TCP traffic not working over OpenVPN on same subnet as LAN
-
We have two pfSense firewalls. One is strictly for OpenVPN, the other is our default gateway for our network. On our network lives a "mgmt" subnet, along with others. The OpenVPN pfSense is only using the LAN interface, which is on the "mgmt" subnet. We then have an entirely different subnet for our OpenVPN clients.
What we are running into is that when I'm connected to the OpenVPN I can ping every device on the "mgmt" subnet out the LAN interface of the OpenVPN pfSense. I can do DNS lookups (port 53) to our DNS server. However, if I try to SSH or HTTPS to a server on the "mgmt" subnet, I cannot.
The default gateway for the "mgmt" subnet is our primary gateway firewall (PG). When I do a packet capture on the OpenVPN pfSense on the LAN interface, I can see my OpenVPN IP traffic to and from a device for ports 22 and 443. However, when I do a packet capture on the OpenVPN interface, I'm only seeing the initiated traffic from my client, not the return traffic.
We have the outbound NAT of the OpenVPN pfSense set to Manual Outbound NAT, with no rules as of now. We have tried enabling Pure NAT reflection, with 1:1 NAT and automatic outbound NAT, thinking it was a hairpinning issue.
To add a layer of complexity, our primary gateway firewall has several IPsec tunnels to other spoke site networks. If I do an SSH to a device on those networks it works just fine. If I do an SSH to a device on a different subnet in the same office, just not on the "mgmt" subnet, it works just fine. It's only when going to the "mgmt" subnet, which is the same subnet as the LAN interface of the OpenVPN pfSense. The devices on that "mgmt" subnet are using our default gateway pfSense as their default gateway for the "mgmt" subnet, and we have a route on the primary gateway pfSense to point any OpenVPN client traffic to the OpenVPN pfSense LAN CARP interface.
Simply put, why are we not able to SSH or HTTPS to devices on the same subnet as the LAN interface of our OpenVPN server, when we can ping that subnet, or SSH/HTTPS to devices on any other subnet? We believe it's related to TCP traffic because of this, but no concrete answers yet.
-
@travis-fleming said in TCP traffic not working over OpenVPN on same subnet as LAN:
We have two pfSense firewalls. One is strictly for OpenVPN, the other is our default gateway for our network. On our network lives a "mgmt" subnet, along with others. The OpenVPN pfSense is only using the LAN interface, which is on the "mgmt" subnet. We then have an entirely different subnet for our OpenVPN clients.
I guess, you've added a static route for the OpenVPN network on the default gateway?
-
@viragomann Correct, there is a route on the OpenVPN pfSense saying: if you want to get to the "mgmt" /24 subnet, go to the default gateway pfSense firewall. And then on the default gateway pfSense we have a route that states: OpenVPN /25 subnet, go to the LAN CARP IP address of the OpenVPN pfSense.
What we found as a temporary solution was to do a NAT, only for the OpenVPN traffic to the "mgmt" subnet, to the LAN CARP interface address of the OpenVPN pfSense. That has solved it, but we would still like to get this working without that NAT so we can have the OpenVPN client IP show in the logs of devices on the "mgmt" subnet.
-
@travis-fleming said in TCP traffic not working over OpenVPN on same subnet as LAN:
@viragomann Correct, there is a route on the OpenVPN pfSense saying: if you want to get to the "mgmt" /24 subnet, go to the default gateway pfSense firewall. And then on the default gateway pfSense we have a route that states: OpenVPN /25 subnet, go to the LAN CARP IP address of the OpenVPN pfSense.
The route won't work this way.
The static route on the OpenVPN pfSense might be ignored, since the LAN interface is directly connected to the mgmt network. So you cannot route it to any other IP.
Then you might end up in an asymmetric routing issue. No problem for ICMP traffic, but TCP doesn't work. For proper routing you would need to add a static route to each device in the mgmt network you want to access from the VPN.
Maybe this is practicable for you if there are only two devices. But the recommended solution is to take the OpenVPN out of the mgmt network and put it in a separate transit network.
You could do this without any changes to the hardware or cables by setting up a VLAN on both routers on the LAN / mgmt interface.
Then on the default gateway change the static route for the OpenVPN network accordingly. On the OpenVPN pfSense move the LAN interface to the VLAN port and remove the static route for the mgmt network, assuming the other pfSense is the default gateway anyway.
-
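The following is an added example, not code from the thread or from pfSense, that models the diagnosis above: a tiny hop-by-hop simulator with a pf-like stateful filter on both firewalls. It shows why the forward SYN bypasses the primary gateway (the connected /24 on the OpenVPN box beats the static route), why the SYN-ACK coming back through PG is then dropped (pf's default `flags S/SA` on pass rules only creates TCP state from a bare SYN, while an out-of-state ICMP echo-reply still matches the pass rule and gets through, which is exactly the "ping works, SSH/HTTPS don't" symptom), and why a dedicated transit /30 between the two firewalls makes both directions traverse the same state tables. All addresses (10.8.0.0/25 for the tunnel, 192.168.10.0/24 for mgmt, 192.168.250.0/30 for the transit VLAN) are constructed for the example, and the filter is deliberately simplified (no ports, no rule ordering, no NAT).

```python
import ipaddress
from dataclasses import dataclass, field

# All addresses below are constructed for the example; they are not the
# poster's real networks.
VPN_CLIENT = "10.8.0.10"       # OpenVPN client on the tunnel /25
MGMT_SERVER = "192.168.10.50"  # host on the mgmt /24, default gateway = PG


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass
class Node:
    name: str
    addrs: dict                 # own IP -> connected network
    routes: list                # (destination network, gateway IP) static routes
    firewall: bool = False      # pf-style stateful filter on forwarded traffic
    states: set = field(default_factory=set)

    def next_hop(self, dst):
        """Connected networks win over any static route covering them, which is
        why a static route for the mgmt /24 on the OpenVPN box is ignored."""
        d = ipaddress.ip_address(dst)
        if any(d in ipaddress.ip_network(n) for n in self.addrs.values()):
            return dst
        best = None
        for net, gw in self.routes:
            n = ipaddress.ip_network(net)
            if d in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, gw)
        return best[1] if best else None

    def permit(self, pkt):
        """Simplified pf 'pass ... flags S/SA keep state': an existing state
        passes either direction; a new TCP state is only created by a bare
        SYN, while ICMP creates state on any packet matching the pass rule."""
        key = (pkt.proto, frozenset((pkt.src, pkt.dst)))
        if key in self.states:
            return True
        if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
            return False   # out-of-state SYN-ACK: dropped
        self.states.add(key)
        return True


def send(pkt, owner):
    """Forward pkt hop by hop. Returns the node names it traversed, or None if
    a firewall dropped it or no route existed."""
    path, node = [], owner[pkt.src]
    while True:
        path.append(node.name)
        if pkt.dst in node.addrs:
            return path
        if node.firewall and not node.permit(pkt):
            return None
        nh = node.next_hop(pkt.dst)
        if nh is None:
            return None
        node = owner[nh]


def build(transit):
    """transit=False: OpenVPN pfSense LAN sits on the mgmt /24, as in the thread.
    transit=True: OpenVPN pfSense and PG share a dedicated transit /30 (VLAN)."""
    client = Node("client", {VPN_CLIENT: "10.8.0.0/25"}, [("0.0.0.0/0", "10.8.0.1")])
    server = Node("server", {MGMT_SERVER: "192.168.10.0/24"}, [("0.0.0.0/0", "192.168.10.1")])
    if not transit:
        ovpn = Node("ovpn_fw", {"10.8.0.1": "10.8.0.0/25", "192.168.10.2": "192.168.10.0/24"},
                    [("192.168.10.0/24", "192.168.10.1")], firewall=True)  # this route is ignored
        pg = Node("pg", {"192.168.10.1": "192.168.10.0/24"},
                  [("10.8.0.0/25", "192.168.10.2")], firewall=True)
    else:
        ovpn = Node("ovpn_fw", {"10.8.0.1": "10.8.0.0/25", "192.168.250.2": "192.168.250.0/30"},
                    [("0.0.0.0/0", "192.168.250.1")], firewall=True)
        pg = Node("pg", {"192.168.10.1": "192.168.10.0/24", "192.168.250.1": "192.168.250.0/30"},
                  [("10.8.0.0/25", "192.168.250.2")], firewall=True)
    nodes = (client, ovpn, pg, server)
    return {ip: n for n in nodes for ip in n.addrs}   # IP -> owning node


def tcp_connects(owner, client, server):
    """Client SYN, server SYN-ACK: True only if the reply reaches the client."""
    if send(Packet("tcp", client, server, frozenset({"SYN"})), owner) is None:
        return False
    return send(Packet("tcp", server, client, frozenset({"SYN", "ACK"})), owner) is not None


def ping_works(owner, client, server):
    """Echo request out, echo reply back through whatever path routing picks."""
    if send(Packet("icmp", client, server), owner) is None:
        return False
    return send(Packet("icmp", server, client), owner) is not None


if __name__ == "__main__":
    for transit in (False, True):
        owner = build(transit)
        print("transit VLAN" if transit else "LAN on mgmt /24",
              "| ping:", ping_works(owner, VPN_CLIENT, MGMT_SERVER),
              "| tcp:", tcp_connects(owner, VPN_CLIENT, MGMT_SERVER))
```

Running it prints ping True / tcp False for the as-built topology and True / True once the transit network is in place. The model also explains why the poster's outbound NAT to the CARP address worked as a stop-gap: rewriting the source to an address on the mgmt /24 makes the server reply directly to the OpenVPN pfSense, so both directions hit the same state table, at the cost of losing the client IP in the server logs. Adding static routes on every mgmt host achieves the same symmetry without NAT, which is the "route per device" option mentioned above; the transit VLAN is the fix that scales.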
@viragomann Thank you, that is the response we were looking for. We will put the OpenVPN segment on a new VLAN; it's a /24 subnet with lots of devices, so it's impractical to do a static route for them all. What you are saying makes complete sense. Thank you!