Site to Site to Site Not working



  • I have 3 pfSense systems with the following LAN IPs:

    • Site 1: 172.16.10.1/24
      • OpenVPN Client to Site 2
        • Tunnel Network: 172.16.220.8/30
        • Remote Networks: 172.16.11.0/24,192.168.1.0/24
    • Site 2: 172.16.11.1/24
      • OpenVPN Server for Site 1
        • Tunnel Network: 172.16.220.8/30
        • Remote Networks: 172.16.10.0/24
      • OpenVPN Server for Site 3
        • Tunnel Network: 172.16.220.4/30
        • Remote Networks: 192.168.1.0/24
    • Site 3: 192.168.1.1/24
      • OpenVPN Client to Site 2
        • Tunnel Network: 172.16.220.4/30
        • Remote Networks: 172.16.11.0/24,172.16.10.0/24

    To simplify debugging, I have created a rule on each site's OpenVPN interface to permit any IP traffic from any source to any destination.

    Site 1 can ping Site 2 but not Site 3
    Site 2 can ping both Site 1 and Site 2
    Site 3 can ping Site 2 but not Site 1

    Is it not possible for pfSense / OpenVPN to route between different OpenVPN servers?



  • @omber I do it all over the place. I do not assign any interface to my openvpn instances though.

    What do the rules on the actual interfaces look like? You would have a rule for the interface and the openvpn instance.



  • You probably need to add static routes for each of the non-connected routers, otherwise pfSense is going to use the default gateway, unless you are running a routing protocol between the routers, but then you will probably need to set up a GRE interface on all the routers.



  • @mikeisfly nope, he shouldn't have to. I make this work at several locations without anything special.



  • @chpalmer

    "I do not assign any interface to my openvpn instances though."

    I don't understand this statement, can you please elaborate?

    "What do the rules on the actual interfaces look like? You would have a rule for the interface and the openvpn instance."

    My LAN interfaces have the default permit IPv4 to Any rule.

    @mikeisfly

    To add a static route in pfSense, I must first add a Gateway. However, when creating Gateways, OpenVPN is not listed as an interface through which the Gateway can be reached; only LAN and WAN interfaces are listed.



  • @omber are your openvpn instances assigned to an interface?



  • @chpalmer Yes they are tied to the WAN interface. Should I change them to use ANY, and if so should I do it to Servers, Clients or Both?



  • @omber said in Site to Site to Site Not working:

    @chpalmer Yes they are tied to the WAN interface. Should I change them to use ANY, and if so should I do it to Servers, Clients or Both?

    Huuuuuhhhhhhhh?

    On your interfaces page: Interfaces / Interface Assignments

    Do you have them assigned to interfaces?



  • Just look at the routing tables. If the route to the target site is in your local routing table, you are fine; if not ... something goes wrong. pfSense needs a route to that site, otherwise the traffic goes out to the internet. Please check this, or post the tables here.

    Just try to change the remote tunnel fields and save them again. Sometimes the routes there don't make it to the routing table, and even if they are in, rebooting helps a lot.
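
The routing-table check this post recommends, as an added example that is not from the thread or from pfSense: it parses the IPv4 section of FreeBSD `netstat -rn` (what pfSense runs) and reports, for each Remote Network from the OpenVPN config, whether the longest-prefix match is an ovpn interface or falls through to the default route out the WAN. The netstat sample, the 203.0.113.1 WAN gateway and the em0/em1/ovpnc1 interface names are constructed; the Site 1 networks come from the thread.

```python
import ipaddress
# Constructed `netstat -rn` sample for Site 1 with the thread's symptom:
# 172.16.11.0/24 rides the tunnel, 192.168.1.0/24 has no route (em0/em1 assumed).
SITE1_NETSTAT = """\
Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
172.16.10.0/24     link#1             U           em1
172.16.11.0/24     172.16.220.9       UGS      ovpnc1
172.16.220.8/30    172.16.220.9       UGS      ovpnc1
"""
# Remote Networks configured on Site 1's OpenVPN client (from the thread).
SITE1_REMOTE_NETWORKS = ["172.16.11.0/24", "192.168.1.0/24"]

def parse_netstat(text):
    """Parse FreeBSD `netstat -rn` into route dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:              # 'Destination ...' column header
            continue
        routes.append({"net": net, "gw": parts[1], "netif": parts[3]})
    return routes

def lookup(routes, net):
    """Longest-prefix match, i.e. the route the kernel would actually use."""
    matches = [r for r in routes
               if r["net"].version == net.version and net.subnet_of(r["net"])]
    return max(matches, key=lambda r: r["net"].prefixlen, default=None)

def check_remote_networks(netstat_text, remote_networks):
    """Per Remote Network: ('ok', ovpn-if) / ('default', wan-gw) / ('other', if) / ('missing', None)."""
    routes, result = parse_netstat(netstat_text), {}
    for cidr in remote_networks:
        r = lookup(routes, ipaddress.ip_network(cidr))
        if r is None:
            result[cidr] = ("missing", None)
        elif r["netif"].startswith("ovpn"):
            result[cidr] = ("ok", r["netif"])
        elif r["net"].prefixlen == 0:           # traffic leaks out the WAN
            result[cidr] = ("default", r["gw"])
        else:
            result[cidr] = ("other", r["netif"])
    return result
```

Feed it the live output of `netstat -rn` from the pfSense shell together with the Remote Networks list of each OpenVPN instance; any network reported as `default` is the one whose traffic is leaving via the WAN instead of the tunnel.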



  • @pete35 said in Site to Site to Site Not working:

    Just look at the routing tables. If the route to the target site is in your local routing table, you are fine; if not ... something goes wrong. pfSense needs a route to that site, otherwise the traffic goes out to the internet. Please check this, or post the tables here.

    Just try to change the remote tunnel fields and save them again. Sometimes the routes there don't make it to the routing table, and even if they are in, rebooting helps a lot.

    OK, this worked. Originally the route was not in the routing table.

    I changed the Remote Networks in OpenVPN Client Config at Site A to just 172.16.11.0/24 (Site B), applied changes, watched the tunnel come up and confirmed the route was present.

    Then I added 192.168.1.0/24 (Site C), applied changes and watched the route get added. Now I can reach Site C from Site A. Very odd but it works. Thank you.

