Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Site-to-Site (Shared-Key) client not routing to server subnets (kinda solved?)

    Scheduled Pinned Locked Moved OpenVPN
    5 Posts 3 Posters 734 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      klou
      last edited by

      I was banging my head against this for quite a while, and then seemed to have solved it, but don't understand it at all. Is this a bug?

      This is a pretty standard Shared-Key Peer-to-Peer (Site-to-Site) configuration, mostly as seen from the recipe: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-psk.html

      The only difference is that the Server-side has a 172.45.0.0/16 network, and the Client side has a /24 subnet.

      After completely disabling IPsec tunnels, routing between each side (and each pfSense endpoint) works correctly without pushing any custom configurations.

      Now, I want to add an additional Server-side subnet to be routed over the OpenVPN tunnel, so the Client configuration now looks like this:

      • IPv4 Remote network(s): 172.45.0.0/16, 10.0.0.0/24

      Result: Client pfSense (all interfaces) can ping 10.0.0.1, but none of the Client-side machines can ping 10.0.0.0/24 and all of the traffic is being routed to the public internet. However, routes are correctly being created for this subnet on Client pfSense.

      If I re-order the remote subnets ...

      • IPv4 Remote network(s): 10.0.0.0/24, 172.45.0.0/16

      Result: All routing works correctly (Client pfsense interfaces, Client network devices, Client pfsense routes created).

      Can somebody explain why re-ordering this would work?

      N V 2 Replies Last reply Reply Quote 0
      • N
        netblues @klou
        last edited by

        @klou You are using the term ip-sec and openvpn on the same problem and this is confusing.

        As for the order of remote networks, is it repeatable?

        K 1 Reply Last reply Reply Quote 0
        • K
          klou @netblues
          last edited by

          @netblues Sorry for not being clear. I'm replacing my IPsec vpn with OpenVPN, so configs exist for both types, with the same endpoints.

          By "After completely disabling IPsec tunnels," I was referring to https://docs.netgate.com/pfsense/en/latest/troubleshooting/openvpn.html#ensure-no-overlapping-ipsec-connections

          And yes, I could reproduce this by re-ordering the IPv4 Remote networks and refreshing the connections.

          1 Reply Last reply Reply Quote 0
          • V
            viragomann @klou
            last edited by

            @klou
            I'm wondering, why you are routing a public network to the remote site. However, this may be done and should not cause the issue at all.

            But I'm basically avoiding spaces between the networks. Possibly you can try to remove it and see if it changes the behavior.

            K 1 Reply Last reply Reply Quote 0
            • K
              klou @viragomann
              last edited by

              @viragomann

              I always wondered if the space matters.

              It turns out I'm wrong in what "works" -- while the routes are being created for both server subnets (and traffic is passing from Server->Client and back), Client-initiated traffic will only route to the first listed subnet.

              I've removed the space, and things look promising. We'll see if this holds up. If so, I can't believe it's something so stupid.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.