Sitetosite routing problems



  • Hey guys, I'm new here :-)

    I have some problems with my S2S connection.

    Network A: 192.168.200.0/24, non-pfSense router but also OpenVPN
    Network B: 192.168.1.0/24, pfSense router
    Tunnel network: 10.70.46.0/30

    The tunnel connection is up, but I can't ping from Network B to Network A.

    I set the FW rules to pass any,

    but when I log in to the pfSense shell and ping any host in Network A, it works on the router.

    But no client in Network B can ping clients in Network A.

    Sounds like a routing problem, but I can't find the answer to fix it :-/

    Someone got any ideas? :-)

    Best Regards



  • @jpscirocco We need more specifics. Please post both configs (server and client). On pfSense, the OpenVPN configs are located here:

    /var/etc/openvpn
    


  • Hey, thanks for your reply.

    I can give you the client.conf; I can't give you the server.conf right now because on Network A it's a managed firewall and I don't have SSH access or anything else :-/

    dev ovpnc1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-GCM
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local ***** WAN IP here ?
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote ******* 1194
    route 192.168.200.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    ncp-ciphers BF-CBC
    comp-lzo yes
    resolv-retry infinite

    In the Diag/Routes tab it has one entry for the remote network:

    192.168.200.0/24 10.70.46.5 UGS 0 1500 ovpnc1

    Everything is working fine on the pfSense in Network B; I can start FTP downloads from servers in Network A and so on. But no client in Network B can do this to Network A, except the pfSense itself.

    Sorry, I can't give you the server.conf. I really hate managed services, and maybe I will change the Network A router to pfSense in the future.



  • @jpscirocco said in Sitetosite routing problems:

    tunnel network 10.70.46.0/30

    @jpscirocco said in Sitetosite routing problems:

    192.168.200.0/24 10.70.46.5 UGS 0 1500 ovpnc1

    That gateway IP isn't part of the tunnel network. I guess there is something wrong.

    Is pfSense the default gateway in its LAN?



  • Well, there's only so much we can do without knowing what's at the headend, but right off the bat I can see that there's no config for the tunnel network on the client side.

    As a matter of fact, this looks more like a remote access config than a site-to-site config. To start with, my guess is you have the server mode set to Remote Access instead of Peer to Peer.



  • Hey, I've got the server.conf from our router manufacturer:

    server 10.70.46.0 255.255.255.0
    tls-server
    port 1194
    proto udp
    dev tun1
    ca keys/ca.crt
    cert keys/XXX.de.crt
    key keys/XXX.de.key
    dh keys/dh1024.pem
    tls-auth keys/ta.key 0
    keepalive 30 120
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    reneg-sec 0
    script-security 3
    client-connect "/XXX/bin/misc.d/vpnup"
    client-disconnect "/XXX/bin/misc.d/vpndown"
    log-append /var/log/openvpn/openvpn.server.log
    verb 3
    mute 20
    management 127.0.0.1 2323 /etc/openvpn/server-pass.txt
    client-config-dir ccd
    ccd-exclusive
    max-routes 200
    route 192.168.200.0 255.255.255.0



  • @viragomann said in Sitetosite routing problems:

    @jpscirocco said in Sitetosite routing problems:

    tunnel network 10.70.46.0/30

    @jpscirocco said in Sitetosite routing problems:

    192.168.200.0/24 10.70.46.5 UGS 0 1500 ovpnc1

    That gateway IP isn't part of the tunnel network. I guess there is something wrong.

    Is pfSense the default gateway in its LAN?

    Yes, pfSense is the default gateway in Network B.



  • @jpscirocco
    Hey,
    Network A doesn't know anything about 192.168.1.0/24.
    You have the same route on both the server and the client:
    192.168.200.0/24
    Client side:
    [screenshot: client-side routes]
    Server side:
    [screenshot: server-side routes]



  • Hey all, thanks for your help.

    I found an option in our managed firewall to add the route manually, and now it works :-)

    Thanks all for your help, I'm happy now :-D
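An added example, not code from the thread, from pfSense or from the managed firewall vendor: a small Python linter that applies the diagnosis above to the posted server.conf. In OpenVPN multi-client mode (the `server` directive), a LAN behind a client is reachable from the server side only if server.conf carries `route <client-lan>` (so the kernel sends the traffic into the tun interface) and the client's file in `client-config-dir` carries `iroute <client-lan>` (so OpenVPN knows which client owns that LAN). The posted server.conf has neither for 192.168.1.0/24 and sets `ccd-exclusive`, which is exactly the "Network A doesn't know anything about 192.168.1.0/24" symptom; the fix the managed firewall eventually applied is what `SERVER_CONF_FIXED` and `CCD_FIXED` model (the ccd file name, the client certificate's CN, is assumed). The `server 10.70.46.0 255.255.255.0` line also explains viragomann's observation: the server hands out a /24, so 10.70.46.5 is a valid tunnel gateway even though the pfSense side was described as a /30. The sample configs are constructed from the lines posted above with paths shortened; the weak-setting checks (1024-bit DH, BF-CBC, comp-lzo) are general facts about OpenVPN, not claims about the vendor's product beyond what the posted lines show.

```python
"""Lint an OpenVPN server config plus its client-config-dir (ccd) entry for a
site-to-site setup, checking the points raised in the thread above."""
import ipaddress

# Constructed sample: the relevant lines of the server.conf posted in the
# thread (paths shortened). No ccd entry exists for the pfSense client.
SERVER_CONF = """\
server 10.70.46.0 255.255.255.0
tls-server
port 1194
proto udp
dev tun1
dh keys/dh1024.pem
tls-auth keys/ta.key 0
comp-lzo
client-config-dir ccd
ccd-exclusive
route 192.168.200.0 255.255.255.0
"""
CCD_MISSING = ""  # ccd-exclusive is set, but no file for the client CN

# Hypothetical corrected versions: the server gets a kernel route for the
# client's LAN into the tunnel, and the client's ccd file gets an iroute so
# OpenVPN knows which connected client owns that LAN.
SERVER_CONF_FIXED = SERVER_CONF + "route 192.168.1.0 255.255.255.0\n"
CCD_FIXED = "iroute 192.168.1.0 255.255.255.0\n"

CLIENT_LAN = "192.168.1.0/24"    # Network B, behind the pfSense client
SERVER_LAN = "192.168.200.0/24"  # Network A, behind the managed server


def parse(conf_text):
    """Return [(directive, [args])] with comments and blank lines dropped."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            tok = line.split()
            entries.append((tok[0], tok[1:]))
    return entries


def _nets(entries, directive):
    """Networks named by a directive of the form '<dir> addr mask'."""
    return {
        ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
        for d, a in entries
        if d == directive and len(a) >= 2
    }


def tunnel_network(server_conf):
    """Tunnel subnet from the 'server' directive, or None in p2p/ifconfig mode."""
    return next(iter(_nets(parse(server_conf), "server")), None)


def gateway_in_tunnel(server_conf, gateway):
    """Is the next hop shown in Diag/Routes actually inside the tunnel subnet?"""
    tunnel = tunnel_network(server_conf)
    return tunnel is not None and ipaddress.ip_address(gateway) in tunnel


def check_site_to_site(server_conf, ccd_entry, client_lan, server_lan):
    """Return [(code, message)]; an empty list means nothing was flagged."""
    srv, ccd = parse(server_conf), parse(ccd_entry)
    client_lan = ipaddress.ip_network(client_lan)
    server_lan = ipaddress.ip_network(server_lan)
    findings = []

    tunnel = tunnel_network(server_conf)
    if tunnel is not None:
        # Multi-client mode: the LAN behind a client is reachable only if both
        # the kernel (route) and OpenVPN itself (iroute) know about it.
        if client_lan not in _nets(srv, "route"):
            findings.append(("no-route-client-lan",
                             f"server.conf lacks 'route {client_lan}' into {tunnel}"))
        if client_lan not in _nets(ccd, "iroute"):
            findings.append(("no-iroute-client-lan",
                             f"ccd entry lacks 'iroute {client_lan}'"))
    if server_lan in _nets(srv, "route"):
        findings.append(("route-own-lan",
                         f"'route {server_lan}' on the server points its own LAN at "
                         "the tunnel; that route belongs on the client side"))

    # Weak settings that are visible in the posted lines.
    for d, args in srv:
        if d == "dh" and args and "1024" in args[0]:
            findings.append(("weak-dh", f"{args[0]}: 1024-bit DH parameters are too small"))
        if d in ("cipher", "ncp-ciphers", "data-ciphers") and any("BF-CBC" in a for a in args):
            findings.append(("weak-cipher", "BF-CBC is a 64-bit block cipher (SWEET32)"))
        if d == "comp-lzo":
            findings.append(("compression", "comp-lzo: VPN compression is discouraged (VORACLE)"))
    return findings


def codes(findings):
    """Just the finding codes, for quick comparisons."""
    return {c for c, _ in findings}


if __name__ == "__main__":
    for label, conf, ccd in (("as posted", SERVER_CONF, CCD_MISSING),
                             ("with route + iroute", SERVER_CONF_FIXED, CCD_FIXED)):
        print(f"== {label}")
        for code, msg in check_site_to_site(conf, ccd, CLIENT_LAN, SERVER_LAN):
            print(f"  {code}: {msg}")
    print("10.70.46.5 inside tunnel:", gateway_in_tunnel(SERVER_CONF, "10.70.46.5"))
```

Running it against the posted lines flags the missing `route`/`iroute` pair for 192.168.1.0/24, the `route 192.168.200.0` that sits on the wrong side, the 1024-bit DH file and `comp-lzo`; against the corrected pair only the latter three remain. On pfSense the equivalent of the ccd `iroute` is the "Remote Networks" field of the peer-to-peer server, which is why the reply above suspected a Remote Access server mode.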



  • Hey, it's me again :-) I've got one question relating to this network now.

    I can set up Network B to use internet traffic from Network A, but is it maybe possible that just one client from Network A uses the internet from Network B?

    The reason is that we want to put our Exchange server in Network B, but in Network A our firewall has a mail relay with antispam.

    pfSense has no antispam mail relay for Exchange, right?

    Best regards



  • pfSense is not a mail server!

    @jpscirocco said in Sitetosite routing problems:

    but is it maybe possible that just one client from Network A uses the internet from Network B?

    If your router at site A is capable of doing this, it would work. Since it is not pfSense, this is the wrong place to ask that.

