Netgate Discussion Forum
    [SOLVED] Unable to pass traffic from local network to one of two remote networks under OpenVPN

    Category: Firewalling
    6 Posts 2 Posters 881 Views
    SipriusPT (last edited by SipriusPT):

      Hello,

      I have an OpenVPN site-to-site connection working, where I can communicate without problems from the local network 10.0.0.0/24 to the remote network 10.0.10.0/24, except for the network that is connected to the WAN port (192.168.1.0/24) of the pfSense that is making the VPN.

      This is the scenario:

      0_1536057740123_Screenshot_7.jpg

      I am able to communicate from 10.0.0.100 to 10.0.10.100 and from the OpenVPN Connection A interface to 192.168.1.100. If I try to communicate from 10.0.0.100 to 192.168.1.100, I am unable to get traffic to pass. I have the OpenVPN Connection A server configured to route both 10.0.10.0/24 and 192.168.1.0/24 to the VPN tunnel:

      0_1536060013909_b577a5c7-5478-45ec-834c-81152b85157e-image.png

      Now, I was expecting it to route from 10.0.0.0/24 to both 10.0.10.0/24 and 192.168.1.0/24, but it doesn't, and I don't have any rule on the source interface to reject or block traffic to 192.168.1.0/24.

      Do you know a way where I could set 10.0.0.0/24 to communicate with 192.168.1.0/24?

      Thanks!

      1xSG-4860-1U
      1xSG-3100
      2xpfSense Virtual Machines

      viragomann:

        Since there are two routers at site B, I presume the WAN network 192.168.1.0/24 doesn't use the pfSense which establishes the VPN as its default gateway.
        So you will have to add a static route on 192.168.1.100 for the remote network 10.0.0.0/24 pointing to the pfSense interface IP.

        SipriusPT:

          Thanks for the response viragomann.

          Not sure if I have understood, but I already have an entry in the remote networks of the OpenVPN Connection A server for 192.168.1.0/24, and I can communicate from that server to that network.

          "Never add static routes for networks reachable via OpenVPN. Such routes are managed by OpenVPN itself using Remote Network definitions, not static routes."

          https://www.netgate.com/docs/pfsense/routing/static-routes.html

          And in the static route options I am unable to set a source network; only the destination network is available.

          Can you be more specific please?

          viragomann:

            The quoted message "Never add static routes ..." refers to pfSense itself.
            In your case the static route has to be added to another device.

            Assuming that the outbound NAT of pfSense on site B is in automatic mode, there will be a rule for the VPN tunnel subnet on the WAN interface translating sources to the WAN address. Therefore you can access 192.168.1.100 from site A's OpenVPN interface, because it's part of the tunnel network.

            If you don't want to add the static route to the device, you can also resolve this by adding an additional outbound NAT rule on site B's pfSense WAN interface for the source 10.0.0.0/24.

            SipriusPT (last edited by SipriusPT):

              I forgot to say, but the primary router of site B is a Technicolor TG789vac, where the OS is very limited; it's a home router. It's just used as an uplink.

              On site B, NAT is in Hybrid Outbound NAT mode; I have a mapping there for a device.

              I had already done that, but I notice now that by mistake I had chosen the LAN interface instead of WAN for "matched as it exits the firewall"...

              0_1536142695487_Screenshot_8.jpg

              Now it's working!

              Thanks for the help one more time viragomann!!

              PS. If some moderator could move this thread to NAT forum group, would be great, thanks!

              viragomann (last edited by viragomann):

                No, that's basically a routing issue.
                You got no response from the device because it has no route to the site A LAN, so it sent response packets to its default gateway instead of pfSense.

                However, this can also be resolved by NAT. The NAT rule translates the source addresses in request packets into the pfSense WAN interface address, so responses are sent back to pfSense.
                The drawback of NAT is that you're not able to determine where the request comes from on the destination device, because any request from site A has the pfSense interface address as its source.

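The routing behaviour viragomann describes in the two replies above (the host's reply going to its default gateway, the static-route fix, and the outbound-NAT fix that hides the original source address) as an added worked example; this is not code from the thread or from pfSense. It models the routing table of 192.168.1.100 with longest-prefix matching. The pfSense site B WAN address (192.168.1.2), the Technicolor's LAN address (192.168.1.1) and the function names are assumptions, since the thread does not give them.

```python
"""Return-path model for the thread above (added example, hypothetical addresses).

Site A LAN 10.0.0.0/24 reaches site B through the OpenVPN tunnel terminated on the
site B pfSense, whose WAN sits in 192.168.1.0/24 behind the Technicolor home router.
The host 192.168.1.100 answers a request by consulting its own routing table, so
the question is where its reply goes and which source address it ever sees.
"""
import ipaddress

SITE_A_LAN = "10.0.0.0/24"
SITE_A_HOST = "10.0.0.100"
PFSENSE_B_WAN = "192.168.1.2"  # assumption: the thread does not give this address
HOME_ROUTER = "192.168.1.1"    # assumption: Technicolor LAN address, the host's default gateway
ON_LINK = "on-link"            # marker for a directly connected prefix


def longest_prefix_match(routes, dst):
    """Pick the next hop for dst from (prefix, next_hop) entries, preferring the
    most specific prefix, the same way a kernel forwarding table does."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def host_routes(static_route_to_site_a=False):
    """Routing table of 192.168.1.100: its own subnet plus a default route via the
    home router; optionally the static route viragomann suggests."""
    routes = [("192.168.1.0/24", ON_LINK), ("0.0.0.0/0", HOME_ROUTER)]
    if static_route_to_site_a:
        routes.append((SITE_A_LAN, PFSENSE_B_WAN))
    return routes


def request_and_reply(src, static_route=False, outbound_nat=False):
    """Simulate one request from src (site A) to 192.168.1.100 and the host's reply.

    outbound_nat models an outbound NAT rule on the site B pfSense WAN interface
    for source 10.0.0.0/24, which rewrites the request's source to the WAN address.
    Returns what the host saw as the source, where it sends the reply, whether
    that reply reaches pfSense (and thus the tunnel), and whether the host could
    still tell who asked."""
    seen_src = PFSENSE_B_WAN if outbound_nat else src
    next_hop = longest_prefix_match(host_routes(static_route), seen_src)
    reply_to = seen_src if next_hop == ON_LINK else next_hop
    return {
        "host_sees_src": seen_src,
        "reply_next_hop": reply_to,
        # the home router has no route to 10.0.0.0/24, so anything sent there is lost
        "reaches_pfsense": reply_to == PFSENSE_B_WAN,
        "source_preserved": seen_src == src,
    }


if __name__ == "__main__":
    cases = [
        ("no static route, no NAT", {}),
        ("static route on the host", {"static_route": True}),
        ("outbound NAT on pfSense B WAN", {"outbound_nat": True}),
    ]
    for label, kwargs in cases:
        print(f"{label}: {request_and_reply(SITE_A_HOST, **kwargs)}")
```

Running it shows the three outcomes from the thread: with neither fix the host replies to 192.168.1.1, which knows nothing about 10.0.0.0/24; with the static route it replies to the pfSense WAN address and still sees 10.0.0.100 as the requester; with outbound NAT the reply also reaches pfSense, but the host only ever sees 192.168.1.2, which is the drawback viragomann points out.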
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.