print with redirect-gateway def1 added to the config.

    IPv4 Route Table

    Active Routes:
    Network Destination    Netmask            Gateway        Interface      Metric
    0.0.0.0                0.0.0.0            192.168.1.1    192.168.1.16       20
    0.0.0.0                128.0.0.0          192.168.2.1    192.168.2.2       276
    192.168.2.0            255.255.255.0      On-link        192.168.2.2       276
    192.168.2.2            255.255.255.255    On-link        192.168.2.2       276
    192.168.2.255          255.255.255.255    On-link        192.168.2.2       276
    10.25.1.0              255.255.252.0      192.168.2.1    192.168.2.2       276
    A.B.C.D                255.255.255.255    192.168.1.1    192.168.1.16      276
    127.0.0.0              255.0.0.0          On-link        127.0.0.1         306
    127.0.0.1              255.255.255.255    On-link        127.0.0.1         306
    127.255.255.255        255.255.255.255    On-link        127.0.0.1         306
    128.0.0.0              128.0.0.0          192.168.2.1    192.168.2.2       276
    192.168.1.0            255.255.255.0      On-link        192.168.1.16      276
    192.168.1.16           255.255.255.255    On-link        192.168.1.16      276
    192.168.1.255          255.255.255.255    On-link        192.168.1.16      276
    192.168.56.0           255.255.255.0      On-link        192.168.56.1      266
    192.168.56.1           255.255.255.255    On-link        192.168.56.1      266
    192.168.56.255         255.255.255.255    On-link        192.168.56.1      266
    224.0.0.0              240.0.0.0          On-link        127.0.0.1         306
    224.0.0.0              240.0.0.0          On-link        192.168.56.1      266
    224.0.0.0              240.0.0.0          On-link        192.168.2.2       276
    224.0.0.0              240.0.0.0          On-link        192.168.1.16      276
    255.255.255.255        255.255.255.255    On-link        127.0.0.1         306
    255.255.255.255        255.255.255.255    On-link        192.168.56.1      266
    255.255.255.255        255.255.255.255    On-link        192.168.2.2       276
    255.255.255.255        255.255.255.255    On-link        192.168.1.16      276

    Persistent Routes:
      None

    A trace route to an internal IP of a web server on the LAN is fine:

      1     9 ms    10 ms    10 ms  192.168.2.1
      2    10 ms    12 ms    15 ms  10.25.3.100

    A trace route to Google doesn't get past the VPN gateway:

    Tracing route to google.com [216.58.206.142]
    over a maximum of 30 hops:

      1     9 ms     9 ms     9 ms  192.168.2.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.

    If I go to any internal or external website I lose the VPN connection.

    My company LAN network is 10.25.1.0/22 with the following:

    Gateway: 10.25.2.5
    DHCP:    10.25.1.63
    DNS 1:  10.25.1.53
    DNS 2:  10.25.2.52

    On a side note, I can't resolve DNS over the VPN but can on the local network, although this may still be related to the gateway issue.

    Thanks

    Rob



  • I think I've now narrowed down the issue but I'm not sure how to resolve it.

    If I do a trace route in the pfSense GUI on the WAN interface, I get back the route information I would expect; however, if I do the same on the LAN or OpenVPN interface it stops at the first hop (the LAN gateway address).

    DNS is provided by the AD server on 10.25.1.53 but for some reason the LAN interface (and OVPN) cannot resolve this DNS.

    Can anyone tell me what I'm missing?

    Rob.



  • Please, give detailed information.

    What is the WAN IP of pfSense? Is it public?
    What is the LAN IP?

    @RobTech:

    If I do a trace route in the pfSense GUI on the WAN interface, I get back the route information I would expect; however, if I do the same on the LAN or OpenVPN interface it stops at the first hop (the LAN gateway address).

    Please post these outputs.

    Is pfSense the default gateway in the company's LAN?

    The routing table above is taken from a Windows client connected to the OpenVPN server via internet?

    What are your outbound NAT settings?



  • Sorry for the delay in getting back to you. I can try and explain exactly the setup I have but a diagram would be better. I'll see if I can create one later today.

    However, the setup is as follows. The internet connection that comes into our building is one of 10 external IP addresses we have. These go into a Cyberoam firewall. One of these IP addresses gets mapped to a specific LAN port on the Cyberoam firewall, which the pfSense WAN connection connects to. The LAN port on the pfSense box connects to a network switch on the internal LAN.

    My company won't allow me to publicize the external IP addresses we use, so I'll use 1.1.1.1 for the sake of explanation. Here is how it's set up:

    Cyberoam - WAN 1.1.1.1- LAN Port G - 192.168.1.254
    pfSense - WAN 192.168.1.1  - LAN 10.25.1.240

    LAN IP on pfSense is obtained via DHCP (Reserved) from a Windows 2012 server.

    The default gateway is not pfSense. All services (AD, DNS, DHCP) are handled by Windows 2012 on the internal LAN.
    Internal LAN is 10.25.1.0/22 - 255.255.252.0, Gateway: 10.25.2.5.

    The routing table is taken from a Windows client connected to the OpenVPN server via internet.

    Outbound NAT is set to automatic with the following rules:

    Interface  Source                       Src port  Destination  Dst port  NAT address  NAT port  Description
    WAN        127.0.0.0/8, 192.168.2.0/24  *         *            500       WAN address  *         Auto created rule for ISAKMP
    WAN        127.0.0.0/8, 192.168.2.0/24  *         *            *         WAN address  *         Auto created rule
    LAN        127.0.0.0/8, 192.168.2.0/24  *         *            500       LAN address  *         Auto created rule for ISAKMP
    LAN        127.0.0.0/8, 192.168.2.0/24  *         *            *         LAN address  *         Auto created rule

    My intention is to eventually convince my employer to drop Cyberoam and use pfSense instead but small steps first.

    If you need any further information or clarification please let me know.

    Thanks,

    Rob.


  • LAYER 8 Global Moderator

    Why would LAN have outbound NAT? You set a gateway on your LAN... which is borked. Only WANs have gateways set.



  • Hi,

    That certainly makes sense. I'm not sure what I have done to cause auto-generated outbound NAT rules to be created that include LAN in them. Can you offer any advice on why this might have happened and how I'd go about removing these references?

    Am I right in that I should expect to see 127.0.0.0/8, 192.168.1.0/24 and 192.168.2.0/24 in the automatic rules?

    Thanks,

    Rob.


  • LAYER 8 Global Moderator

    What is the setup on your other interfaces, other than your WAN? These 192.168.1/24 and 192.168.2/24 networks:

    0.0.0.0                          0.0.0.0                  192.168.1.1    192.168.1.16  20
    0.0.0.0                          128.0.0.0              192.168.2.1    192.168.2.2    276

    LAN IP on pfSense is obtained via DHCP (Reserved) from a Windows 2012 server.
    Huh??

    Please draw up your network. What exactly do you want pfSense to do? Its "LAN" interfaces should not be DHCP...



  • I'll do a diagram because it will likely explain it far better.

    The very short version of what I want to achieve is as follows:

    We have an internal domain network and want to attach a pfSense box to this network. The LAN connection will connect to the local network and the WAN connection to the internet, and then use OpenVPN to allow full network access including resolving host names to VPN clients. IP addresses are assigned by the internal LAN and not the pfSense box.

    Thanks again for your guidance.

    Rob.



  • @RobTech:

    I'm not sure what I have done to cause auto generated outbound NAT rules to be created that include LAN in them. Can you offer any advice on why this might have happened and how I'd go about removing these references.

    There should not be a gateway set on interfaces connected to local networks, as long as there is no particular reason for that.
    The LAN interface should be configured with a static IP, not by DHCP.

    Since pfSense is not your default gateway in the LAN, you either have to set a static route on each LAN device you want to reach via VPN to direct VPN responses back to pfSense, or you have to set an outbound NAT rule on the LAN interface to translate the source address of VPN packets to the LAN address when they go out to the LAN network, so that responses are directed back to pfSense.
    The NAT solution may be easier to set up, but has the drawback that you're not able to determine the true VPN client on the destination device.

    The best way is to run the VPN server on the default gateway. Alternatively, you may set up a transit network between the default gateway and pfSense.

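The following Python model is an added illustration for this thread; it is not code from the poster, the responders or pfSense. It covers two points raised above: the first post's Windows route table, where it parses the pasted `route print` rows and does a longest-prefix lookup to show why the two /1 routes pushed by `redirect-gateway def1` win over the existing metric-20 default without touching it; and the answer just above, where it traces the web server's reply back to the VPN client when pfSense (10.25.1.240) is not the LAN default gateway (10.25.2.5), first with no fix, then with a static route for 192.168.2.0/24 on the LAN host, then with outbound NAT on the pfSense LAN interface. The host names, the assumption that the LAN default gateway has no route for the tunnel network and hands such packets to an upstream at the placeholder address 203.0.113.1, and the single-metric routes on the modelled hosts are all assumptions, not facts from the thread.

```python
import ipaddress

# The poster's Windows route table (rows copied from the first post; A.B.C.D is
# the redacted VPN server address and is skipped by the parser).
ROUTE_PRINT = """
Network Destination    Netmask            Gateway        Interface      Metric
0.0.0.0                0.0.0.0            192.168.1.1    192.168.1.16       20
0.0.0.0                128.0.0.0          192.168.2.1    192.168.2.2       276
192.168.2.0            255.255.255.0      On-link        192.168.2.2       276
10.25.1.0              255.255.252.0      192.168.2.1    192.168.2.2       276
A.B.C.D                255.255.255.255    192.168.1.1    192.168.1.16      276
128.0.0.0              128.0.0.0          192.168.2.1    192.168.2.2       276
192.168.1.0            255.255.255.0      On-link        192.168.1.16      276
"""

def parse_route_print(text):
    """Turn the Active Routes rows of `route print` into
    (network, gateway, interface, metric) tuples; non-route rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # header, blank or "Persistent Routes:"
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue                      # the redacted A.B.C.D row
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; among equal prefix lengths the lowest metric wins.
    That is why def1's two /1 routes beat the metric-20 /0 route."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None

CLIENT_ROUTES = parse_route_print(ROUTE_PRINT)

def host(name, addrs, routes):
    """A modelled LAN host (assumed, not from the thread): its addresses plus
    (destination, mask, gateway) routes; gateway "On-link" = directly connected."""
    table = [(ipaddress.IPv4Network(f"{d}/{m}"), gw, name, 1) for d, m, gw in routes]
    return {"name": name,
            "addrs": {ipaddress.IPv4Address(a) for a in addrs},
            "routes": table}

def trace(hosts, src, dst, max_hops=8):
    """Forward one packet hop by hop from host `src` towards address `dst`.
    Returns (names of the hosts it passed through, outcome)."""
    by_addr = {a: h for h in hosts for a in h["addrs"]}
    dst = ipaddress.IPv4Address(dst)
    cur, path = src, [src["name"]]
    for _ in range(max_hops):
        if dst in cur["addrs"]:
            return path, "delivered"
        route = lookup(cur["routes"], dst)
        if route is None:
            return path, f"no route on {cur['name']}"
        nxt = dst if route[1] == "On-link" else ipaddress.IPv4Address(route[1])
        if nxt not in by_addr:
            return path, f"{cur['name']} sends it to {nxt}, outside the modelled LAN"
        cur = by_addr[nxt]
        path.append(cur["name"])
    return path, "hop limit exceeded"

def build_lan(fix=None):
    """The LAN from the thread: pfSense at 10.25.1.240 is not the default
    gateway, 10.25.2.5 is.  fix: None, "static_route" (192.168.2.0/24 via pfSense
    on the web server) or "nat" (pfSense rewrites the VPN source to 10.25.1.240)."""
    client = {"name": "vpn-client", "addrs": {ipaddress.IPv4Address("192.168.2.2")},
              "routes": CLIENT_ROUTES}
    pfsense = host("pfsense", ["192.168.2.1", "10.25.1.240"],
                   [("192.168.2.0", "255.255.255.0", "On-link"),
                    ("10.25.0.0", "255.255.252.0", "On-link"),
                    ("0.0.0.0", "0.0.0.0", "192.168.1.254")])   # WAN side, not modelled
    web_routes = [("10.25.0.0", "255.255.252.0", "On-link"),
                  ("0.0.0.0", "0.0.0.0", "10.25.2.5")]
    if fix == "static_route":
        web_routes.append(("192.168.2.0", "255.255.255.0", "10.25.1.240"))
    webserver = host("webserver", ["10.25.3.100"], web_routes)
    # Assumption: the LAN default gateway has no route for the tunnel network and
    # hands such packets to its own upstream; 203.0.113.1 is a placeholder.
    gateway = host("lan-gateway", ["10.25.2.5"],
                   [("10.25.0.0", "255.255.252.0", "On-link"),
                    ("0.0.0.0", "0.0.0.0", "203.0.113.1")])
    return {"client": client, "pfsense": pfsense, "webserver": webserver, "gateway": gateway}

def reply_path(fix=None):
    """Path of the web server's reply to the VPN client under the given fix."""
    lan = build_lan(fix)
    reply_to = "10.25.1.240" if fix == "nat" else "192.168.2.2"
    return trace(lan.values(), lan["webserver"], reply_to)

if __name__ == "__main__":
    for ip in ("216.58.206.142", "10.25.3.100"):
        net, gw, _, _ = lookup(CLIENT_ROUTES, ip)
        print(f"client sends {ip} via {gw} (matched {net})")
    lan = build_lan()
    print("forward:", trace(lan.values(), lan["client"], "10.25.3.100"))
    for fix in (None, "static_route", "nat"):
        print(f"reply ({fix}):", reply_path(fix))
```

Running it shows the forward direction working in every case (client to pfSense to web server) while the unfixed reply goes to 10.25.2.5 and leaves the LAN, which matches the symptom of connections stalling once a LAN host answers. The "nat" case is the one the auto-created LAN outbound NAT rules in the thread would produce; its cost is that the web server only ever sees 10.25.1.240 as the client address.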

  • LAYER 8 Global Moderator

    If there is going to be some other default gateway on what amounts to pfSense's "LAN" with clients on it, but they need to go through pfSense to get somewhere, you are most likely going to run into asymmetrical issues.

    If there is a router downstream of pfsense, and pfsense will be a "gateway" to get to some other network, then pfsense should be connected to this downstream network via a transit network, not a network with hosts on it, etc.



    I've now managed to create a diagram; hopefully this will explain it better:

    I'll have to look at what a transit network is though, as I'm not familiar with the term.

    Thanks,

    Rob.




  • I have a misprint on diagram. The workstation IP range is 10.25.1.1 - 10.25.4.253

    Rob.


  • LAYER 8 Global Moderator

    Where is this 192.168.2 network in that drawing?

    192.168.2 is your OpenVPN tunnel network; how would that create an outbound NAT on your LAN??

    See my attachment: the 10.0.8 and 10.0.200 are my two VPN tunnel networks. The outbound NAT is on the WAN.


