    Can't connect to client network?

OpenVPN
20 Posts 2 Posters 8.8k Views
• cyruspy

Hi, I'm testing a 3-site connection. In my setup, S1 is client for S2 and S2 is client for S3. The thing is I can ping from LAN1 to LAN2, from LAN2 to LAN3, from LAN3 to LAN2 but not from LAN2 to LAN1. There are no messages in the firewall logs and fw2 has a route defined for LAN1, any ideas?

• GruensFroeschli

Coming from this thread:
http://forum.pfsense.org/index.php/topic,23780.0/topicseen.html

Can you post some more information?
I assume you're using a PSK setup.
Did you add all the needed routes in the custom options field? Or where did you configure them?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

• cyruspy

Hi! According to the recommendation from the book for site-to-site setups, I'm using shared keys. This is what I've done so far:

          Site1
                  LAN: 192.168.1.1
                  WAN [link]: 10.10.1.1
          Site2
                  LAN: 192.168.2.1
                  OPT1 [link]: 10.10.1.2
                  WAN [link]: 10.20.1.2
          Site3
                  LAN: 192.168.3.1
                  OPT1 [link]: 10.20.1.3
                  WAN
          
          [code]#
          # S1
          #
- Setup WAN
                  Type: Static
                  IP address: 10.10.1.1
                  Gateway:
                  Uncheck: Block Private Networks
                  Uncheck: Block Bogon Networks
          - Setup LAN
          - Setup VPN
                  VPN --> OpenVPN --> Client --> add
                          * Server address: 10.10.1.2
                          * Interface IP: 172.31.54.0/30
                          * Remote network: 192.168.2.0/24
                          * Shared key: (paste)
                          * Description: Link to site 2
                          save --> Apply changes
          - Disable NAT
                  Firewall --> NAT --> Outbound
                          Manual outbound --> save --> Apply changes
                          # Delete the rule listed --> Apply changes[/code]
          
          [code]#
          # S2
          #
          - Setup WAN
                  Type: Static
                  IP address: 10.20.1.2/24
                  Gateway: 10.20.1.254 ?
                  Uncheck: Block Private Networks
                  Uncheck: Block Bogon Networks
          - Setup LAN
          - Add OPT1, setup, enable
                  Type: Static
                  IP address: 10.10.1.2/24
                  Gateway:
                  Check: Disable userland ftp helper
          - Setup VPN to Site 1
                  VPN --> openVPN --> add
                          * Address Pool: 172.31.54.0/30
                          * Remote network: 192.168.1.0/24
                          * Shared key:  (paste)
                          * Description: Link to site 1
                          save --> Apply changes
          - Setup VPN to Site 3
                  VPN --> OpenVPN --> Client -->  add tunnel
                          * Server Address: 10.20.1.3
                          * Interface IP: 172.31.55.0/30
                          * Remote network: 192.168.3.0/24
                          * Shared key: (paste)
                          * Custom options: lport 1195
* Description: Link to branch 3
                          save --> Apply changes
          
          - Disable NAT
                  Firewall --> NAT --> Outbound
                          Manual outbound --> save --> Apply changes
                          # Delete the listed rule --> Apply changes
          
          - Allow VPN to be set
                  Firewall --> Rules --> OPT1 --> Add
                          Protocol: UDP
                          Source 10.10.1.1
                          Destination: OPT1 address
                          Destination port: OpenVPN
Description[/code]
          
          [code]
          #
          # S3
          #
          
          - Setup WAN
                  Type: Static
                  IP address: Public IP?
                  Gateway: ?
          - Setup LAN
          - Add OPT1, setup, enable
                  Type: Static
                  IP address: 10.10.1.3/24
                  Gateway:
                  Check: Disable userland ftp helper
          - Setup VPN to Site 3
                  VPN --> OpenVPN --> add
                          * Address pool: 172.31.55.0/30
                          * Remote network: 192.168.2.0/24
                          * Shared key: (paste)
                          * Description:
                          save --> Apply changes
          - Allow VPN to be setup
                  Firewall --> Rules --> OPT1 --> Add
                          Protocol: UDP
                          Source 10.20.1.2
                          Destination: OPT1 address
                          Destination port: OpenVPN
Description[/code]
          
I just wanted to set up basic connectivity like this first:
          
          Site1 <--> Site2 (works only Site1 --> Site2)
          Site2 <--> Site3 (works)
          
The idea is to route everything to the internet connection at Site3, where I'll be using transparent squid.
          
• cyruspy

These are the routes created from the above setup. I haven't added any static route yet.

            FW1

            I see that now the route for LAN2 is missing and apparently the VPN is not working. I'm checking this right now…

            FW2

            FW3

• GruensFroeschli

You cannot ping from LAN2 to LAN1 because on FW1 you obviously don't have any routing table entries to answer back.
              Are you sure that you have filled in the "remote network" field there?

              In the GUI you have the field: "Remote network".
              This allows you to add a single network which gets routed to the other side of the tunnel.
              Behind the scene this creates in the config file something along the line of:
              route 192.168.1.0 255.255.255.0

You can add in the custom options field as many additional such routes as you want. (Limited by the routing table.)

              If you want to redirect everything you can go at this like this:

              route IP_of_other_side_of_link 255.255.255.255;
              route 0.0.0.0 128.0.0.0;
              route 128.0.0.0 128.0.0.0;

              The first route makes sure that the other side is always reachable.
              The second and third rule create a kind of "new default gateway" without killing the original default gateway.
              These routes are added dynamically when the link comes up.
              When the link dies they get removed from the routing table.

              So basically in your setup:
              S1:
              Create these 3 rules with the /32 route pointing to S2

              S2:
              Create the same 3 rules with the /32 pointing to S3
              Also create here a rule for the 192.168.1.0/24 subnet. (route 192.168.1.0 255.255.255.0)

              S3:
              Here you dont need the "redirect everything" rules.
              Just two rules for S1 and S2
              –>
              route 192.168.1.0 255.255.255.0;
              route 192.168.2.0 255.255.255.0;


• cyruspy

                "Fixed" FW1 with a reboot:

                I can ping again from Site1 to Site2, the other way still doesn't work

• GruensFroeschli

Did you disable automatic rule generation for the VPN?
If so: did you assign the interface with IP "none"?
Also, did you create rules actually allowing ICMP (not just TCP/UDP)?

If you assign the interfaces, it's a good idea to add to the OpenVPN config the line:
dev tunXXX
where XXX is a number you can define.
If you don't do this the tunnels will come up with a non-deterministic number,
making it hard to assign them and create rules.
If you fix them to a tun you can be sure you always have the same tunnel on the same tun.


• cyruspy

I didn't disable automatic rule generation, at least not explicitly. How can I check that?
Edit: Found the option in System –> Advanced, it's not disabled.

From what I understand, I should add these options:

                    FW1 as client
                    route 192.168.2.1 255.255.255.255;
                    route 0.0.0.0 128.0.0.0;
                    route 128.0.0.0 128.0.0.1;

                    FW2 as client
                    route 192.168.3.1 255.255.255.255;
                    route 0.0.0.0 128.0.0.0;
                    route 128.0.0.0 128.0.0.1;

                    FW3 as server
                    route 192.168.1.1 255.255.255.255;
                    route 192.168.2.1 255.255.255.255;

                    Is this correct?

                    After those changes:

                    Ping LAN1 --> LAN2: works
                    Ping LAN2 --> LAN1: doesn't work
                    Ping LAN2 --> LAN3: works
                    Ping LAN3 --> LAN2: doesn't work (that's new)
                    Ping LAN1 --> LAN3: doesn't work
                    Ping LAN3 --> LAN1: Works!!! (that's new)

                    Edit: "Ping LAN3 --> LAN2" works again, without modifications  ???

• cyruspy

                      Routes after above changes

                      Site1

                      Site2

                      Site3

• GruensFroeschli

                        Ugh. It's getting hard to do this all in my head ^^"

Sorry, I messed up your routing table :D I just noticed I wrote an error before.
You need to redirect everything 0.0.0.0/1 and 128.0.0.0/1
/1 is 127.0.0.0 and not 127.0.0.1 >_<

The /32 (255.255.255.255) routes are not really needed.
They are just there to ensure you really send traffic to the other side of the tunnel even if you have a router in between.
They don't hurt, but for this setup I think you can safely leave them out.

Are you sure that 1 and 2 are clients and only 3 is the server?

Don't you mean
Link1-2: 1 is client, 2 is server
Link2-3: 2 is client, 3 is server
?

I'll try to write up a list of how your custom routes should look:
                        Your link-pool is according to http://forum.pfsense.org/index.php/topic,23854.msg122952.html#msg122952

                        S1-client:
                        route 0.0.0.0 127.0.0.0;
                        route 128.0.0.0 127.0.0.0;
                        dev tun12;

                        S2-server:
                        route 192.168.1.0 255.255.255.0;
                        dev tun21;

                        S2-client:
                        route 0.0.0.0 127.0.0.0;
                        route 128.0.0.0 127.0.0.0;
                        dev tun23;

                        S3-server:
                        route 192.168.2.0 255.255.255.0;
                        route 192.168.3.0 255.255.255.0;
                        dev tun32;

If you deactivated automatic rule generation you need to assign the new tun interfaces (Firewall –> Assign).
After assigning them you need to activate each one on its config page.
Put "none" as IP and leave the gateway field empty.
Then create firewall rules on the new interface.


• cyruspy

Thanks for being patient!

Are you sure that 1 and 2 are clients and only 3 is the server?

I meant I only set up the client parameters for fw2, as the route to LAN1 should be set up using the remote network parameter.
This is correct:

                          Dont you mean
                          Link1-2: 1 is client, 2 is server
                          Link2-3: 2 is client, 3 is server?
                          
                          
                          I'll try to write up a list of how your custom routes should look like:
                          

                          Fixed the configuration as suggested.

                          
                          If you deactivated automatic rule generation you need to assign the new tun interfaces (firewall --> assign).
                          

I haven't disabled the automatic rule generation, should I?

These are the routes now:

                          FW1

                          FW2

                          FW3

                          This doesn't work:

                          Ping LAN1 –> LAN3
                          Ping LAN2 --> LAN1

• GruensFroeschli

                            Well if you don't, you don't have the option to create firewall rules for the OpenVPN interface.

So yes, I would activate that, but later.
                            For now we need to get routing up and running correctly.

                            How exactly are you testing if your tunnels are up?
                            Did you connect clients in the LAN subnet?
                            Or are you pinging from the pfSenses directly?


• cyruspy

                              I have as client:

                              LAN1: Linux VM
                              LAN2: Windows VM
                              LAN3: Linux VM

                              Tested from LAN clients and also from FW in each site

• GruensFroeschli

Sorry, I only just saw your screenshots.
I wrote an error again.
I saw in your first screenshots that you had /80000001 as the subnet for the overriding routes.
This was wrong. I didn't realize that it was because of 127.0.0.1.
Now with 128.0.0.0 it's 7f000000 which is just as bad…
It should just be /1 (or 80000000). So in the end it really has to be 127.0.0.0
Sorry.


• cyruspy

                                  That would be something like this?

                                  S1-client:
                                  route 0.0.0.0 127.0.0.0;
                                  route 127.0.0.0 127.0.0.0;
                                  dev tun12;
                                  
                                  S2-server:
                                  route 192.168.1.0 255.255.255.0;
                                  dev tun21;
                                  
                                  S2-client:
                                  route 0.0.0.0 127.0.0.0;
                                  route 127.0.0.0 127.0.0.0;
                                  dev tun23;
                                  
                                  S3-server:
                                  route 192.168.1.0 255.255.255.0;
                                  route 192.168.2.0 255.255.255.0;
                                  dev tun32;
                                  
• GruensFroeschli

                                    More like this:

                                    S1-client:
                                    route 0.0.0.0 128.0.0.0;
                                    route 128.0.0.0 128.0.0.0;
                                    dev tun12;

                                    S2-server:
                                    route 192.168.1.0 255.255.255.0;
                                    dev tun21;

                                    S2-client:
                                    route 0.0.0.0 128.0.0.0;
                                    route 128.0.0.0 128.0.0.0;
                                    dev tun23;

                                    S3-server:
                                    route 192.168.1.0 255.255.255.0;
                                    route 192.168.2.0 255.255.255.0;
                                    dev tun32;


• cyruspy

                                      Wasn't that already tested?

                                      Ref: http://forum.pfsense.org/index.php/topic,23854.msg122983.html#msg122983

• GruensFroeschli

                                        Not according to the screenshot of the routes you posted in the link.
                                        You have as subnet /7F000000 which is wrong. It should be /80000000 ( displayed as /1 )


• cyruspy

                                          Double checked, the above configuration gives 0.0.0.0/7F00000

• cyruspy

For the record, I got the 3-site routed VPN working with this changed topology:
Site1 <-> Site2 <-> Site3 <-> Site1

The missing bit was to add routes for the Site2 FW before redirecting the default gw on the other two sites.

FW1
LAN1: 192.168.1.0
WAN: 10.10.1.2 --> intersite gw: 10.10.1.1

FW2
LAN2: 192.168.2.0
OPT1: 10.10.2.2 --> intersite gw: 10.10.2.1
WAN: Internet

FW3
LAN3: 192.168.3.0
WAN: 10.10.3.2 --> intersite gw: 10.10.3.1


                                            Site1 as client:

                                            route 10.10.2.0 255.255.255.252 10.10.1.1;
                                            route 10.10.3.0 255.255.255.252 10.10.1.1;
                                            route 0.0.0.0 128.0.0.0;
                                            route 128.0.0.0 128.0.0.0;
                                            dev tun12;
                                            

                                            Site1 as server:

                                            route 192.168.3.0 255.255.255.0;
                                            dev tun13;
                                            

                                            Site2 as client:

                                            route 192.168.1.0 255.255.255.0;
                                            dev tun21;
                                            

                                            Site2 as server:

                                            route 192.168.3.0 255.255.255.0;
                                            dev tun23;
                                            

                                            Site3 as server:

                                            route 10.10.1.0 255.255.255.252 10.10.3.1;
                                            route 10.10.2.0 255.255.255.252 10.10.3.1;
                                            route 0.0.0.0 128.0.0.0;
                                            route 128.0.0.0 128.0.0.0;
                                            dev tun32;
                                            

                                            Site3 as client:

                                            route 192.168.1.0 255.255.255.0;
                                            dev tun31;
                                            

                                            Thanks a lot to GruensFroeschli for the tip about redirecting default gw. Just out of curiosity, the two routes for that trick do the same as "redirect-gateway def1"?

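The two things this thread turns on are (a) why two /1 routes can take over the default route without deleting the original 0.0.0.0/0 entry (GruensFroeschli's "new default gateway" explanation) and (b) why 127.0.0.0 and 128.0.0.1 are not usable netmasks while 128.0.0.0 is. The Python below is an added example written for this page, not code from the thread or from pfSense/OpenVPN: it parses the "Site1 as client" custom options posted above, rejects non-contiguous masks, and runs a longest-prefix-match lookup over a model of FW1's table. The base table (LAN, a /30 WAN link and the default via 10.10.1.1) and the next-hop labels "LAN", "WAN" and "tun12" are assumptions for illustration; the /30 link size is inferred from the 255.255.255.252 routes in the post.

```python
import ipaddress

# Constructed sample: the custom-options text posted for "Site1 as client"
# in the final working configuration of this thread.
SITE1_CLIENT_OPTIONS = """\
route 10.10.2.0 255.255.255.252 10.10.1.1;
route 10.10.3.0 255.255.255.252 10.10.1.1;
route 0.0.0.0 128.0.0.0;
route 128.0.0.0 128.0.0.0;
dev tun12;
"""


def is_contiguous_mask(mask: str) -> bool:
    """True if the dotted-quad mask is a run of 1-bits followed by 0-bits.

    128.0.0.0 (0x80000000) is a real /1.  127.0.0.0 (0x7F000000) and
    128.0.0.1 (0x80000001), both tried in this thread, are not valid masks.
    """
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & 0xFFFFFFFF          # host part; valid only if it is 2**k - 1
    return (inv & (inv + 1)) == 0


def parse_routes(options: str):
    """Parse OpenVPN 'route NETWORK NETMASK [GATEWAY];' lines.

    Returns [(IPv4Network, gateway_or_None)].  Other directives (dev, lport,
    ...) are skipped.  Raises ValueError on a malformed line or a bad mask,
    which is the check the thread's trial-and-error was missing.
    """
    routes = []
    for raw in options.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line.startswith("route "):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed route line: {raw!r}")
        net, mask = parts[1], parts[2]
        gw = parts[3] if len(parts) > 3 else None
        if not is_contiguous_mask(mask):
            raise ValueError(f"non-contiguous netmask {mask!r} in {raw!r}")
        routes.append((ipaddress.IPv4Network(f"{net}/{mask}"), gw))
    return routes


def site1_table(tunnel_up: bool):
    """Model of FW1's routing table in the final topology (assumed layout).

    The LAN, the /30 WAN link and the default route stand in for what the
    interface configuration installs.  When the tunnel comes up, OpenVPN adds
    the parsed routes; a route line with no explicit gateway points into the
    tunnel device, labelled 'tun12' here after the posted 'dev tun12'.
    """
    table = [
        (ipaddress.IPv4Network("0.0.0.0/0"), "10.10.1.1"),   # default via WAN gw
        (ipaddress.IPv4Network("192.168.1.0/24"), "LAN"),
        (ipaddress.IPv4Network("10.10.1.0/30"), "WAN"),
    ]
    if tunnel_up:
        for net, gw in parse_routes(SITE1_CLIENT_OPTIONS):
            table.append((net, gw or "tun12"))
    return table


def lookup(table, dst: str):
    """Longest-prefix match: return (network, next_hop) for dst."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


if __name__ == "__main__":
    # Internet destinations fall into 0.0.0.0/1 or 128.0.0.0/1 and go into the
    # tunnel; the other sites' link nets match the /30 routes and still leave
    # via the WAN gateway, so the tunnel endpoints stay reachable.
    for dst in ("8.8.8.8", "200.1.2.3", "10.10.2.2", "10.10.3.2", "192.168.1.50"):
        net, hop = lookup(site1_table(True), dst)
        print(f"{dst:>13} -> {str(net):>16} via {hop}")
    for mask in ("128.0.0.0", "127.0.0.0", "128.0.0.1"):
        state = "valid" if is_contiguous_mask(mask) else "INVALID"
        print(f"mask {mask:>10}: {state}")
```

The lookup shows the mechanism behind the trick: 0.0.0.0/1 and 128.0.0.0/1 together cover every address and each is one bit more specific than 0.0.0.0/0, so they win longest-prefix match while the original default stays in the table and comes back into use the moment OpenVPN withdraws the tunnel routes. The /30 (or /32) routes to the other sites' link addresses are what keep the tunnel's own UDP packets from being sent into the tunnel. OpenVPN's `redirect-gateway def1` flag installs exactly this pair of /1 routes, plus a host route to the VPN server via the pre-existing gateway, so the manual routes in the thread are the hand-written equivalent of that flag.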
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.