PfSense to TomatoVPN routing issue. SOLVED!
Thanks to this great guide here, I've configured pfSense/OpenVPN at work and connected to it from home via TomatoVPN in a site-to-site configuration.
The pfSense machine is not, and cannot currently be made, the default gateway of the work domain. That said, the connection is easily made and I can ping, SSH, etc. to the pfSense server from home. I cannot ping any other machine on the network, nor can the machines at work ping mine at home. If I change their default gateway to the pfSense we can see each other. If I add a route to 192.168.1.0 -> 10.1.1.18 (pfSense internal IP) at the default gateway they can see me, but I still can't see them. It is as if pfSense doesn't know where to send my requests on arrival if it is not the default gateway, even though it's on the same subnet.
Anyone have any idea on a possible solution? Any pointers on DNS, etc. would be great, I haven't had a chance to experiment much as I've been stuck here. Thanks in advance for your time.
My configuration is as follows: (pfSense Server)
Protocol: UDP
Dynamic IP: Checked
Local Port: 1194
Address Pool: 10.8.1.0/24
Client-to-client: Checked
Cryptography: BF-CBC
Authentication: (PKI)
(Keys in place)
LZO: Checked
Custom Options: route 192.168.1.0 255.255.255.0;push "route 10.1.0.0 255.255.0.0"
Desc: site-to-site
Client-specific configuration (pfSense Server)
Common name: (matches key)
Custom options: iroute 192.168.1.0 255.255.255.0
Desc: 192.168.1.0/24
VPN-> Client-> Basic (TomatoVPN client)
Interface Type: TUN
Protocol: UDP
Server Addr: (server's WAN ADDR):1194
Firewall: Automatic
Auth Mode: TLS
Extra HMAC: Disabled
Nat on tunnel: Checked
VPN-> Client-> Advanced (TomatoVPN client)
Poll: 0
Accept DNS Conf: Disabled
Encryption: BF-CBC
Compression: Enabled
ReNego: -1
(Keys in Place)
Firewall Rules: LAN
- LAN * * * * Default LAN -> any
Firewall Rules: WAN
UDP * * * 194 * -
I've solved my own problem.
The REAL default gateway at work needed a route added for the ADDRESS POOL, not the client side's LAN. Using a route for the client side's LAN allowed them to see me, but not respond to me.
Hope this helps anyone else attempting to configure a similar setup.
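To show why the fix above works, here is an added illustration (not part of the original post) that models the work site's default gateway as a longest-prefix-match routing table using the addresses from the thread. It assumes that the Tomato client's "NAT on tunnel" setting rewrites the home host's source address to its VPN pool address (10.8.1.x), so a work host addresses its reply to the pool, not to 192.168.1.0/24; the host IPs 10.8.1.6 and 192.168.1.50 are constructed.

```python
import ipaddress

# Addresses taken from the post; host addresses below are constructed.
PFSENSE_LAN_IP = "10.1.1.18"
WORK_LAN = "10.1.0.0/16"
VPN_POOL = "10.8.1.0/24"
HOME_LAN = "192.168.1.0/24"


def next_hop(table, dst):
    """Longest-prefix match over a list of (prefix, gateway) entries."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reply_reaches_home(gateway_routes, nat_on_tunnel=True):
    """Trace a work host's reply back toward the home host.

    The work host's default gateway is not pfSense, so the reply goes to
    that gateway first; it must forward the packet to pfSense to enter the
    tunnel. With "NAT on tunnel" enabled on the Tomato client (assumption),
    the request arrived with a 10.8.1.x source, so the reply is sent there.
    """
    reply_dst = "10.8.1.6" if nat_on_tunnel else "192.168.1.50"  # constructed
    return next_hop(gateway_routes, reply_dst) == PFSENSE_LAN_IP


# The work gateway's table: connected LAN, default to the ISP, plus one static route.
BASE = [(WORK_LAN, "connected"), ("0.0.0.0/0", "isp")]
ROUTE_HOME_LAN = BASE + [(HOME_LAN, PFSENSE_LAN_IP)]  # first attempt in the post
ROUTE_POOL = BASE + [(VPN_POOL, PFSENSE_LAN_IP)]      # the fix: route the address pool

if __name__ == "__main__":
    print("route for home LAN only:", reply_reaches_home(ROUTE_HOME_LAN))  # False
    print("route for VPN pool:     ", reply_reaches_home(ROUTE_POOL))      # True
```

With NAT on the tunnel disabled, the home-LAN route alone would suffice, which is the difference the simulation makes visible.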