Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Don't understand the 10.0.8.2 route in Diagnostics -> Routes

    Scheduled Pinned Locked Moved OpenVPN
    9 Posts 3 Posters 877 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      guillaume14
      last edited by guillaume14

      Hello

      I have a Netgate XG-7100 appliance with:

      • a single Wan interface (pppoe fiber connection)
      • a single LAN inferface (192.168.100.0/24 network)
      • an OpenVPN "roadwarrior" server (IPv4 Tunnel Network: 10.0.8.0/24)
      • an IPSEC tunnel to a remote Netgate SG-3100 appliance (LAN network on the other side: 192.168.5.0/24, correct P2 entries so both ends can communicate with the 192.168.5.0/24, 192.168.100.0/24 and 10.0.8.0/24 networks)

      In Diagnostic -> Routes i can see the following lines:

      10.0.8.0/24 10.0.8.2 UGS 11683861 1500 ovpns1
      10.0.8.1 link#24 UHS 0 16384 lo0
      10.0.8.2 link#24 UH 2797328 1500 ovpns1

      I understand that the 10.0.8.1 (as the first usable address in the network) is assigned to the server virtual interface. But what is the meaning of the 10.0.8.2 route ?

      As the 10.0.8.2 IP was assigned to an OpenVPN client by the server i got strange behavior for that specific client:

      • he was able to acces 192.168.100.0 network shares
      • he was able to list shares on a server in the 192.168.5.0 network but was NOT able to browse the share
      • he can initiate a remote desktop connexion in the 192.168.5.0 network but then a blank screen occur just after the connection

      I had to make a reservation in the "Client Specific Overrides" tab for that OpenVPN client so he gets the 10.0.8.200 IP address. With that IP everything is working ...

      Any clue ?

      Thanks a lot in advance
      Guillaume

      G 1 Reply Last reply Reply Quote 0
      • G
        guillaume14 @guillaume14
        last edited by guillaume14

        Hello

        Nobody ?

        Thanks a lot in advance
        Guillaume

        1 Reply Last reply Reply Quote 0
        • G
          guillaume14
          last edited by

          Looks like my question must be stupid ... :)

          Regards
          Guillaume

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            It's a dummy entry to nudge traffic for networks using that OpenVPN instance to use the VPN for the traffic. The route tells the OS to send the traffic across the OpenVPN interface.

            It doesn't necessarily mean the traffic will be delivered there. OpenVPN handles that internally. It could be any address inside the tunnel network.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • G
              guillaume14
              last edited by

              Thanks a lot for your time

              What i don't understand is why the user can't access the 192.168.5.0 ressources if the OpenVPN roadwarrior DHCP gives the 10.0.8.2 address to that user. If i manually assign another IP to the user he can access the ressources ...

              1 Reply Last reply Reply Quote 0
              • PippinP
                Pippin
                last edited by

                Yeah, pfS does something different.

                Just fired up a server on Linux.

                Basic roadwarrior setup:

                log /etc/openvpn/server/111.log
                verb 4
                daemon
                dev tunudp
                dev-type tun
                proto udp
                port 11194
                local 192.168.25.82
                
                server 192.168.168.0 255.255.255.0 'nopool'
                ifconfig-pool 192.168.168.16 192.168.168.253
                topology subnet
                

                Log:

                do_ifconfig, tt->did_ifconfig_ipv6_setup=0
                /sbin/ip link set dev tunudp up mtu 1500
                /sbin/ip addr add dev tunudp 192.168.168.1/24 broadcast 192.168.168.255
                

                Route:

                0.0.0.0         192.168.25.1    0.0.0.0         UG    600    0        0 wlp2s0
                169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp2s0
                192.168.25.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0
                192.168.168.0   0.0.0.0         255.255.255.0   U     0      0        0 tunudp
                

                ifconfig:

                tunudp    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
                          inet addr:192.168.168.1  P-t-P:192.168.168.1  Mask:255.255.255.0
                          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
                          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:100 
                          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
                

                I guess the route scripts do some magic on pfS.....or something is wrong.

                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                Halton Arp

                jimpJ 1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate @Pippin
                  last edited by

                  @Pippin said in Don't understand the 10.0.8.2 route in Diagnostics -> Routes:

                  Yeah, pfS does something different.
                  Just fired up a server on Linux.

                  That's not a 1:1 test. You'd need to see his full OpenVPN config file to make a direct comparison.

                  You don't have any routes pointing into OpenVPN. At least add a route statement and see what happens.

                  Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • PippinP
                    Pippin
                    last edited by Pippin

                    That's not a 1:1 test.

                    True
                    Added a route directive.
                    Route:

                    0.0.0.0         192.168.25.1    0.0.0.0         UG    600    0        0 wlp2s0
                    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp2s0
                    192.168.25.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0
                    192.168.168.0   0.0.0.0         255.255.255.0   U     0      0        0 tunudp
                    192.168.178.0   192.168.168.2   255.255.255.0   UG    0      0        0 tunudp
                    

                    192.168.178.0/24 pointing to 192.168.168.2 .... indeed but different, also no loopback.
                    .
                    ifconfig:

                    inet addr:192.168.168.1  P-t-P:192.168.168.1  Mask:255.255.255.0
                    

                    .
                    If i'm not mistaken ifconfig on pfS will show:

                    inet addr:192.168.168.1  P-t-P:192.168.168.2  Mask:255.255.255.0
                    

                    I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                    Halton Arp

                    1 Reply Last reply Reply Quote 0
                    • PippinP
                      Pippin
                      last edited by Pippin

                      Ok, fired up a virtual box and topology subnet for pfS shows

                      inet 172.16.25.1 --> 172.16.25.2
                      

                      while on Linux

                      inet 172.16.25.1 --> 172.16.25.1
                      

                      .
                      Then I remembered something about topology in FreeBSD and found it:
                      "Repair topology subnet on FreeBSD 11"
                      https://sourceforge.net/p/openvpn/mailman/message/35478475/
                      So I guess it's related to that for why it's different.

                      But don't know it's related to OPs

                      "the user can't access the 192.168.5.0 ressources if the OpenVPN roadwarrior DHCP gives the 10.0.8.2"

                      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                      Halton Arp

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.