    Problem converting from CentOS 7 and iptables to pfSense CE 2.6.0

    Routing and Multi WAN
      Dave5416 last edited by

      I have been successfully running a site to site OpenVPN CE tunnel for several years. I used this article as my primary resource:

      https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/

      My setup is exactly like the one in the article, with the exception of the network IPs.

      The VPN server is at my location at 10.11.12.40 on a 10.11.12.0/24 network. The client is at a remote location on a 192.168.1.0/24 network.

      My current firewall/router is a CentOS 7 box with two NICs using Shorewall as an iptables front-end. The static routes to the OpenVPN server on my local LAN are working fine.

      The LAN interface name is ens2. The contents of /etc/sysconfig/network-scripts/route-ens2:

      10.9.0.0/24 via 10.11.12.40 dev ens2
      192.168.1.0/24 via 10.11.12.40 dev ens2

      I want to replace the old CentOS box with a newer box running pfSense.

      I have not been able to get routing to the VPN server working. I have verified that the VPN tunnel is working correctly.

      I tried setting up the two static routes to the VPN server without success. Should the VPN server be set up as a gateway? I tried that, but still was unable to get it to work.

      Any tips will be greatly appreciated. Thanks!

        viragomann @Dave5416 last edited by

        @dave5416
        Yes, if the OpenVPN endpoint is not the default gateway in the LAN you cannot make the routing work with static routes on the router only. Rather than this you would need a static route on each LAN device that you want to communicate with the remote site.

        But the better solution is to remove the OpenVPN server from the LAN and set up a separated transit network between the actual default gateway and the server device.
        Then you need the routes for the remote site on the router pointing to pfSense (transit subnet IP), and on pfSense you need a static route for the LAN pointing to the router.

          Dave5416 @viragomann last edited by

          @viragomann
          Thanks very much for taking the time to answer my post!

          Maybe I'm not understanding you (probably!), but with my current router setup I don't need a static route on each LAN device to communicate with any device on the remote site. It is a site-to-site VPN, so I can access any device on the remote network from any device on my local network without any special routing on the device, and vice versa. The routing is done on my router and on the OpenVPN server, and the same on the remote site. I am trying to implement the same functionality on a pfSense router.

            SteveITS @Dave5416 last edited by

            @dave5416 Netgate has some site to site examples in the "recipe" section, did you find those?

            https://docs.netgate.com/pfsense/en/latest/recipes/#openvpn

            It'll work as you describe. The pfSense has to be the gateway that PCs use.

            Steve

            Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
            When upgrading, let it finish; do not reboot early. Allow 10-15 minutes, or more depending on packages and device speed.

              viragomann @Dave5416 last edited by

              @dave5416 said in Problem converting from CentOS 7 and iptables to pfSense CE 2.6.0:

              The routing is done on my router and on the OpenVPN server, and the same on the remote site.

              So does the communication between both sites work? I'm in doubt.
              You might run into asymmetric routing with that setup.

              I am trying to implement the same functionality on a pfSense router.

              If you replace your current router with pfSense, this is not needed anymore for sure. But the OpenVPN endpoints have to be on the default gateway, as stated, or you need some workaround: a transit network, as mentioned, or masquerading, or static routes on each device.

                Dave5416 @viragomann last edited by rcoleman-netgate

                @viragomann said in Problem converting from CentOS 7 and iptables to pfSense CE 2.6.0:

                So does the communication between both sites work?

                It works very well. As I understand it, packets go to default gateway, and with static routing set up on the gateway, the packets to the remote network are routed to the VPN. It is diagrammed and described in detail here:
                https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/

                  Dave5416 @Dave5416 last edited by

                  @dave5416
                  I can't figure out how to properly post a link. Sorry.

                    rcoleman-netgate Netgate Administrator @Dave5416 last edited by

                    @dave5416 I fixed it for you. When you click the link button it shows you one for the text, one for the URL. Edit your post above and look at what it should look like.

                    --
                    Ryan
                    Repeat (after me): MESH IS THE DEVIL! MESH IS THE DEVIL!
                    Requesting firmware for your Netgate device? https://go.netgate.com
                    Switching: Mikrotik, Netgear, Extreme
                    Wireless: Aruba, Ubiquiti

                      Dave5416 last edited by

                      Solved!

                      I made the rookie mistake of using a new OpenVPN server, instead of first getting things working with the old OpenVPN server.

                      On the new OpenVPN server, I forgot to turn IP forwarding on. It is off by default. To enable IP forwarding, you need to uncomment the line net.ipv4.ip_forward in the /etc/sysctl.conf configuration file and set its value to 1. This is for Rocky 9.

                      On pfSense, I set the OpenVPN server as a gateway, and set up static routes for the two networks (192.168.1.0/24 and 10.9.0.0/24) to the new gateway.

                      It works perfectly now.

                      Thanks to all who replied!
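Added example, not from the thread, the pfSense docs or the OpenVPN article: a POSIX shell helper that applies the fix from the solved post to a sysctl.conf-style file idempotently (key commented out as in the Rocky 9 default, set to 0, or absent) and a check that a routing table in `ip route` format sends each remote prefix via the OpenVPN host, using the thread's addresses. The function names, the awk/sed approach and the sample default route are my own; the file path is a parameter so it runs against a scratch copy, never the real /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Idempotently enable IPv4 forwarding in a
# sysctl.conf-style file. Handles the three states the OpenVPN host may be in:
# key commented out (the Rocky 9 default mentioned above), set to 0, or absent.
# The path is a parameter so the function can be exercised on a scratch copy.
enable_ip_forward() {
    file="$1"
    tmp="$file.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$file"; then
        # Uncomment the key (if needed) and force its value to 1.
        sed -E 's/^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$file"
    fi
}

# Value the file would apply for net.ipv4.ip_forward (last uncommented setting
# wins, as with sysctl itself); prints nothing if the key is not set.
ip_forward_value() {
    grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1" | tail -n 1 \
        | sed -E 's/.*=[[:space:]]*//'
}

# Check a routing table in `ip route` format (on stdin) for "PREFIX via GATEWAY",
# e.g. the two remote prefixes from the thread via the OpenVPN host 10.11.12.40.
# Exact field comparison, so 10.9.0.0/24 matches neither 10.9.0.0/16 nor 10.90.0.0/24.
route_via() {
    awk -v p="$1" -v g="$2" '$1 == p && $2 == "via" && $3 == g { found = 1 }
                             END { exit !found }'
}

# Demo on a constructed scratch file so a real /etc/sysctl.conf is never touched.
demo="$(mktemp)"
printf '# net.ipv4.ip_forward = 0\n' > "$demo"             # constructed: forwarding off
enable_ip_forward "$demo"
echo "ip_forward after fix: $(ip_forward_value "$demo")"   # 1
rm -f "$demo"
# Constructed route table, as the router would show it once the static routes
# exist (the 10.11.12.1 default gateway is a placeholder, not from the thread).
printf '%s\n' '10.9.0.0/24 via 10.11.12.40 dev ens2' \
              '192.168.1.0/24 via 10.11.12.40 dev ens2' \
              'default via 10.11.12.1 dev ens2' \
    | route_via 192.168.1.0/24 10.11.12.40 && echo "remote LAN route present"
```

`sysctl -p` (or a reboot) still has to be run on the OpenVPN host after the file is changed; the helper only edits the file, and the route check only reads a table, it does not add routes.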
