Netgate Discussion Forum

Routing problem with roadwarriors to alternative WAN interface (solved)

OpenVPN
12 Posts 2 Posters 4.2k Views
StefanSander, Feb 19, 2009, 5:39 PM (last edited Feb 26, 2009, 1:15 AM)

Hello community,

I have the following problem I can't solve by myself.

My pfSense has 2 WAN interfaces, one default gateway to our ISP and a second one directly to our customer. The WAN interface to our customer is accessed through static routes I configured on the pfSense.

From my LAN it is possible to access the internet and the customer network without any problems.

What I can't get right is that my roadwarriors are also able to access the customer network. It seems that the dynamic addresses from ovpn are somehow not aware of my static routes and the gateway leading to these networks. I tried to push the networks to my roadwarriors, but since I can't tell them which gw to use (at least I didn't find a way to do this for a specific route) it does not work.

Can anyone help me on this? Maybe I am missing something trivial? Is this kind of routing possible at all?

Thanks a lot in advance.
GruensFroeschli, Feb 20, 2009, 12:42 PM

This should work if you push the right routes to your connecting ovpn clients.
Can you post here the custom commands you added when you tried that?

The gateway for the ovpn clients is the pfSense itself.
But since the ovpn clients don't even know about the additional networks in the first place, they never send anything to the pfSense.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
StefanSander, Feb 20, 2009, 1:55 PM

First: thanks a lot for helping me.

On my pfSense I have several of my customer networks mapped as static routes (as I said, this works fine from my LAN). These networks are for example:

160.70.0.0/16

I tried to push these to my ovpn roadwarriors like this:
push "route 160.70.0.0 255.255.0.0";

Relevant "netstat -r" entry on a roadwarrior:
160.70.0.0      255.255.0.0    192.168.13.5    192.168.13.6   1

My fw allows traffic from 192.168.13.0 (the dynamic ovpn network) to my customer WAN interface.

Thanks in advance.
GruensFroeschli, Feb 20, 2009, 2:40 PM

Does your other side also know that the openVPN subnet is reachable through the pfSense?
StefanSander, Feb 20, 2009, 3:31 PM (last edited Feb 20, 2009, 4:28 PM)

Damn good point… I always expected that, but you are right, I will have to double-check this.

Thanks for the hint.
GruensFroeschli, Feb 20, 2009, 4:09 PM

Alternatively you could enable advanced outbound NAT and NAT your openVPN subnet.
Of course you lose the ability to find out "who" is accessing something, but if you cannot get it to work otherwise it would be a solution.
StefanSander, Feb 20, 2009, 4:28 PM

OK, thanks.

Just so I get it right:

AON means that I NAT my 192.168.13.x to the WAN2 IP address of my pfSense pointing to my customer? Is that correct?

Also, if I enable AON I have to do this for all internal networks and tunnels I have, correct?

Thanks again for your time.
GruensFroeschli, Feb 20, 2009, 4:31 PM

The AoN rules are a bit like the firewall rules.
You specify criteria (source, destination) and if they are matched the traffic will be NATed to the interface/VIP you configured.

So you basically would need a rule for each interface you have:

Interface: WAN
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN-address

Interface: WAN2
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN2-address

Interface: WAN3
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN3-address
StefanSander, Feb 25, 2009, 1:33 PM

OK, I have recently spoken with the customer service, and the router to our customer accepts only one IP address from our site (so everything seems to be NATed by default from pfSense if I see this right).

The OVPN network for roadwarriors and our tunnel still can't connect, so I assume that this is not done automatically by pfSense in this case (no NAT rules active).

Can someone please explain why it is like this? Shouldn't the ovpn networks be seen like a "normal" LAN so that NAT works by default and the static routes too?

Another question: can I use AON only for these two networks or do I have to disable the automatic NAT completely for this?

Many thanks again.
GruensFroeschli, Feb 25, 2009, 3:26 PM

pfSense doesn't NAT the openVPN subnet per default.
http://forum.pfsense.org/index.php/topic,7001.0.html the red part.
Because the tun interface currently doesn't show up as an "interface".
The same reason why you cannot create firewall rules for the openVPN subnet.

No, you cannot enable AoN only for one subnet.
But what you can do is create an AoN rule that doesn't care about the source/destination/etc.

i.e.:
Interface: WAN
Source: any
Destination: any
NAT-IP: WAN-address

Interface: WAN2
Source: any
Destination: any
NAT-IP: WAN2-address

Interface: WAN3
Source: any
Destination: any
NAT-IP: WAN3-address

Like this you NAT any traffic from anywhere if it leaves via one of the interfaces specified in the rule(s).
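The diagnosis in this thread (the customer router has no return route to the OpenVPN subnet, so replies are dropped until the tunnel traffic is NATed to the WAN2 address by an AoN rule) is easy to miss because the forward path looks fine. This added simulation, not code from the thread or from pfSense, walks a packet from a roadwarrior to the customer network and back with longest-prefix routing at each hop; the WAN2 address, the customer router address and the customer host are constructed values, everything else follows the thread.

```python
import ipaddress

# Constructed topology following the thread: OpenVPN tunnel subnet 192.168.13.0/24,
# pfSense reaching 160.70.0.0/16 through a static route out WAN2. The WAN2 link
# addresses and the customer host are assumed (hypothetical) values.
OVPN_CLIENT, PFSENSE_TUN = "192.168.13.6", "192.168.13.5"
WAN2_ADDR, CUSTOMER_GW = "10.0.2.1", "10.0.2.254"
CUSTOMER_HOST = "160.70.1.10"

def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop); None if no route."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

# The client holds the pushed route, pfSense the static route via WAN2, and the
# customer router only knows the single IP it accepts from our site (WAN2).
CLIENT_ROUTES = [("0.0.0.0/0", "isp"), ("160.70.0.0/16", PFSENSE_TUN)]  # push "route ..."
PFSENSE_ROUTES = [("0.0.0.0/0", "wan1-gw"), ("192.168.13.0/24", "tun0"),
                  ("160.70.0.0/16", CUSTOMER_GW)]
CUSTOMER_ROUTES = [("160.70.0.0/16", "lan"), (WAN2_ADDR + "/32", "wan2-link")]

def round_trip(nat_on_wan2):
    """Return (forward_ok, reply_ok) for client -> customer host and the reply."""
    if lookup(CLIENT_ROUTES, CUSTOMER_HOST) != PFSENSE_TUN:
        return False, False          # no pushed route: client would use its own default
    if lookup(PFSENSE_ROUTES, CUSTOMER_HOST) != CUSTOMER_GW:
        return False, False          # no static route on pfSense
    nat_state, src = {}, OVPN_CLIENT
    if nat_on_wan2:                  # AoN rule: Interface WAN2, Source any, NAT-IP WAN2-address
        nat_state[WAN2_ADDR] = src
        src = WAN2_ADDR
    # Reply path: the customer router needs a route back to the source it saw.
    if lookup(CUSTOMER_ROUTES, src) != "wan2-link":
        return True, False           # silently dropped on the customer side
    dst = nat_state.get(src, src)    # pfSense undoes the translation from its state table
    return True, lookup(PFSENSE_ROUTES, dst) == "tun0"

if __name__ == "__main__":
    print("without NAT:", round_trip(False))   # (True, False): forward works, reply has no route
    print("with AoN NAT:", round_trip(True))   # (True, True)
```

The alternative GruensFroeschli asked about first, a route for 192.168.13.0/24 on the customer side, would fix the same asymmetry without NAT; here that is modelled by adding that prefix to CUSTOMER_ROUTES.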
StefanSander, Feb 25, 2009, 8:28 PM

Thanks a lot for clarifying, I will try AON rules as suggested then.
StefanSander, Feb 26, 2009, 1:16 AM

AON works as expected, thanks again for your help.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.