Site-to-site between pfsense(server) and dd-wrt



  • Hi, I have a partially working OpenVPN between two LANs.

    LAN_A:

    • Network 192.168.32.0/22
    • Gateway_A (pfsense): 192.168.32.1 with openVpn server 192.168.129.1/24

    LAN_B:

    • Network 192.168.8.0/22
    • Gateway_B (dd-wrt): 192.168.10.1 with openVpn client 192.168.129.2/24

    I want to have communication between hosts of the two networks.

    My current bad situation, in short:

    • gateway_A and gateway_B can communicate, using either VPN or LAN addresses
    • LAN_A can communicate with gateway_B (and vice versa)
    • LAN_B cannot communicate with Gateway_B
    • LAN_A and LAN_B cannot communicate

    More details of my trials:

    • any host of LAN_A is able to communicate with both 192.168.129.1 and 192.168.129.2, but it is not able to communicate with hosts of 192.168.8.0/22 (including 192.168.10.1, the address of Gateway_B)
    • Gateway_B is able to ping Gateway_A on 192.168.129.1, and it is also able to communicate with any host of LAN_A
    • no host of LAN_B is able to communicate with Gateway_A (tried both 192.168.129.1 and 192.168.32.1) or with other hosts of LAN_A.

    ---- OpenVPN CONFIG ----

    On pfsense, I've configured these overrides:

    • SERVER commands:
    push "route 192.168.32.0 255.255.252.0 192.168.129.1"; route 192.168.8.0 255.255.255.252 192.168.129.2
    
    • CLIENT override commands (for LAN_B)
    push "route 192.168.32.0 255.255.252.0 192.168.129.1";iroute 192.168.8.0 255.255.252.0;
    

    ---- DIAGNOSTICS ----

    • GATEWAY_A (pfsense)
      (there is another separate working openvpn on ovpns1:192.168.128.1, for single external devices)
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            XXXX.fiber7.ini UGS        igb0
    ns10.init7.net     00:0d:b9:53:a2:b8  UHS        igb0
    INTERNET_YY/25  link#1             U          igb0
    INTERNET_YY link#1             UHS         lo0
    localhost          link#6             UH          lo0
    192.168.8.0/30     192.168.129.2      UGS      ovpns2
    192.168.8.0/22     192.168.129.2      UGS      ovpns2
    192.168.32.0/22    link#2             U          igb1
    pfSense            link#2             UHS         lo0
    192.168.128.0/24   192.168.128.2      UGS      ovpns1
    192.168.128.1      link#9             UHS         lo0
    192.168.128.2      link#9             UH       ovpns1
    192.168.129.0/24   192.168.129.2      UGS      ovpns2
    192.168.129.1      link#10            UHS         lo0
    192.168.129.2      link#10            UH       ovpns2
    ZZZZ.init7.net     00:0d:b9:53:a2:b8  UHS        igb0
    
    • GATEWAY_B (dd-wrt)
    $ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.1.1     0.0.0.0         UG    0      0        0 vlan2
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    169.254.0.0     *               255.255.0.0     U     0      0        0 br0
    192.168.1.0     *               255.255.255.0   U     0      0        0 vlan2
    192.168.8.0     *               255.255.248.0   U     0      0        0 br0
    192.168.32.0    192.168.129.1   255.255.252.0   UG    0      0        0 tun1
    192.168.129.0   *               255.255.255.0   U     0      0        0 tun1
    

    Am I missing something?

    I think that the problem is in gateway_B, which seems not able to properly route requests from LAN_B to gateway_A. But routes seem fine, I've also added the "iroute" into client override (from server). Is there a way to check that the client (gateway_B) has properly received the config from server?

    Thank you for your time,
    Marco



  • By the way, I've noticed that by (temporarily) enabling the option OpenVPN->NAT on Gateway_B, hosts of LAN_B can reach LAN_A (but not in the opposite direction).

    In both cases, on Gateway_B the output of command "route" remains the same.



  • Does anyone have a suggestion about how to solve or just diagnose it better?

    Thank you,
    Marco



  • @marcor
    Huh!

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    LAN_B:
    Network 192.168.8.0/22

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    GATEWAY_B (dd-wrt)
    $ route
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.8.0 * 255.255.248.0 U 0 0 0 br0

    These don't match the LAN network mask you stated above.

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    LAN_B cannot communicate with Gateway_B

    Really???

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    with openVpn client 192.168.129.2/24

    Since it is a site-to-site (2 hosts), why set a /24 mask? Better to use a /30 network.

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    ---- OpenVPN CONFIG ----
    On pfsense, I've configured these overrides:

    SERVER commands:

    push "route 192.168.32.0 255.255.252.0 192.168.129.1"; route 192.168.8.0 255.255.255.252 192.168.129.2

    CLIENT override commands (for LAN_B)

    push "route 192.168.32.0 255.255.252.0 192.168.129.1";iroute 192.168.8.0 255.255.252.0;

    Same case: since it is an S2S, there is no need for pushing routes.
    On pfSense just enter the remote LAN into the "Remote Networks" box. That's all you need, and don't use Advanced options for that!

    On the client just use the route option to add the route for the remote network.

    Additional question: is the DDWRT the default gateway in LAN B?
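    As an added illustration of the mask mismatch pointed out in the reply (this is not code from the thread), the small script below parses the dd-wrt `route` output and the server-side route/iroute directives quoted in the opening post and compares each against the LANs the poster declared. The input strings are copied from the post; the function names are my own.

```python
import ipaddress
import re

# LANs as declared in the opening post.
DECLARED = {
    "LAN_A": ipaddress.ip_network("192.168.32.0/22"),
    "LAN_B": ipaddress.ip_network("192.168.8.0/22"),
}

# Lines copied from the dd-wrt `route` output posted above (constructed copy).
DDWRT_ROUTE = """\
default         192.168.1.1     0.0.0.0         UG    0      0        0 vlan2
192.168.8.0     *               255.255.248.0   U     0      0        0 br0
192.168.32.0    192.168.129.1   255.255.252.0   UG    0      0        0 tun1
192.168.129.0   *               255.255.255.0   U     0      0        0 tun1
"""

# Server-side directives quoted in the post (route from the server config,
# iroute from the client-specific override).
SERVER_LINES = ("route 192.168.8.0 255.255.255.252 192.168.129.2",
                "iroute 192.168.8.0 255.255.252.0;")


def parse_route_output(text):
    """Map each network in `route` output to its interface (skips 'default')."""
    routes = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0] != "default":
            # Destination + Genmask columns form the network; strict=False
            # tolerates host bits so odd masks still parse.
            net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
            routes[net] = cols[7]
    return routes


def parse_directive(line):
    """Return (kind, network) for a 'route' / 'iroute' directive line."""
    kind, addr, mask = re.match(r"(i?route) (\S+) ([\d.]+)", line).groups()
    return kind, ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def find_mismatches(declared, routes, directives):
    """Flag routes/directives that start at a declared LAN but use a different mask."""
    problems = []
    for name, lan in declared.items():
        for net, iface in routes.items():
            if net.network_address == lan.network_address and net != lan:
                problems.append(f"{name}: {iface} route {net} != declared {lan}")
        for kind, net in directives:
            if net.network_address == lan.network_address and net != lan:
                problems.append(f"{name}: server {kind} {net} != declared {lan}")
    return problems
```

    Run against the posted data it reports the br0 route as /21 and the server's `route` for LAN_B as /30, both differing from the declared /22.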

