    Routing thru openVPN tunnel

      PV:

      I've established a site-2-site openVPN tunnel between 2 pfSense boxes. Everything seems to work fine with 1 exception; I can't reach site A Opt segment from site B Opt segment. The reverse route (I can ping 192.168.0.xxx from 192.168.40.0 network) and routing between the LAN segments work fine. Below is a sketch of my tunnel settings. Any insights would be appreciated!

      Site A (1.2.3-RC1)                                    Site B (1.2.2)
      (server, PSK) tun:10.10.192.1 <-----------------> tun:10.10.192.2 (client)
      LAN:  192.168.5.0/24                                  LAN:  192.168.4.0/24
      Opt1: 192.168.40.0/24                                 Opt1: 192.168.0.0/24
      Custom option: route 192.168.0.0/24                   Custom option: route 192.168.40.0/24

      Firewall rules are set to allow traffic leaving Site B Opt1 interface destined for Site A Opt1 interface, and accept traffic coming from Site A Opt1, and vice versa.

      GruensFroeschli:

        Could you show a screenshot of your firewall rules on site B?

        The way you describe your rules leads me to believe that you misconfigured them (there is no such thing as "allow traffic out the OPT").

        What can you access from the 0.0 subnet?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          PV:

          I attached the screenshot of the firewall rules on site B. From the 0.0 subnet I can ping other hosts within this segment; this is a restricted subnet in which no traffic is allowed to go in/out, except traffic on port 6515 from Site B LAN (as indicated in the rules).


            GruensFroeschli:

            The only rule in your screenshot that actually does something is the first.
            All others do nothing.

            Rules are applied on inbound traffic.
            Since you will never have traffic from the OPT1 not TO the OPT1 net on the pfSense, this is useless.
            You also will never have incoming traffic from the 40.0/24 subnet here (only outgoing).
            The same for the last rule. Also: "LAN address" means exactly that: the IP of the pfSense on its LAN interface.

            Why you cannot ping: you don't have a rule allowing pings, only TCP. Pings are ICMP.

            Suggestion: Delete all rules except the first and change there the protocol to any.

            What exactly did you try to achieve with the last rule?
            Traffic to port 6515 is outbound allowed?
            Or inbound?
            Then such a rule would have to go to the interface on which such traffic comes in.


              PV:
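The two points in the reply above (pfSense evaluates a rule tab only against traffic that enters pfSense on that interface, first match wins, and a TCP-only rule never matches an ICMP echo) are easy to check with a small model. The following is an added example written for this page; it is not pfSense's own code, and the Site B OPT1 ruleset it encodes is a reconstruction from the replies (the screenshot itself is not on the page), so rule order, the "LAN address" value 192.168.4.1 and all sample packets are assumptions.

```python
"""Toy model of pfSense per-interface, first-match rule evaluation.

Added example, not from the thread or from pfSense. The Site B OPT1 tab
below is reconstructed from the replies; order and addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface on which the packet ENTERS pfSense
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str                  # tab the rule lives on: "opt1", "lan", "openvpn"
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "icmp"
    src: str                    # CIDR; "LAN address" is just a /32
    dst: str
    dport: Optional[int] = None
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False        # a tab only sees traffic entering on its own interface
        if self.proto != "any" and self.proto != pkt.proto:
            return False        # a TCP-only rule never matches an ICMP echo
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(rules, pkt):
    """First matching rule wins; no match falls to the implicit default deny.

    Only the first packet of a connection is evaluated here: pf keeps state,
    so replies to a passed connection need no rule on the return interface.
    """
    for n, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, n, rule.note
    return "block", 0, "implicit default deny"


def unreachable_rules(rules, iface_net):
    """Rules on a tab whose source is outside that interface's subnet.

    Such traffic enters pfSense on another interface (LAN, OpenVPN), so the
    rule is never consulted; it belongs on the tab where the traffic enters.
    """
    net = ipaddress.ip_network(iface_net)
    return [n for n, r in enumerate(rules, start=1)
            if not ipaddress.ip_network(r.src).subnet_of(net)]


OPT1_NET, SITE_A_OPT1 = "192.168.0.0/24", "192.168.40.0/24"
LAN_NET, LAN_ADDR = "192.168.4.0/24", "192.168.4.1/32"     # LAN_ADDR assumed

# Assumed reconstruction of the original Site B OPT1 tab.
SITE_B_OPT1_ORIGINAL = [
    Rule("opt1", "pass", "tcp", OPT1_NET, SITE_A_OPT1, note="1: OPT1 net -> Site A OPT1, TCP only"),
    Rule("opt1", "pass", "any", OPT1_NET, OPT1_NET, note="2: OPT1 net -> OPT1 net"),
    Rule("opt1", "pass", "any", SITE_A_OPT1, OPT1_NET, note="3: Site A OPT1 -> OPT1 net"),
    Rule("opt1", "pass", "tcp", LAN_NET, LAN_ADDR, dport=6515, note="4: LAN net -> LAN address:6515"),
]

# The suggested fix: keep only rule 1 and open its protocol to any.
SITE_B_OPT1_FIXED = [
    Rule("opt1", "pass", "any", OPT1_NET, SITE_A_OPT1, note="1: OPT1 net -> Site A OPT1, any proto"),
]

# Constructed sample packets (not captures from the thread).
PING_TO_SITE_A = Packet("opt1", "icmp", "192.168.0.10", "192.168.40.5")
SSH_TO_SITE_A = Packet("opt1", "tcp", "192.168.0.10", "192.168.40.5", dport=22)
LAN_TO_6515 = Packet("lan", "tcp", "192.168.4.20", "192.168.4.1", dport=6515)


if __name__ == "__main__":
    for name, pkt in [("ping", PING_TO_SITE_A), ("ssh", SSH_TO_SITE_A), ("6515", LAN_TO_6515)]:
        print(name, "original:", evaluate(SITE_B_OPT1_ORIGINAL, pkt),
              "fixed:", evaluate(SITE_B_OPT1_FIXED, pkt))
    print("rules on OPT1 that can never match:", unreachable_rules(SITE_B_OPT1_ORIGINAL, OPT1_NET))
```

Rule 2 is not flagged by `unreachable_rules`, because host-to-host traffic inside 192.168.0.0/24 never transits pfSense at all; the only packets it could ever see are those aimed at pfSense's own OPT1 address. The port 6515 rule only takes effect once it is moved to the LAN tab, the interface on which that traffic actually arrives.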

              Got it all sorted out. Thank you!
