Routing thru openVPN tunnel

  • I've established a site-2-site openVPN tunnel between 2 pfSense boxes. Everything seems to work fine with 1 exception; I can't reach site A Opt segment from site B Opt segment. The reverse route (I can ping from network) and routing between the LAN segments work fine. Below is a sketch of my tunnel settings. Any insights would be appreciated!

    Site A (1.2.3-RC1)                                              Site B (1.2.2)
    (server, PSK)-tun: <–-------------------> tun:
    LAN:                                            LAN:
    Opt1:                                          Opt1:
    Custom option: route                    Custom option: route

    Firewall rules are set to allow traffic leaving Site B Opt1 interface destined for Site A Opt1 interface, and accept traffic coming from Site A Opt1, and vice versa.

  • Could you show a screenshot of your firewall rules On site B ?

    The way you describe your rules leads me to believe that you missconfigured them ( there is no such thing as "allow traffic out the OPT")

    what can you access
    from the 0.0 subnet?

  • I attached the screenshot of fw rule on site B. From 0.0 subnet I can ping other hosts within this segment; this is a restricted subnet in which no traffic is allowed to go in/out, except traffic on port 6515 from Site B LAN (as indicated in the rules.)

  • The only rule in your screenshot that actually does something is the first.
    All others do nothing.

    Rules are applies on inbound traffic.
    Since you will never have traffic from the OPT1 not TO the OPT1 net on the pfSense this is useless.
    You also will never have incomming traffic from the 40.0/24 subnet here. (only outgoing).
    The same for the last rule. Also: "LAN address" means exactly that. The IP of the pfSense on it's LAN interface.

    Why you cannot ping: You dont have a rule allowing pings, only TCP. Pings Are ICMP.

    Suggestion: Delete all rules except the first and change there the protocol to any.

    What exaclty did you try to achieve with the last rule?
    Traffic to port 6515 is outbound allowed?
    Or inbound?
    Then such a rule would have to go to the interface on which such traffic comes in.

  • got all sorted out. Thank you!

Log in to reply