Help configuring Split Routing of subnets with OpenVPN

viragomann · Dec 14, 2022, 4:38 PM

@malicair
Did you try with the VPN connected to the server?

Without the suggested check, the rule is omitted if the gateway is down. So the blocks are expected.

Also ensure that the VPN gateway state is online.

Malicair · Dec 14, 2022, 4:41 PM

@viragomann
Within Status it shows the VPN has been authenticated:

What/how else should I check to verify?

viragomann · Dec 14, 2022, 4:42 PM

@malicair
Check Status > Gateways, please.

Malicair · Dec 14, 2022, 4:44 PM

@viragomann
Status > Gateways.. Pending

viragomann · Dec 14, 2022, 4:50 PM

@malicair
Rules with gateway are only applied if it's online naturally.

The gateway state is detected by pinging it's IP. Obviously it doesn't respond. So you have to change the monitoring IP to any other in the internet, which is responding.
But it has to be another than 8.8.8.8, since this is already in use by the WAN gw and hence pfSense has added a static route to it.

Malicair · Dec 14, 2022, 5:51 PM

@viragomann

I added a monitoring IP of 9.9.9.9 which is Quad9 to the VPN.

Are these routes correct or needed?

The Gateway status still shows as pending.

I sure wish I knew this stuff better, but simply don't need these skills hardly at all anymore. Subsequently I greatly appreciate your help and If I could buy you a drink I definitely would!

viragomann · Dec 14, 2022, 6:03 PM

@malicair said in Help configuring Split Routing of subnets with OpenVPN:

I added a monitoring IP of 9.9.9.9 which is Quad9 to the VPN.

You should better test before if the server is responding. It doesn't obviously.

ping 9.9.9.9

1.1.1.1 does for instance.

Are these routes correct or needed?

The route for the VPN should must be deleted.
The other is needed for directing the 10.10.0.0/16 to the switch.

Jarhead · Dec 14, 2022, 6:34 PM

@malicair
Just to add, you need to be more specific with these subnets and where they are.
As in the pic:

I highly doubt you LAN has two subnets so there's no way they can both be the source on the LAN interface.
You only have a WAN and 3 other interfaces yet you list 5 subnets. Where are they?

Malicair · Dec 14, 2022, 6:41 PM

@viragomann
I have reached out to the VPN provider to assist with ensuring the server is responding... not sure how long that will take.

viragomann · Dec 14, 2022, 6:50 PM

@malicair
9.9.9.9 is not responding to ping requests. So you cannot use this IP for monitoring. Use another one.

For instance 1.1.1.1.
Try to if you get a response on your PC.

ping 1.1.1.1

If it's okay use it for monitoring in the VPN gateway settings.