Netgate Discussion Forum

Nat & routing on OPENVPN

Category: NAT
4 Posts 3 Posters 3.1k Views
stemond (last edited Nov 8, 2010, 8:09 PM)

    Hey NG,

    I don't know if this is the best NG for my problem.
    I am new to pfSense. I am planning my remote access to the office by OpenVPN.
    The tunnel comes up. I can ping the local interface of the pfSense firewall but I can't route to the LAN servers.
    This is my situation:

    LAPTOPS(192.168.19.0/24) -- WAN -- ROUTER -- PFSENSE (STATIC NAT with public IP) -- SERVERS LANS (192.168.126.0/24)

    I added routing rules on the server LANs but it doesn't route :(
    I tested with tcpdump on pfSense and the packets arrive but are not routed.
    Can you hint me where the problem is?

    With IPSEC VPN all works....
    Thanks to all
    Stefano

    Hypnus (Nov 11, 2010, 5:15 PM; last edited Nov 12, 2010, 8:21 AM)

      Hello,
      I kind of have the same problem but with a spin:

      • pfSense at one office (office 1) with an OpenVPN server and one at another office (office 2) with an OpenVPN client set (OVPN site to site)
        I can ping the office 2 pfSense but I cannot access the LAN behind it; the other way around works, so from the office 2 LAN I can access the office 1 LAN.

      Does anyone have an idea about it?
      I'm also kind of new to pfSense so I might have made a silly mistake in the configuration, but I cannot see what.

      Thank you in advance.

      torontob (last edited Nov 19, 2010, 9:48 PM)

        Can you guys post your configuration on both server and client side?

        Hypnus (Nov 24, 2010, 1:16 PM; last edited Nov 25, 2010, 4:30 PM)

          Hi, yes I will, but I'll need a bit of time to get all the info from the configuration.
          Thank you very much for your interest in our problem.

          OK, the information on the 2 firewalls and the network:
          ** They are linked with a Site-to-Site VPN, and an MS Domain is working through it (not sure if this is important)

          1. The main Firewall:
               - 2 interfaces: WAN(static ip) and LAN(No bridging, 192.168.3.100/24, Disable the userland FTP-Proxy application)
               - Firewall: only configured rules as:
                   LAN: pass (there was a second network but it is no longer so this is kind of useless)

          | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
          |---|---|---|---|---|---|---|---|
          | * | LAN net | * | 192.168.1.0/24 | * | * | | to 192.168.1.x |
          | * | 192.168.1.0/24 | * | * | * | * | | 192.168.1.x subnet |
          | * | LAN net | * | * | * | * | | Default LAN -> any |

          WAN: pass

          | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
          |---|---|---|---|---|---|---|---|
          | * | * | * | * | * | * | | pass in all test rule |
          | TCP/UDP | * | * | * | 443 (HTTPS) | * | | Allow TCP/UDP to OpenVPN Server Port |
          | TCP/UDP | * | * | * | 1191 | * | | Allow TCP/UDP to OpenVPN Server Port |

          PPTP VPN: pass

          | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
          |---|---|---|---|---|---|---|---|
          | * | PPTP clients | * | * | * | * | | allows incoming PPTP |

          IPSEC: pass

          | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
          |---|---|---|---|---|---|---|---|
          | * | * | * | * | * | * | | Permit IPSEC |

          • Services: default
            Enable DHCP server on LAN interface: FALSE
            Subnet 192.168.3.0
            Subnet mask 255.255.255.0
            Available range: (192.168.3.0 - 192.168.3.255 ) - default readonly

          • VPN:

          • IPsec
            Tunnels: Enabled IPsec
            Mobile clients: Allow mobile clients:FALSE (basic config)
          • PPTP: Enabled PPTP server
            Server address : xx.xx.xx.xx
            Remote address range: 192.168.50.x/28
            ….
            WINS server: 192.168.3.128
          • OpenVPN : Server
            1. No TCP 192.168.10.0/24 ovpn
            ** For external connections via OpenVPN client application
            Protocol: TCP
            Dynamic IP : true
            Local port: 443
            Address pool: 192.168.10.0/24
            Local network: 192.168.3.0/24

          Cryptography: BF-CBC(128bit)
          Authentication method: PKI

          DHCP-Opt.: DNS-Server: 192.168.3.128

          Custom options:push "dhcp-option DNS 192.168.3.128";push "dhcp-option DNS 192.168.3.129";push "dhcp-option WINS 192.168.3.128"; push "route 192.168.9.0 255.255.255.0";

          2. No TCP 192.168.11.0/24 Office 2 Server
          Protocol: TCP
            Dynamic IP : true
          Local port: 1191
          Address pool: 192.168.11.0/24
          Remote network: 192.168.9.0/24

          Cryptography: BF-CBC(128bit)
          Authentication method: Shared key

          DHCP-Opt.: NetBIOS node type: none

          LZO compression: true

          Description: Office 2

          ALL THE REST THAT ARE NOT DISPLAYED EITHER ARE NOT SET OR DISABLED

          2. The client, office 2, Firewall:
          • System: there are 4 static routes, like 160.58.134.x, which point to the office 1 firewall 192.168.3.100
               - 2 interfaces: WAN(static ip) and LAN(No bridging, 192.168.9.100/24, Disable the userland FTP-Proxy application)
               - Firewall: only configured rules as:
                   LAN: nothing
            WAN: pass

          | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
          |---|---|---|---|---|---|---|---|
          | TCP/UDP | * | * | * | 1191 | * | | Tunnel |

          • Services: default
            Enable DHCP server on LAN interface: TRUE
            Subnet 192.168.9.0
            Subnet mask 255.255.255.0
            Available range 192.168.9.0 - 192.168.9.255

          • VPN:

          • IPsec
            Tunnels: Enabled IPsec: FALSE (not enabled)
          • PPTP: Off
          • OpenVPN : Client
            No Firewall_1_WAN_IP TCP  Tunnel Connection 2 Office 1
            Protocol: TCP
            Server address : Firewall_1_WAN_IP (xx.xx.xx.xx)
            Server port: 1191
            Interface IP: 192.168.11.0/24
            Remote network: 192.168.3.0/24

          Proxy port: 3128

          Cryptography: BF-CBC(128bit)
          Authentication method: Shared key

          LZO compression: true

          Description: Tunnel 2 Office 1

          The rest is common configuration, default.
          So there is the office 1 network and the office 2 network, and then there are the ones for the Site-to-Site VPN (192.168.11.x) and the one for the exterior VPN connection (192.168.10.x), in which the clients can see each other whether they are in Office 1 or Office 2. What and where should I add a route for Office 1 to see the Office 2 clients?

          Note: No client from office 1 can access the network at office 2, and no client from office 2 can access its network mates if they have activated the OpenVPN Client App (which connects to the Office 1 VPN 1).

          Thank you very much

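Both problems in this thread come down to the same question: does each end of the tunnel hold a route for the network on the far side, including a return route for traffic that originated from a remote-access pool? The script below is an added example (not pfSense code, not the posters' real configuration, and not a diagnosis of their setup): it parses OpenVPN-style directives, checks that a site-to-site pair routes each other's LAN, that the tunnel network does not overlap a LAN, and that any network pushed to remote-access clients has a route back to the client pool on the far side. The configs are constructed from the subnets posted above (office 1 LAN 192.168.3.0/24, office 2 LAN 192.168.9.0/24, site-to-site tunnel 192.168.11.x, remote-access pool 192.168.10.0/24); the WAN address 203.0.113.10, the secret file paths and the /30 approximation of the shared-key tunnel are assumptions.

```python
"""Route-consistency check for an OpenVPN site-to-site pair plus a remote-access server.

Added example for this thread: not pfSense code and not the posters' real
configuration. Directives are constructed from the posted subnets; the WAN
address 203.0.113.10 and the secret paths are assumptions.
"""
import ipaddress
from collections import namedtuple

# Constructed from the thread: office 1 LAN and office 2 LAN.
LAN_OFFICE1 = ipaddress.IPv4Network("192.168.3.0/24")
LAN_OFFICE2 = ipaddress.IPv4Network("192.168.9.0/24")

# Office 1, shared-key site-to-site server ("Remote network" becomes a route).
OFFICE1_S2S = """
dev tun
proto tcp-server
port 1191
ifconfig 192.168.11.1 192.168.11.2
secret /var/etc/openvpn_server2.secret
route 192.168.9.0 255.255.255.0
comp-lzo
"""

# Office 2, shared-key client end of the same tunnel.
OFFICE2_S2S = """
dev tun
proto tcp-client
remote 203.0.113.10 1191
ifconfig 192.168.11.2 192.168.11.1
secret /var/etc/openvpn_client1.secret
route 192.168.3.0 255.255.255.0
comp-lzo
"""

# Office 1, remote-access (PKI) server on 443 that also pushes a route to office 2.
OFFICE1_RA = """
dev tun
proto tcp-server
port 443
server 192.168.10.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.9.0 255.255.255.0"
push "dhcp-option DNS 192.168.3.128"
"""

Parsed = namedtuple("Parsed", "routes pushed tunnel")


def parse_cfg(text):
    """Collect kernel routes, pushed routes and the tunnel network from an OpenVPN config."""
    routes, pushed, tunnel = set(), set(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        is_push = line.startswith("push ")
        if is_push:
            line = line[5:].strip().strip('"')  # push "route a m" -> route a m
        parts = line.split()
        if parts[0] == "route" and len(parts) >= 3:
            net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
            (pushed if is_push else routes).add(net)
        elif parts[0] == "server" and len(parts) >= 3:
            tunnel = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
        elif parts[0] == "ifconfig" and len(parts) >= 3:
            # Shared-key point-to-point tun: approximate the tunnel as the /30 around the local end (assumption).
            tunnel = ipaddress.IPv4Network((parts[1], 30), strict=False)
    return Parsed(routes, pushed, tunnel)


def has_route(routes, net):
    """True if some configured route covers the whole of net."""
    return any(net.subnet_of(r) for r in routes)


def check_site_to_site(lan_a, cfg_a, lan_b, cfg_b):
    """Each end needs a route for the other LAN; the tunnel must not overlap either LAN."""
    a, b = parse_cfg(cfg_a), parse_cfg(cfg_b)
    findings = []
    if not has_route(a.routes, lan_b):
        findings.append(f"{lan_a} side has no route to {lan_b}")
    if not has_route(b.routes, lan_a):
        findings.append(f"{lan_b} side has no route to {lan_a}")
    for tun in (a.tunnel, b.tunnel):
        if tun is not None and (tun.overlaps(lan_a) or tun.overlaps(lan_b)):
            findings.append(f"tunnel network {tun} overlaps a LAN")
    return findings


def check_return_paths(ra_cfg, far_lan, far_cfg):
    """A route pushed to remote-access clients into the far LAN only works if the far
    end can route replies back to the client pool; otherwise replies are dropped."""
    ra, far = parse_cfg(ra_cfg), parse_cfg(far_cfg)
    if ra.tunnel is None:
        return ["remote-access config has no 'server' line"]
    findings = []
    for net in ra.pushed:
        if net.overlaps(far_lan) and not has_route(far.routes, ra.tunnel):
            findings.append(f"clients are pushed {net} but the {far_lan} end has no route back to pool {ra.tunnel}")
    return findings


# The route the office 2 end would need for remote-access clients to get replies.
OFFICE2_S2S_FIXED = OFFICE2_S2S + "route 192.168.10.0 255.255.255.0\n"

if __name__ == "__main__":
    print("site-to-site:", check_site_to_site(LAN_OFFICE1, OFFICE1_S2S, LAN_OFFICE2, OFFICE2_S2S) or "ok")
    print("return paths:", check_return_paths(OFFICE1_RA, LAN_OFFICE2, OFFICE2_S2S) or "ok")
    print("after fix:   ", check_return_paths(OFFICE1_RA, LAN_OFFICE2, OFFICE2_S2S_FIXED) or "ok")
```

On the constructed input the site-to-site pair is consistent, but the remote-access server pushes 192.168.9.0/24 to its clients while the office 2 end holds no route back to the 192.168.10.0/24 pool, so the check reports that until the extra route is present. The script only looks at routes; firewall rules on the OpenVPN interface, which pfSense evaluates separately, are outside what it models.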
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.