OPENVPN INTERSITE MULTI GATEWAY



  • Hi
    I need to connect two sites using two pfSense boxes and an OpenVPN site-to-site peer key, but I have one difficulty as the LAN side is managed by another gateway.

    To sum up, I have:

    SITE A:
    1 TSE server, IP: 10.10.10.250, connected to pfSense 10.10.10.253 and using a specific gateway as WAN

    SITE B:

    one LAN 192.168.5.0/24 connected to a specific gateway (ADSL modem) 192.168.5.254 that I am not allowed to use for routing my VPN.

    Then I added another modem as a second gateway and one pfSense.

    My pfSense has the second gateway as WAN and its LAN interface connected to the LAN switch as 192.168.5.253.

    I also added a route on the machine:
    route -p add 10.10.10.0 mask 255.255.255.0 192.168.5.253

    OpenVPN is up and the machine can connect to server 10.10.10.250.

    BUT I am not able to reach the printer on the LAN side of SITE B from SERVER 10.10.10.250.

    From SERVER 10.10.10.250 I was able to ping 192.168.5.253 (pfSense of SITE B) but not the printer (192.168.5.200).

    If I try to ping from the pfSense of SITE B with source LAN, ping works, but if I try to ping from OpenVPN it's not working.

    I suspect that I have to add a route somewhere in pfSense Site B but I am a little bit lost.

    Any advice???



  • I made some progress and I think I found the issue but don't know how to resolve it.

    From my point of view, when the server in site A (10.10.10.250) sends a packet to the printer in site B (192.168.5.), the packet arrives at the printer, but when the printer wants to respond it contacts its gateway 192.168.5.254 and not the pfSense (192.168.5.253).

    I am quite sure that I have to work with Firewall/NAT/Outbound and I saw some notes on it: https://forum.netgate.com/topic/101506/solved-openvpn-routing-and-nat-rules-single-wan-dual-lan/3

    but I tried and it's not working.

    I am probably not creating the rule correctly.

    What I did:

    In pfSense Site B
    Firewall > NAT > Outbound
    Mark "Hybrid rule generation" and hit save.

    Then add this rule:

    Interface = LAN
    Protocol = any
    Source = Network 10.12.101.0/27 (the VPN tunnel between site A and B)
    Destination = any
    Translation = Interface address

    I also performed a packet capture on the LAN interface and I saw ICMP coming from 10.10.10.250 > 192.168.5.200 but I don't know if NAT is working.



  • The source network in the rule has to be the LAN of site A in your case, since it is a site-to-site.
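The asymmetric-routing trap behind that answer, modelled as an added Python example (not pfSense code and not from anyone in this thread): the outbound NAT rule's source network is matched against the packet's real source address, which is still 10.10.10.250 after crossing the tunnel, so a rule keyed on the tunnel network never matches and the printer's reply goes to the ADSL modem. Assumed for the model: the printer has only its local subnet and a default route via the modem.

```python
import ipaddress

# Constructed addresses taken from the thread (example model, not pfSense code)
SERVER_A = "10.10.10.250"             # TSE server at site A
SITE_A_LAN = "10.10.10.0/24"
VPN_TUNNEL = "10.12.101.0/27"         # OpenVPN tunnel network between A and B
PFSENSE_B_LAN = "192.168.5.253"       # pfSense LAN address at site B
SITE_B_LAN = "192.168.5.0/24"
PRINTER = "192.168.5.200"
PRINTER_DEFAULT_GW = "192.168.5.254"  # ADSL modem that may not carry VPN traffic

def outbound_nat(src, rule_source_net, translate_to):
    """One pfSense-style outbound NAT rule on the LAN interface: if the packet's
    source falls inside the rule's source network, rewrite it to the LAN address.
    Returns the source address the printer will see."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(rule_source_net):
        return translate_to
    return src

def printer_reply_next_hop(reply_dst):
    """Assumption: the printer has only its own subnet and a default route via
    the ADSL modem, so it knows nothing about 10.10.10.0/24 or the tunnel."""
    if ipaddress.ip_address(reply_dst) in ipaddress.ip_network(SITE_B_LAN):
        return reply_dst           # on-link: delivered straight to that host
    return PRINTER_DEFAULT_GW      # handed to the modem, which never reaches the tunnel

def reply_reaches_vpn(rule_source_net, src=SERVER_A):
    """True when the printer's reply lands on pfSense B (and so on the tunnel)."""
    seen_src = outbound_nat(src, rule_source_net, PFSENSE_B_LAN)
    return printer_reply_next_hop(seen_src) == PFSENSE_B_LAN

if __name__ == "__main__":
    # Rule keyed on the tunnel network never matches: packets crossing the
    # tunnel still carry the site A LAN address 10.10.10.250 as source.
    print("tunnel-network rule:", reply_reaches_vpn(VPN_TUNNEL))   # False
    # Rule keyed on the site A LAN matches and hides the server behind .253.
    print("site-A-LAN rule:   ", reply_reaches_vpn(SITE_A_LAN))    # True
    # Why a ping from pfSense B with source LAN worked without any NAT rule.
    print("ping from pfSense: ", reply_reaches_vpn(VPN_TUNNEL, src=PFSENSE_B_LAN))  # True
```

A packet capture on the LAN interface (as done above) tells the two cases apart: with the working rule the ICMP request shows source 192.168.5.253, not 10.10.10.250.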



  • Thank you very much, you saved my day ;)

    I worked on it for a few hours and the solution was in fact very simple.