Routing problem with roadwarriors to alternative WAN interface (solved)



  • Hello community,

    i have the following problem i can't solve by myself.

    My pfsense has 2 WAN Interfaces, one default gateway to our ISP and a second one directly to
    our customer. The WAN Interface to our customer is accessed through static routes i configured on
    the pfsense.

    From my LAN it is possible to access internet and the customer network without any problems.

    What i can't get right is, that my roadwarriors are also able to access the customer network.
    It seems that the dynamical adresses from ovpn are somehow not aware of my static routes
    and the gateway leading to these networks. I tried to push the networks to my roadwarriors,
    but since i can't tell them which gw to use (at least i didn't found a way to do this for a specific route)
    it does not work.

    Can anyone help me on this? Maybe i am missing something trivial? Is this kind of routing
    possible at all?

    Thanks a lot in advantage.



  • This should work if you push the right routes to your connecting ovpn clients.
    Can post here the custom commands you added when you tried that?

    The gateway for the ovpn clients is the pfSense itself.
    But since the ovpn clients dont even know about the additional networks in the first place they never send anything to the pfSense.



  • First: thanks a lot for helping me.

    On my pfsense i have several of my customer networks mapped as static routes (as i said this works fine
    from my LAN). These networks are for example:

    160.70.0.0/16

    I tried to push these to my ovpn roadwarriors like this:
    push "route 160.70.0.0 255.255.0.0";

    relevant "netstat -r" entry on a roadwarrior:
    160.70.0.0      255.255.0.0    192.168.13.5    192.168.13.6   1

    my fw allows traffic from 192.168.13.0 (the dynamic ovpn nework) to my customer WAN-Interface.

    Thanks in advantage.



  • Does your other side also know that the openVPN subnet is reachable through the pfSense?



  • damn good point… i always expected that, but you are right, a will have to doublechek this.

    Thanks for the hint.



  • Alternatively you could enable advanced outbound NAT and NAT your openVPN subnet.
    Of course you loose the ability to find out "who" is accessing something, but if you cannot get it to work otherwise it would be a solution.



  • ok thx.

    just that i get it right:

    AON means that i NAT my 192.168.13.x to the WAN2 IP-adress of my pfsense pointing to my customer?
    Is that correct?

    Also, if i enable AON i have to do this for all internal networks and tunnels i have, correct?

    Thanks again for your time.



  • The AoN rules are bit like the firewall rules.
    You specify criteria (source, destination) and if they are matched the traffic will be NATed to the interface/VIP you configured.

    So you basically would need a rule for each interface you have:

    Interface: WAN
    Source: 192.168.13.x/24
    Destination: any
    NAT-IP: WAN-address

    Interface: WAN2
    Source: 192.168.13.x/24
    Destination: any
    NAT-IP: WAN2-address

    Interface: WAN3
    Source: 192.168.13.x/24
    Destination: any
    NAT-IP: WAN3-address



  • ok, i have recently spoken with the customer service, and the router to our customer
    accepts only one IP adress from our site (so everything seems to be NATed by default
    from pfsense if i see this right).

    The OVPN network for roadwarrior and our tunnel still can't connect, so i assume
    that this is not done automatically from pfsense in this case (no NAT Rules active).

    Can someone please explain why it is like this? Shouldn't the ovpn networks be
    seen like a "normal" LAN so that NAT works by default and the static routes too?

    Another question, can i use AON only for these two networks or do i have
    do disable the automatic NAT completly for this?

    many thanks again.



  • pfSense doesnt NAT the openVPN-subnet per default.
    http://forum.pfsense.org/index.php/topic,7001.0.html the red part.
    Because the tun interface currently doesnt show up as an "interface".
    The same reason why you cannot create firewallrules for the openVPN subnet.

    No you cannot enable AoN only for one subnet.
    But what you can do is create an AoN rule that doesnt care about the source/destionation/etc.

    ie:
    Interface: WAN
    Source: any
    Destination: any
    NAT-IP: WAN-address

    Interface: WAN2
    Source: any
    Destination: any
    NAT-IP: WAN2-address

    Interface: WAN3
    Source: any
    Destination: any
    NAT-IP: WAN3-address

    Like this you NAT any traffic from anywhere if it leaves via one of the interfaces specified in the rule(s).



  • thanks a lot for clearifing, i will try AON rules as suggested then.



  • AON works as expected, thanks again for your help.


Log in to reply