Netgate Discussion Forum

Routing and one particular subnet.

  • pkwong
    last edited by Sep 17, 2009, 12:59 PM

    I have a network topology as shown in the enclosed diagram.  The ISP at 192.168.75.1 blocks certain ports preventing my outlook from connecting to the exchange server at 200.200.200.200 [obviously a fictitious address], but outlook can connect through the ISP at 192.168.1.1.  I test this by bringing my laptop to both locations and it works at one, but not the other.

    Since I have a site to site VPN between the two subnets (192.168.75.0/24 and 192.168.1.0/24), I was wondering if it would be possible to have all traffic going to 200.200.200.0/24 routed through the OpenVPN tunnel and out the internet link @ 192.168.1.1?

    They're obviously both pfsense boxes.  Any help on how to do this would be great.

    Thanks.

    ![WAN Network Topology.jpg](/public/imported_attachments/1/WAN Network Topology.jpg)

    When all else fails, don't blame the machine.  Blame your architecture.

    • Gob
      last edited by Sep 17, 2009, 5:15 PM

      you could try putting a static route on 192.168.75.1 with these settings:

      If I fix one more thing than I break in a day, it's a good day!

      • Gob
        last edited by Sep 17, 2009, 5:17 PM

        whoops…

        LAN
        200.200.200.200/32
        192.168.1.1

        If I fix one more thing than I break in a day, it's a good day!

        • pkwong
          last edited by Sep 17, 2009, 6:05 PM

          Didn't work.

          A traceroute shows it dies after the first hop of the openvpn tunnel.

          When all else fails, don't blame the machine.  Blame your architecture.

          • Gob
            last edited by Sep 17, 2009, 6:34 PM

            Hmm…
            I've done this in the past but with IPSEC tunnels rather than OpenVPN tunnels. Oh - yeah, that was also on IPcops and not pfSense  ::)
            It really depends where the tunnel entry points are in relation to the static routing of the pfSense. Probably needs somebody with more knowledge of the pfSense routing than I have.

            Can you ping 192.168.1.1 from the console of the pfSense on 192.168.75.1, or can you only ping it from a machine on the 192.168.75.xxx network?

            If I fix one more thing than I break in a day, it's a good day!

            • pkwong
              last edited by Sep 17, 2009, 7:05 PM

              I can ping from the LAN interface on 192.168.75.1 just fine.  The WAN doesn't work (obviously) ;)

              When all else fails, don't blame the machine.  Blame your architecture.

              • Gob
                last edited by Sep 17, 2009, 7:57 PM

                the destination network on the static route should be a /24 not /32 as I suggested if you want the whole 200.200.200.0/24 network to route over the VPN.

                Maybe you need a rule on 192.168.1.1 to allow traffic from 192.168.75.0/24
                Using IPSEC there would be a specific IPSEC tab on the Firewall Rules page but I guess there isn't for OpenVPN?

                Anyone else offer a suggestion?

                If I fix one more thing than I break in a day, it's a good day!

                • GruensFroeschli
                  last edited by Sep 17, 2009, 8:44 PM

                  This might be a bit hacky.
                  I assume you can already communicate between both sides.

                  You need on the side on which it works an advanced outbound NAT rule.
                  Create one at the top with source the other subnet and interface WAN.
                  With this you allow traffic from your side to be NATed to the internet on the other side.

                  Now create under the load balancer a dummy pool.
                  Save this, download the config.xml and edit this dummy pool to reflect the tunnel IP of the other side.
                  Restore the config.
                  On your side create on the firewall LAN tab a new rule with as destination the IP(s) you want redirected and as gateway your new load balancer pool.

                  (sorry, writing on iPhone… If you don't understand the part with the pool editing and config.xml, search the forum for this. I explain it better elsewhere)

                  We do what we must, because we can.

                  Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

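The config.xml step of the procedure above, as an added example that is not from the thread or from pfSense itself: a small script that rewrites the dummy load-balancer pool's gateway to the remote tunnel IP and validates the address before touching the file. The `<load_balancer>/<lbpool>/<servers>` layout, the `WAN|<ip>` value format, the pool name `vpn-pool` and the tunnel IP `10.0.8.1` are all assumptions or placeholders, not values from the thread.

```python
# Added example (not from the forum thread or the pfSense project): point the
# dummy pool in a pfSense config.xml at the remote side's OpenVPN tunnel IP.
# ASSUMPTION: the <load_balancer>/<lbpool>/<servers> layout and the
# "WAN|<ip>" value format are modelled on the 2009-era config.xml, not verified.
import xml.etree.ElementTree as ET

# Constructed sample config: the dummy pool still points at the local WAN gateway.
SAMPLE_CONFIG = """<pfsense>
  <load_balancer>
    <lbpool>
      <type>gateway</type>
      <name>vpn-pool</name>
      <desc>dummy pool for policy routing over OpenVPN</desc>
      <servers>WAN|192.168.75.1</servers>
    </lbpool>
  </load_balancer>
</pfsense>
"""


def _is_ipv4(addr: str) -> bool:
    """Plain dotted-quad check so a typo never yields a pool with no usable gateway."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def retarget_pool(config_xml: str, pool_name: str, tunnel_ip: str, iface: str = "WAN") -> str:
    """Return config_xml with the named pool's gateway entry set to tunnel_ip."""
    if not _is_ipv4(tunnel_ip):
        raise ValueError(f"not an IPv4 address: {tunnel_ip!r}")
    root = ET.fromstring(config_xml)
    for pool in root.iter("lbpool"):
        if pool.findtext("name") == pool_name:
            servers = pool.find("servers")
            if servers is None:  # pool saved without a gateway entry
                servers = ET.SubElement(pool, "servers")
            servers.text = f"{iface}|{tunnel_ip}"
            return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no lbpool named {pool_name!r}")


def pool_gateway(config_xml: str, pool_name: str) -> str:
    """Read back the gateway IP of the named pool, to verify the edit before restoring."""
    root = ET.fromstring(config_xml)
    for pool in root.iter("lbpool"):
        if pool.findtext("name") == pool_name:
            return pool.findtext("servers").split("|")[1]
    raise ValueError(f"no lbpool named {pool_name!r}")


if __name__ == "__main__":
    edited = retarget_pool(SAMPLE_CONFIG, "vpn-pool", "10.0.8.1")  # placeholder tunnel IP
    print(pool_gateway(edited, "vpn-pool"))
```

Run the read-back check against the restored config before creating the LAN rule, so the policy route never points at a pool whose gateway is still the local WAN.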
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.