Routing problem with roadwarriors to alternative WAN interface (solved)

StefanSander · Feb 26, 2009, 1:15 AM

Hello community,

i have the following problem i can't solve by myself.

My pfsense has 2 WAN Interfaces, one default gateway to our ISP and a second one directly to
our customer. The WAN Interface to our customer is accessed through static routes i configured on
the pfsense.

From my LAN it is possible to access internet and the customer network without any problems.

What i can't get right is, that my roadwarriors are also able to access the customer network.
It seems that the dynamical adresses from ovpn are somehow not aware of my static routes
and the gateway leading to these networks. I tried to push the networks to my roadwarriors,
but since i can't tell them which gw to use (at least i didn't found a way to do this for a specific route)
it does not work.

Can anyone help me on this? Maybe i am missing something trivial? Is this kind of routing
possible at all?

Thanks a lot in advantage.

GruensFroeschli · Feb 20, 2009, 12:42 PM

This should work if you push the right routes to your connecting ovpn clients.
Can post here the custom commands you added when you tried that?

The gateway for the ovpn clients is the pfSense itself.
But since the ovpn clients dont even know about the additional networks in the first place they never send anything to the pfSense.

StefanSander · Feb 20, 2009, 1:55 PM

First: thanks a lot for helping me.

On my pfsense i have several of my customer networks mapped as static routes (as i said this works fine
from my LAN). These networks are for example:

160.70.0.0/16

I tried to push these to my ovpn roadwarriors like this:
push "route 160.70.0.0 255.255.0.0";

relevant "netstat -r" entry on a roadwarrior:
160.70.0.0 255.255.0.0 192.168.13.5 192.168.13.6 1

my fw allows traffic from 192.168.13.0 (the dynamic ovpn nework) to my customer WAN-Interface.

Thanks in advantage.

GruensFroeschli · Feb 20, 2009, 2:40 PM

Does your other side also know that the openVPN subnet is reachable through the pfSense?

StefanSander · Feb 20, 2009, 4:28 PM

damn good point… i always expected that, but you are right, a will have to doublechek this.

Thanks for the hint.

GruensFroeschli · Feb 20, 2009, 4:09 PM

Alternatively you could enable advanced outbound NAT and NAT your openVPN subnet.
Of course you loose the ability to find out "who" is accessing something, but if you cannot get it to work otherwise it would be a solution.

StefanSander · Feb 20, 2009, 4:28 PM

ok thx.

just that i get it right:

AON means that i NAT my 192.168.13.x to the WAN2 IP-adress of my pfsense pointing to my customer?
Is that correct?

Also, if i enable AON i have to do this for all internal networks and tunnels i have, correct?

Thanks again for your time.

GruensFroeschli · Feb 20, 2009, 4:31 PM

The AoN rules are bit like the firewall rules.
You specify criteria (source, destination) and if they are matched the traffic will be NATed to the interface/VIP you configured.

So you basically would need a rule for each interface you have:

Interface: WAN
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN-address

Interface: WAN2
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN2-address

Interface: WAN3
Source: 192.168.13.x/24
Destination: any
NAT-IP: WAN3-address

StefanSander · Feb 25, 2009, 1:33 PM

ok, i have recently spoken with the customer service, and the router to our customer
accepts only one IP adress from our site (so everything seems to be NATed by default
from pfsense if i see this right).

The OVPN network for roadwarrior and our tunnel still can't connect, so i assume
that this is not done automatically from pfsense in this case (no NAT Rules active).

Can someone please explain why it is like this? Shouldn't the ovpn networks be
seen like a "normal" LAN so that NAT works by default and the static routes too?

Another question, can i use AON only for these two networks or do i have
do disable the automatic NAT completly for this?

many thanks again.

GruensFroeschli · Feb 25, 2009, 3:26 PM

pfSense doesnt NAT the openVPN-subnet per default.
http://forum.pfsense.org/index.php/topic,7001.0.html the red part.
Because the tun interface currently doesnt show up as an "interface".
The same reason why you cannot create firewallrules for the openVPN subnet.

No you cannot enable AoN only for one subnet.
But what you can do is create an AoN rule that doesnt care about the source/destionation/etc.

ie:
Interface: WAN
Source: any
Destination: any
NAT-IP: WAN-address

Interface: WAN2
Source: any
Destination: any
NAT-IP: WAN2-address

Interface: WAN3
Source: any
Destination: any
NAT-IP: WAN3-address

Like this you NAT any traffic from anywhere if it leaves via one of the interfaces specified in the rule(s).

StefanSander · Feb 25, 2009, 8:28 PM

thanks a lot for clearifing, i will try AON rules as suggested then.

StefanSander · Feb 26, 2009, 1:16 AM

AON works as expected, thanks again for your help.