Routing between LAN, OPT1, and IPSEC VPN



  • Ok, I actually think I figured this one out but I wanted to check my thinking here before I make the proposal to my boss. Here is the network setup:

    Main office                                                          Branch Office
    192.168.1.0/24 – IPSec VPN -- WAN -- IPSec VPN -- 192.168.2.0/24
                                                                              |_
                                                                                OPT1
                                                                                192.168.50.0/24

    Now, I do have many other IPSec VPNs coming from the main office to other offices but all the other offices only have a single subnet. In order to get all the offices to connect to each other the main office IPSec VPN is: Local Net: 192.168.0.0/16
    while all remote sites have
    Remote Net: 192.168.0.0/16

    This works great and all sites can now communicate with each other.

    The problem I had was that on the Branch office, the 192.168.50.0/24 subnet cannot connect to the 192.168.2.0/24 subnet. I also can't connect to it from the main office. I have firewall rules in place allowing 192.168.2.0/24 to connect to 192.168.50.0/24 but when watching the traffic with PFTop, nothing is even making it there to be blocked.

    My final theory is that because the VPN is set to send traffic bound for 192.168.0.0/16 then it is picking up all traffic bound for 192.168.50.0/24 before it gets any further and so it is sent down the VPN tunnel at which point it must get lost because on the main VPN box it has a static route pointing 192.168.50.0/24 to 192.168.2.1.

    So, in this case I was thinking the only way for me to get this working is to change the 192.168.50.0/24 to something different like a 10.0.1.0/24 and that way it would not get picked up by the VPN. I cannot test this during normal hours of course because the network is being used. Am I headed down the right path here or am I missing something else?

    Thanks for your time.



  • Ok, so now I'm thinking that assigning that network to a 10.0.1.0/24 will work for computers coming from the 192.168.2.0/24 network but not for others on the other subnets. I determined this while working on setting up ISA Server for our client VPN connections.

    If I try to set a static route in pfSense for 10.0.1.0/24 -> 192.168.2.1 I see errors in the logs saying that it can't find 192.168.2.1 because it's not on the LAN subnet which is true. It's located over the VPN tunnel. Is there a way to point a route down that tunnel that is not on the 192.168.0.0/16 range?

    The other issue is that I know my Linksys BEFVP41 routers will not send anything down the VPN tunnel unless it matches an address set in the remote network for the tunnel, which is 192.168.0.0. That's how I got them to all communicate together in the first place. So for them to be able to reach the network off of OPT1, it would seem it needs to be a subnet somewhere in 192.168.x.x. My head is going around in circles thinking about this.



  • Mate, I'm in the same boat sort of…

    I saw your post and it made me think that I may be seeing the same issues as you...

    I have one WAN connection and three local subnets and for some bizarre reason I cannot get the main LAN subnet to talk to any devices on the WLAN or DMZ subnets.

    _DMZ (192.168.1.0/24)
                              |
                              |
    WAN-------PFSENSE--LAN (192.168.1.0/24)
                              |
                              |_WLAN (192.168.122.0/24)

    The firewall can ping the devices on all three local networks. All three networks can talk to internet via the WAN interface.

    The only rules in place are
    SRC:LAN/DMZ/WLAN
    SRC_Port:any
    DEST:ANY
    Dest_port:ANY

    I've added logging to three rules and I can see the traffic being allowed but it doesn't appear to be going anywhere.

    Now I do have OpenVPN running.

    The client is given an IP dynamically from the 10.0.12.0/24 network and VPN traffic is directed to the LAN 192.168.123.0/24 network...

    I'm running 1.2.2 but now you have me thinking about the VPN configuration interfering with this inter-LAN traffic.

    I've even set up a VM on my server, given it 4 nics and tested once configured and then run a restore from the 'live' machine onto the VM and had everything stop working...

    I removed all the packages, stripped out all the port forwards, took the config back as far as I could but I didn't touch the VPN.....

    I'll give this a try and I'll let you know what I get...



  • @jhowel:

    _DMZ (192.168.1.0/24)
                               |
                               |
    WAN-------PFSENSE--LAN (192.168.1.0/24)
                               |
                               |_WLAN (192.168.122.0/24)

    Do you really mean your DMZ and LAN are on 192.168.1.0/24 subnets?

    Since your VPN is not in a similar numerical range I'm not sure it would be the exact same problem but I'm interested to hear what you find. I'm not really getting anywhere on this for now.

    I think even if I keep my OPT1 network on a 192.168.x.x/24 subnet it seems anything that hits 192.168.2.1 on the LAN side destined for anything that falls under the 192.168.0.0/16 range will immediately be sent back up the VPN and not routed internally. I'd like to know if there is something fundamentally wrong with my setup and if I need to come at this from a different angle. Getting quite frustrating.



  • @jhowel:


    I have one WAN connection and three local subnets and for some bizarre reason I cannot get the main LAN subnet to talk to any devices on the WLAN or DMZ subnets.

    _DMZ (192.168.1.0/24)
                              |
                              |
    WAN-------PFSENSE--LAN (192.168.1.0/24)
                              |
                              |_WLAN (192.168.122.0/24)

    ...

    Your DMZ and LAN are using the same subnet, so that will mess things up. You need to have different subnets for each segment.
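    The two failure modes discussed in this thread (a /24 on OPT1 that falls inside the tunnel's 192.168.0.0/16 remote network and so is captured by the IPsec policy before the routing table is consulted, and two interfaces sharing one subnet) can be checked with a small model. This is example code added here, not pfSense code; it assumes the branch Phase 2 is local 192.168.2.0/24, remote 192.168.0.0/16, and that OPT1 is 192.168.50.0/24 with a route for it.

```python
"""Model of a policy-based IPsec tunnel capturing traffic ahead of the routing
table, plus an overlap check for interface subnets. Constructed example; the
addressing follows the posts above and is an assumption, not a pfSense dump."""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed branch-office IPsec Phase 2 entries: (local net, remote net).
IPSEC_POLICIES = [
    (ip_network("192.168.2.0/24"), ip_network("192.168.0.0/16")),
]
# Constructed routing table: (destination, next hop/interface); longest prefix wins.
ROUTES = [
    (ip_network("192.168.2.0/24"), "LAN"),
    (ip_network("192.168.50.0/24"), "OPT1"),
    (ip_network("0.0.0.0/0"), "WAN"),
]
# Same table after renumbering OPT1 outside the /16, as the first post proposes.
RENUMBERED_ROUTES = [
    (ip_network("192.168.2.0/24"), "LAN"),
    (ip_network("10.0.1.0/24"), "OPT1"),
    (ip_network("0.0.0.0/0"), "WAN"),
]


def forward(src, dst, policies=IPSEC_POLICIES, routes=ROUTES):
    """Return where the firewall sends a packet src -> dst.

    A matching IPsec policy is checked first and wins over every routing-table
    entry, so a /24 inside the /16 remote network never reaches OPT1. Traffic
    between hosts on the same segment never hits the firewall and is not modelled."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in policies:
        if src in local and dst in remote:
            return f"ipsec ({local} -> {remote})"
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def overlapping_subnets(subnets):
    """Return name pairs whose interface subnets overlap, e.g. DMZ and LAN
    both on 192.168.1.0/24, which breaks routing between segments."""
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


if __name__ == "__main__":
    print(forward("192.168.2.10", "192.168.50.10"))  # captured by the tunnel
    print(forward("192.168.2.10", "10.0.1.10", routes=RENUMBERED_ROUTES))
    print(overlapping_subnets({"DMZ": "192.168.1.0/24",
                               "LAN": "192.168.1.0/24",
                               "WLAN": "192.168.122.0/24"}))
```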



  • Sorry that was a typo:

    _DMZ (192.168.1.0/24)
                              |
                              |
    WAN-------PFSENSE--LAN (192.168.123.0/24)
                              |
                              |_WLAN (192.168.122.0/24)



  • jhowel,
    Check your firewall settings. They should look something like the attached.
    With those settings I am able to ping any host on the Wifi net from the LAN. Don't forget to enable ICMP pass through on the hosts to ensure the local firewall does not block ping.

    EDIT: Attached is the GUI config of my Wifi so that I can 'talk' to LAN hosts.




