Routing and one particular subnet.



  • I have a network topology as shown in the enclosed diagram.  The ISP at 192.168.75.1 blocks certain ports preventing my outlook from connecting to the exchange server at 200.200.200.200 [obviously a fictitious address], but outlook can connect through the ISP at 192.168.1.1.  I test this by bringing my laptop to both locations and it works at one, but not the other.

    Since I have a site to site VPN between the two subnets (192.168.75.0/24 and 192.168.1.0/24), I was wondering if it would be possible to have all traffic going to 200.200.200.0/24 routed through the OpenVPN tunnel and out the internet link @ 192.168.1.1?

    They're obviously both pfsense boxes.  Any help on how to do this would be great.

    Thanks.

    ![WAN Network Topology.jpg](/public/imported_attachments/1/WAN Network Topology.jpg)
    ![WAN Network Topology.jpg_thumb](/public/imported_attachments/1/WAN Network Topology.jpg_thumb)



  • you could try putting a static route on 192.168.75.1 with these settings:



  • whoops…

    LAN
    200.200.200.200/32
    192.168.1.1



  • Didn't work.

    A traceroute shows it dies after the first hop of the openvpn tunnel.



  • Hmm…
    I've done this in the past but with IPSEC tunnels rather than OpenVPN tunnels. Oh - yeah, that was also on IPcops and not pfSense  ::)
    It really depends where the tunnel entry points are in relation to the static routing of the pfSense. Probably needs somebody with more knowledge of the pfSense routing than I have.

    Can you ping 192.168.1.1 from the console of the pfSense on 192.168.75.1, or can you only ping it from a machine on the 192.168.75.xxx network?



  • I can ping from the LAN interface on 192.168.75.1 just fine.  The WAN doesn't work (obviously) ;)



  • the destination network on the static route should be a /24 not /32 as I suggested if you want the whole 200.200.200.0/24 network to route over the VPN.

    Maybe you need a rule on 192.168.1.1 to allow traffic from 192.168.75.0/24
    Using IPSEC there would be a specific IPSEC tab on the Firewall Rules page but I guess there isn't for Open VPN?

    Anyone else offer a suggestion?



  • This might be a bit hacky.
    I assume you can already communicate between both sides.

    You need on the side on which it works an advanced outbound NAT rule.
    Create one at the top with source the other subnet and interface WAN.
    With this you allow traffic from your side to be NATed to the internet on the other side.

    Now create under the loadbalancer a dummy-pool.
    Save this, downloadnthe config.xml and edit this dummy pool to reflect the tunnelIP of the other side.
    Restore the config.
    On your side create on the firewall lan tab a new rule with as destination the ip(s) you want redirected and as gateway your new loadbalancerpool.

    (sorry writing on iPhone… If you dont understand the part with the poolediting and config.xml search the forum for this. I explainit better elsewhere)


Log in to reply