Site-to-site between pfsense(server) and dd-wrt
-
Hi, I have a partially working OpenVPN between two LANs.
LAN_A:
- Network 192.168.32.0/22
- Gateway_A (pfsense): 192.168.32.1 with openVpn server 192.168.129.1/24
LAN_B:
- Network 192.168.8.0/22
- Gateway_B (dd-wrt): 192.168.10.1 with openVpn client 192.168.129.2/24
I want to have communication between hosts of the two networks.
My current (bad) situation in short:
- gateway_A and gateway_B can communicate, using either VPN or LAN addresses
- LAN_A can communicate with gateway_B (and vice versa)
- LAN_B cannot communicate with Gateway_B
- LAN_A and LAN_B cannot communicate
More details of my trials:
- any host of LAN_A is able to communicate with both 192.168.129.1 and 192.168.129.2, but it is not able to communicate with hosts of 192.168.8.0/22 (including 192.168.10.1, the address of Gateway_B)
- Gateway_B is able to ping Gateway_A on 192.168.129.1, and it is also able to communicate with any hosts of LAN_A
- no host of LAN_B is able to communicate with Gateway_A (tried both 192.168.129.1 and 192.168.32.1) or other hosts of LAN_A.
---- OpenVPN CONFIG ----
On pfsense, I've configured these overrides:
- SERVER commands:
push "route 192.168.32.0 255.255.252.0 192.168.129.1"; route 192.168.8.0 255.255.255.252 192.168.129.2
- CLIENT override commands (for LAN_B)
push "route 192.168.32.0 255.255.252.0 192.168.129.1";iroute 192.168.8.0 255.255.252.0;
---- DIAGNOSTICS ----
- GATEWAY_A (pfsense)
(there is another separate working openvpn on ovpns1:192.168.128.1, for single external devices)
Internet:
Destination        Gateway            Flags  Netif  Expire
default            XXXX.fiber7.ini    UGS    igb0
ns10.init7.net     00:0d:b9:53:a2:b8  UHS    igb0
INTERNET_YY/25     link#1             U      igb0
INTERNET_YY        link#1             UHS    lo0
localhost          link#6             UH     lo0
192.168.8.0/30     192.168.129.2      UGS    ovpns2
192.168.8.0/22     192.168.129.2      UGS    ovpns2
192.168.32.0/22    link#2             U      igb1
pfSense            link#2             UHS    lo0
192.168.128.0/24   192.168.128.2      UGS    ovpns1
192.168.128.1      link#9             UHS    lo0
192.168.128.2      link#9             UH     ovpns1
192.168.129.0/24   192.168.129.2      UGS    ovpns2
192.168.129.1      link#10            UHS    lo0
192.168.129.2      link#10            UH     ovpns2
ZZZZ.init7.net     00:0d:b9:53:a2:b8  UHS    igb0
- GATEWAY_B (dd-wrt)
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
192.168.1.0     *               255.255.255.0   U     0      0        0 vlan2
192.168.8.0     *               255.255.248.0   U     0      0        0 br0
192.168.32.0    192.168.129.1   255.255.252.0   UG    0      0        0 tun1
192.168.129.0   *               255.255.255.0   U     0      0        0 tun1
Am I missing something?
I think that the problem is in gateway_B, which does not seem able to route requests from LAN_B to gateway_A properly. But the routes seem fine, and I've also added the "iroute" into the client override (from the server). Is there a way to check that the client (gateway_B) has properly received the config from the server?
Thank you for your time,
Marco -
By the way, I've noticed that by (temporarily) enabling the option OpenVPN->NAT on Gateway_B, hosts of LAN_B can reach LAN_A (but not in the opposite direction).
In both cases, on Gateway_B the output of command "route" remains the same.
-
Does anyone have a suggestion about how to solve or just diagnose it better?
Thank you,
Marco -
@marcor
Huh!
@marcor said in Site-to-site between pfsense(server) and dd-wrt:
LAN_B:
Network 192.168.8.0/22
@marcor said in Site-to-site between pfsense(server) and dd-wrt:
GATEWAY_B (dd-wrt)
$ route
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.8.0 * 255.255.248.0 U 0 0 0 br0
These don't match the LAN network mask you stated above.
@marcor said in Site-to-site between pfsense(server) and dd-wrt:
LAN_B cannot communicate with Gateway_B
Really???
@marcor said in Site-to-site between pfsense(server) and dd-wrt:
with openVpn client 192.168.129.2/24
Since it is a site-to-site (2 hosts), why set a /24 mask? Better to use a /30 network.
@marcor said in Site-to-site between pfsense(server) and dd-wrt:
---- OpenVPN CONFIG ----
On pfsense, I've configured these overrides:
SERVER commands:
push "route 192.168.32.0 255.255.252.0 192.168.129.1"; route 192.168.8.0 255.255.255.252 192.168.129.2
CLIENT override commands (for LAN_B)
push "route 192.168.32.0 255.255.252.0 192.168.129.1";iroute 192.168.8.0 255.255.252.0;
Same case, since it is an S2S, there is no need for pushing routes.
On pfSense just enter the remote LAN into the "Remote Networks" box. That's all you need, and don't use Advanced options for that!
On the client just use the route option to add the route for the remote network.
Additional question: is the DDWRT the default gateway in LAN B?
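As an added check, not from the thread and not a pfSense or dd-wrt tool: a short Python script that converts the route/iroute directives from the original post and the dd-wrt route table into CIDR and flags any prefix length that disagrees with the declared LANs. On the thread's own values it catches both the 255.255.255.252 (/30) mask in the server's "route" line and the 255.255.248.0 (/21) on br0 that the reply points out. The directive list, the route sample and all names are constructed here, not copied from a real box.

```python
import ipaddress
import re
# Constructed from the thread: declared LAN prefixes, the route/iroute directives
# from the poster's pfSense overrides, and a sample of the dd-wrt `route` output.
DECLARED_LANS = {"LAN_A": "192.168.32.0/22", "LAN_B": "192.168.8.0/22"}
SERVER_DIRECTIVES = [
    'push "route 192.168.32.0 255.255.252.0 192.168.129.1"',
    "route 192.168.8.0 255.255.255.252 192.168.129.2",
    "iroute 192.168.8.0 255.255.252.0",
]
DDWRT_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 vlan2
192.168.8.0     *               255.255.248.0   U     0      0        0 br0
192.168.32.0    192.168.129.1   255.255.252.0   UG    0      0        0 tun1
"""
DIRECTIVE_RE = re.compile(r"\b(iroute|route)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")

def parse_directives(lines):
    """Yield (label, network) for each route/iroute directive, dotted mask -> CIDR."""
    for line in lines:
        for keyword, net, mask in DIRECTIVE_RE.findall(line):
            yield keyword, ipaddress.ip_network(f"{net}/{mask}", strict=False)

def parse_linux_route(text):
    """Yield (label, network) for each numeric row of Linux `route` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():  # skip headers and 'default'
            continue
        net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
        yield f"kernel route on {fields[7]}", net

def find_mask_mismatches(declared, entries):
    """Flag entries that start at a declared LAN's network address but carry a
    different prefix length, i.e. a mistyped netmask such as /30 for /22."""
    problems = []
    lans = {name: ipaddress.ip_network(cidr) for name, cidr in declared.items()}
    for label, net in entries:
        for name, lan in lans.items():
            if net.network_address == lan.network_address and net.prefixlen != lan.prefixlen:
                problems.append(f"{label} {net} does not match {name} {lan}")
    return problems

def audit():
    entries = list(parse_directives(SERVER_DIRECTIVES)) + list(parse_linux_route(DDWRT_ROUTE_OUTPUT))
    return find_mask_mismatches(DECLARED_LANS, entries)

if __name__ == "__main__":
    print("\n".join(audit()))
```

Paste the real override lines and the real `route` output into the two constants to run it against another setup; a match on network address with a different prefix is almost always a typo rather than an intended sub-route.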