OpenVPN Routing with Multi-WAN/LAN
-
I believe this is an OpenVPN question, but I am using pfSense v2.0 BETA-4. If the mods feel this is better placed in the 2.0 BETA forum, please move it.
I'm trying to connect two sites together using site-to-site, PKI, routed, OpenVPN. The site hosting the OpenVPN servers (Site 1) has two WANs (both static IPs with unique gateways). Each OpenVPN server is bound to its corresponding WAN interface. The client site (Site 2) has a single WAN and spawns two OpenVPN clients to Site 1 (one client to connect to each OpenVPN server running at Site 1). Both sites are running pfSense and have two VLANs behind pfSense. See the attached diagram for the basic layout. The endgame is for all VLANs to have access to each other.
The "additional options" for the OpenVPN server on WAN1 are:
push "route 192.168.1.0 255.255.255.0";
route 192.168.2.0 255.255.255.0;and the corresponding "client specific options" for the connecting site is:
iroute 192.168.2.0 255.255.255.0;
Similarly, the "additional options" for the OpenVPN server on WAN2 are:
push "route 172.16.1.0 255.255.255.0";
route 172.16.2.0 255.255.255.0;and the corresponding "client specific options" for the connecting site is:
iroute 172.16.2.0 255.255.255.0;
For testing purposes, all traffic on all interfaces have a single rule which allows everything (see attchement).
The problem:
The OpenVPN clients from Site 2 connect to the OpenVPN server at Site 1 without issue. Machines on Site 2/VLAN1 can communicate with machines on Site 1/VLAN1 and vice versa. Similarly, machines on Site 2/VLAN2 can communicate with machines on Site 1/VLAN2 and vice versa. However, machines from Site 2/VLAN1 cannot communicate with machines on Site 1/VLAN2 and machines from Site 2/VLAN2 cannot communicate with machines on Site 1/VLAN1. (I hope that wasn't too confusing.)
If I SSH into each of the pfSense machines, I can access all four VLANs. Additionally, the routing tables on both pfSense machines look to be correct.
I can get all four VLANs talking to each other by duplicating the routes pushed by each OpenVPN server. So, the OpenVPN server on both WAN1 and WAN2 would have the "additional options" of:
push "route 192.168.1.0 255.255.255.0";
route 192.168.2.0 255.255.255.0;
push "route 172.16.1.0 255.255.255.0";
route 172.16.2.0 255.255.255.0;The problem with this is traffic originating from Site 2/VLAN1 destined for Site 1/VLAN2 might travel along the tunnel bound to Site 1's WAN1 and not Site 1's WAN2 as it should. This will depend up which tunnel from Site 2 was connected first to Site 1 (and therefore, take precedence).
VLAN2 at both locations is used for VoIP while VLAN1 is used for data, so I don't want data traffic accidentally leaking into the VoIP tunnel. At the same time, people at both locations will need to access their phones (located on VLAN2) from their computers (located on VLAN1) to configure certain features.
Can anyone see why the above is not working correctly, and if so, point out what I'm missing? I know the above is somewhat confusing, so if any clarification is needed, please let me know.
![Allow Rule.png](/public/imported_attachments/1/Allow Rule.png)
![Allow Rule.png_thumb](/public/imported_attachments/1/Allow Rule.png_thumb)