Once VPN is established, cannot access second (backup) pfsense



  • hello,

    i have my VPN up and running.  when i am connected to it, i can access my first pfsense box by using the LAN ip, and i can access other hosts on the LAN too.  however, i cannot access the second pfsense box (CARP backup) using its LAN address.  if i ssh to another box on the LAN, i can use lynx and access the backup just fine… just not through the VPN.  i notice also on the backup that the OpenVPN connection has not been synchronized over... so if my master goes down then my VPN goes down too, that shouldn't be.

    this is pfsense-1.2.3.  thanks

    edit:  when i say 'cannot access' i mean, i type the address into the address bar and wait, and wait wait wait... after a while i think firefox says the host is taking too long to respond.  the VPN is set up on debian lenny using NetworkManager 0.6.6.


  • Rebel Alliance Developer Netgate

    OpenVPN doesn't sync on 1.2.3, you'd have to set that up manually.

    As for accessing the box, it's likely that it doesn't have a route back to you. It doesn't have a route to the OpenVPN subnet in its routing table, so it would try to send it out the default gateway (WAN) which is wrong.

    You'd have to assign the OpenVPN interface as an OPT interface, and set up some NAT rules which would translate the OpenVPN traffic to an IP on the LAN when trying to access the backup, and that should work.

    Or you could do an ssh port forward to get the job done also.



  • hmm well i am already using the OPT interfaces for the CARP syncing, so there is not yet a way to access the Web GUI of the backup through the VPN?

    if i create the same OpenVPN on the backup, is that going to cause any conflicts with the master?  if so, what would be the correct way to set up a redundant OpenVPN?


  • Rebel Alliance Developer Netgate

    You need to set up the second OpenVPN instance manually, and on both of them, in the custom options put "local x.x.x.x;" where x.x.x.x is the CARP VIP on WAN.

    It doesn't really matter how you try to reach the secondary, its routing won't find its way back to the master from a VPN like that.

    A couple ways around it:
    1. Put the master and slave OpenVPN instance on a separate subnet, and add a static route to the opposing router for that subnet
    or
    2. Assign the OpenVPN interface as an opt interface, and set up NAT so that the traffic coming from OpenVPN and going to the secondary router has NAT applied such that it leaves from a VIP on the LAN side, so the secondary will only see that the traffic is coming from a LAN host and it should be able to get back to the source then.
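    For concreteness, here is what option 2 above amounts to in pf rule syntax on the master, with option 1 shown as a comment. This is a constructed example added to the thread, not config from the poster or from pfSense's generated ruleset; the interface names, subnets and addresses are all assumptions.

```pf
# Constructed example, not the thread's actual configuration.
# All names and addresses below are assumed placeholders.
lan_if     = "fxp0"           # master's LAN interface
ovpn_if    = "tun0"           # OpenVPN tunnel interface, assigned as an OPT interface
ovpn_net   = "10.8.0.0/24"    # subnet handed out to OpenVPN clients
backup_lan = "192.168.1.3"    # backup pfSense box's LAN address
lan_vip    = "192.168.1.1"    # CARP VIP on the LAN side, held by the current master

# Option 2: rewrite the source of OpenVPN-client traffic bound for the backup
# so it appears to come from a LAN-side VIP. The backup then sees an on-link
# LAN source and answers directly, instead of sending the reply out its WAN
# default gateway because it has no route for $ovpn_net.
nat on $lan_if from $ovpn_net to $backup_lan -> $lan_vip

# Allow that traffic in from the tunnel; the NAT rule above only translates,
# it does not permit.
pass in on $ovpn_if from $ovpn_net to $backup_lan keep state

# Option 1 (alternative, no NAT): give the backup a route back to the VPN
# subnet via the master's own LAN address (192.168.1.2 assumed), e.g. on the
# backup:  route add -net 10.8.0.0/24 192.168.1.2
# Option 1 breaks when the master is down; option 2 follows the CARP VIP.
```

    With option 2, a packet capture on the backup's LAN interface should show the request arriving from 192.168.1.1 rather than from a 10.8.0.x address; if it still shows the VPN address, the NAT rule is not matching.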

