Netgate Discussion Forum
    triple site to site working, but 2 pfsenses can only ping the oVPN server site.

      frater (last edited by frater)

      I need 3 sites to reach each other and configured it according to this Youtube tutorial:

      https://www.youtube.com/watch?v=8f13lfnEKY8

      One site is the server and the 2 other sites connect to it.
      From the server I can connect to all devices.
      All connected devices on the 3 networks can connect to all devices.

      The only thing that's not working is the 2 client pfsenses themselves. They can't connect to the other client pfsenses (it is supposed to go through the server) if they are the ones initiating the connection.

      The clients in the problematic network can ping the other pfsense, but that other pfsense can't ping back.

      It's not even a big deal as the owner can do everything he needs to do, but it still bothers me because I don't know why this little thing is not working.

      #1 Pfsense running 2 openvpn server instances (has corresponding network as remote network)
      #2 Pfsense running 1 openvpn client to Pfsense #1 (has both other networks as remote network)
      #3 Pfsense running 1 openvpn client to Pfsense #1 (has both other networks as remote network)

      I wasn't able to ping from the Pfsense #2 to #3 nor vice versa.
      Both #2 and #3 were able to ping #1.

      But then I noticed it was only the Pfsense itself.
      Clients on Pfsense #3 could reach clients on Pfsense #2.
      Clients could also ping all pfsenses....
      Client pfsenses can't ping clients on other network.

      In fact this is the main purpose of the site-to-site-to-site VPN, so I have it working now.

      I now have a few questions:

      Is this behaviour to be expected?
      What do I need to do so #2 and #3 themselves can ping each other?
      Should I consider this a bug?
      Is this a recommended setup? I have a feeling it isn't as #2 and #3 can't reach each other anymore if #1 is failing.
      Do I solve that single point of failure by creating a server instance on either #2 or #3, and let the other client connect to it?

        viragomann @frater

        @frater said in triple site to site working, but 2 pfsenses can only ping the oVPN server site.:

        Is this behaviour to be expected?

        Considering your setup, yes, it is.

        What do I need to do so #2 and #3 themselves can ping each other?

        Either add the VPN tunnel network of 1-3 to the remote networks on 2 and the tunnel network of 1-2 to the remote networks on 3, or you can NAT the source IP on the VPN interface of both clients to their LAN IPs.

        Further info: If you initiate an access from pfSense itself it uses its outgoing interface IP as source. So in this case this is the virtual VPN IP.

        Should I consider this a bug?

        No.

        Is this a recommended setup? I have a feeling it isn't as #2 and #3 can't reach each other anymore if #1 is failing.

        Yes. However, it also could be done with a single server.

        Do I solve that single point of failure by creating a server instance on either #2 or #3, and let the other client connect to it?

        Not recommended.

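As an added illustration (not part of the thread; the addresses and site names are constructed), a small Python model of the routing viragomann describes: the client firewalls source their own pings from the tunnel IP, the far side has no route back to that tunnel network, and either of the two fixes above repairs the reply path while LAN hosts were never affected.

```python
import copy, ipaddress
# Constructed three-site topology (addresses invented for illustration): "ifaces" are each
# pfSense's LAN and tunnel interfaces, "remote" mirrors the "IPv4 Remote network(s)" field.
SITES = {
    "pf1": {"ifaces": {"lan": "192.168.1.1/24", "tun12": "10.0.8.1/24", "tun13": "10.0.9.1/24"},
            "remote": [("192.168.2.0/24", "tun12"), ("192.168.3.0/24", "tun13")]},
    "pf2": {"ifaces": {"lan": "192.168.2.1/24", "tun12": "10.0.8.2/24"},
            "remote": [("192.168.1.0/24", "tun12"), ("192.168.3.0/24", "tun12")]},
    "pf3": {"ifaces": {"lan": "192.168.3.1/24", "tun13": "10.0.9.2/24"},
            "remote": [("192.168.1.0/24", "tun13"), ("192.168.2.0/24", "tun13")]},
}
TUNNELS = {"tun12": ("pf1", "pf2"), "tun13": ("pf1", "pf3")}  # the two ends of each tunnel

def owns(sites, site, dst):
    """True if dst is one of the site's own addresses or a host on its LAN."""
    d = ipaddress.ip_address(dst)
    lan = ipaddress.ip_interface(sites[site]["ifaces"]["lan"]).network
    return d in lan or any(ipaddress.ip_interface(c).ip == d for c in sites[site]["ifaces"].values())
def lookup(sites, site, dst):
    """Outgoing interface for dst: connected nets first, then remote nets; None = default route (lost)."""
    d = ipaddress.ip_address(dst)
    connected = [(c, n) for n, c in sites[site]["ifaces"].items()]
    for cidr, name in connected + sites[site]["remote"]:
        if d in ipaddress.ip_interface(cidr).network:
            return name
    return None
def delivered(sites, site, dst):
    """Forward hop by hop across the tunnels until dst is reached or no route exists."""
    while not owns(sites, site, dst):
        iface = lookup(sites, site, dst)
        if iface is None:
            return False
        a, b = TUNNELS[iface]
        site = b if site == a else a  # hand over to the peer at the far end of the tunnel
    return True
def ping(sites, src_site, dst, src_host=None, nat_to_lan=False):
    """Request plus reply; src_host=None: the firewall itself sends from its outgoing (tunnel) IP, or its LAN IP under outbound NAT."""
    if src_host is None:
        out = "lan" if nat_to_lan else lookup(sites, src_site, dst)
        src_host = str(ipaddress.ip_interface(sites[src_site]["ifaces"][out]).ip) if out else None
    if src_host is None or not delivered(sites, src_site, dst):
        return False
    dst_site = next(s for s in sites if owns(sites, s, dst))
    return delivered(sites, dst_site, src_host)  # the reply must find its own way back
def with_tunnel_routes(sites):
    """Fix 1 from the thread: each client also lists the other tunnel network as a remote network."""
    fixed = copy.deepcopy(sites)
    fixed["pf2"]["remote"].append(("10.0.9.0/24", "tun12"))
    fixed["pf3"]["remote"].append(("10.0.8.0/24", "tun13"))
    return fixed
```

Calling `ping(SITES, "pf2", "192.168.3.1")` returns False because pf3 has no route for 10.0.8.2, while the same ping from a LAN host, with `nat_to_lan=True`, or against `with_tunnel_routes(SITES)` returns True.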
          frater @viragomann (last edited by frater)

          @viragomann

          Thanks for your reply...

          Yes. However, it also could be done with a single server.

          I'm doing it with a single server, or do you mean a single server instance?

          Can you elaborate why it isn't recommended to make one of the clients (#2) a server as well and let the other client (#3) connect to it directly?
          It would solve the dependency on Pfsense #1 which is now a server.

            frater @viragomann (last edited by frater)

            @viragomann said in triple site to site working, but 2 pfsenses can only ping the oVPN server site.:

            Either add the VPN tunnel network of 1-3 to the remote networks on 2 and the tunnel network of 1-2 to the remote networks on 3, or you can NAT the source IP on the VPN interface of both clients to their LAN IPs.

            I added the VPN tunnels on both clients as a remote network and traffic started flowing.

            THANKS

            I therefore conclude that the tutorial I followed was incomplete.
            Do you agree?

            I think the poster of the Youtube video preferred 2 server instances, so he would have separate traffic statistics for each client on the server.
            On more than 3 sites I think I would prefer 1 server if that works as well.

            If I didn't have a tutorial, I would have used 1 server, but doing it for the 1st time I thought it best to follow the tutorial.

              viragomann @frater

              @frater said in triple site to site working, but 2 pfsenses can only ping the oVPN server site.:

              I'm doing it with a single server, or do you mean a single server instance?

              Yes, I meant a single server instance. But the setup would be more complicated, you would need client-specific overrides for both clients to set iroute in OpenVPN.
              But this has nothing to do with the described issue.

              I therefore conclude that the tutorial I followed was incomplete.
              Do you agree?

              Normally you don't need a route for the tunnel network, because you can as well access the remote firewall by using its LAN address.

                frater @viragomann

                @viragomann said in triple site to site working, but 2 pfsenses can only ping the oVPN server site.:

                Normally you don't need a route for the tunnel network, because you can as well access the remote firewall by using its LAN address.

                No, I couldn't....

                The 2 pfSenses configured as clients were unable to ping anything on the other pfSense.
                They can now.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.