Remote access and site-to-site (shared key)
-
Greetings.
This is my first post. So please be gentle.
I searched a lot but I could not find a solution to my problem, which leads here.
I have two sites, say S and T. Both of them serve remote access (independently) using port 1194 (default) just fine.
I added to S site-to-site server (port 1195) and added to T site-to-site client. I can ping (not from a host on S but) from my pfSense on S to all hosts on T and vice versa. But I cannot do the same from any host on S nor T.
From the routing table on each site, I see all routes are set up (well, to my best knowledge) properly. The ping just does not get to the tunnel network connecting S and T. I.e. if I ping from a host on S to a host on T, it does not reach pfSense on S. If I ping from pfSense to a host on T, no problem.
And here is my configuration:
Site S:
- pfSense: v2.6.0
- LAN: 192.168.0.0/16
- pfSense: 192.168.10.1
- DHCP: 192.168.10.101 - 192.168.10.199 (and there are many servers on 192.168.10.x)
- Remote access
- Tunnel network: 10.0.8.0/24
- Port: 1194
- Firewall rules:
- WAN: protocol IPv4 UDP, source = *:* dest = WAN address:1194
- LAN: protocol IPv4 *, source = LAN net:*, dest = *:*
- LAN: protocol IPv6 *, source = LAN net:*, dest = *:*
- OpenVPN: protocol IPv4 *, source *:* dest = *:* -- call this A
- Site-to-site (shared key) server
- Tunnel network: 10.0.7.0/30
- Port: 1195
- Remote network: 192.168.40.0/24
- Firewall rules:
- WAN: protocol IPv4 UDP, source = (T's WAN address):*, dest = WAN address:1195 (this rule is before A)
Site T:
- pfSense: v2.6.0
- LAN: 192.168.0.0/16
- pfSense: 192.168.40.9
- DHCP: disabled (but there are many servers on 192.168.40.x)
- Remote access
- Tunnel network: 10.0.9.0/24
- Port: 1194
- Firewall rules:
- WAN: protocol IPv4 UDP, source = *:* dest = WAN address:1194
- LAN: protocol IPv4 *, source = LAN net:*, dest = *:*
- LAN: protocol IPv6 *, source = LAN net:*, dest = *:*
- OpenVPN: protocol IPv4 *, source *:* dest = *:*
- Site-to-site (shared key) client
- Tunnel network: 10.0.7.0/30
- Port: 1195
- Remote network: 192.168.10.0/24
Any suggestions are welcomed. I am kind of a newbie to this. So a detailed explanation might be helpful. :-)
-
@egkim
The local networks of both sites are overlapping:
Site S:
LAN: 192.168.0.0/16
Site T:
LAN: 192.168.0.0/16
Furthermore they are identical.
So routing to the other site is not possible at all.
You should be concerned about the need for /16 subnets on both sites.
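An added illustration, not written by anyone in this thread, of why the symptom looks the way it does: pfSense on S gets a more specific /24 route over the tunnel, so longest-prefix match sends its own pings through the tunnel, while a LAN host only has the /16 and treats 192.168.40.x as on-link, so its packets never reach pfSense. Routing tables and the next-hop labels are constructed from the addresses given above; "ovpn tunnel" is just a label.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, next-hop label)


def lookup(routes: List[Route], dest: str) -> str:
    """Longest-prefix-match selection, as both a host and pfSense do it."""
    addr = ip_address(dest)
    matches = [(ip_network(p), via) for p, via in routes if addr in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def tunnel_conflict(lan: str, remote: str) -> Optional[str]:
    """Explain why a site-to-site 'Remote network' cannot be reached
    from hosts on this LAN, or None when the two prefixes are disjoint."""
    lan_net, remote_net = ip_network(lan), ip_network(remote)
    if remote_net.subnet_of(lan_net):
        return f"{remote} is inside local LAN {lan}: LAN hosts treat it as on-link"
    if lan_net.overlaps(remote_net):
        return f"{remote} overlaps local LAN {lan}"
    return None


# Constructed from the thread, site S: LAN 192.168.0.0/16, gateway
# 192.168.10.1, site-to-site remote network 192.168.40.0/24.
HOST_ON_S: List[Route] = [("192.168.0.0/16", "on-link"),
                          ("0.0.0.0/0", "via 192.168.10.1")]
# pfSense itself additionally holds the route OpenVPN installed.
PFSENSE_S: List[Route] = HOST_ON_S + [("192.168.40.0/24", "via ovpn tunnel 10.0.7.0/30")]
# The same host once the LAN is narrowed to a /24 that does not contain T.
HOST_ON_S_FIXED: List[Route] = [("192.168.10.0/24", "on-link"),
                                ("0.0.0.0/0", "via 192.168.10.1")]

if __name__ == "__main__":
    target = "192.168.40.20"  # constructed address of a server on T
    print("conflict:", tunnel_conflict("192.168.0.0/16", "192.168.40.0/24"))
    print("host on S sends to", lookup(HOST_ON_S, target))        # on-link
    print("pfSense on S sends", lookup(PFSENSE_S, target))        # via ovpn tunnel
    print("fixed host sends", lookup(HOST_ON_S_FIXED, target))    # via 192.168.10.1
    print("after fix:", tunnel_conflict("192.168.10.0/24", "192.168.40.0/24"))  # None
```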
-
@viragomann I was hoping to talk to you, viragomann. Thanks a lot. I solved it before reading your answer. I see you help people with patience in this forum. Again, thank you.
-
@viragomann By the way, is it possible to give access to site T to site S's remote access users?
-
I was hoping to talk to you, viragomann.
:-)
is it possible to give access to site T to site S's remote access users?
You're talking about an OpenVPN access server, I assume. Yes, this can be done.
Go into the access server settings and add the remote network to the "Local Networks". This pushes the route to the clients.
To set the route back to the clients' virtual IPs on the remote site, go into the server or client settings and add the access server's tunnel network to the "Remote Networks".
Ensure that firewall rules on all incoming interfaces are allowing the traffic.
BTW: When running an access server alongside a site-to-site, you should consider that the OpenVPN rules tab is an interface group, which includes all OpenVPN instances you're running, both servers and clients.
So either configure pass rules in a way that they only apply to the desired sources, or assign interfaces to all OpenVPN instances, which creates separate rule tabs for each, and put your rules there.
Also consider that rules on interface groups have priority over those in interface tabs. So if there is a pass-any rule (maybe from the wizard) you will have to remove it when setting rules on interfaces.
-
@viragomann To be honest, you lost me at BTW. I will try to understand your invaluable advice.
Thank you so much.