OpenVPN traffic from behind Server to one of two remote endpoints doesn't route



  • All firewall/gateway systems are using pfSense 1.2.3-RELEASE.

    OpenVPN server at "home office" - 172.16.0.0/24 (In a CARP setup, incidentally, but running on master)

    OpenVPN client at "remote office 1" - 10.2.105.0/24

    OpenVPN client at "remote office 2" - 172.31.2.0/24 (also in a CARP setup, running on master)

    Setup is PKI, all tunnels establish properly. The OpenVPN server itself can ping / connect to everything as expected, but clients at "home office" behind the pfSense box can't communicate with clients at "remote office 2".

    Routes appear to be built correctly. Each "client-specific configuration" is set as I believe is correct - "remotesite1" ID on the server with "iroute 10.2.105.0 255.255.255.0" and "remotesite2" with "iroute 172.31.2.0 255.255.255.0".

    Routes, visible with netstat -rn - directly attached devices and unrelated routes / interfaces removed.

    Home Office (server)

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            X.X.X.1        UGS        0    66465  fxp0
    10.2.105.0/24      10.222.58.2        UGS        0    10554  tun0
    10.222.58.0/24    10.222.58.2        UGS        0        0  tun0
    10.222.58.2        10.222.58.1        UH          3        0  tun0
    127.0.0.1          127.0.0.1          UH          0        0    lo0
    172.16.0.0/24      link#9            UC          0        0  vlan1
    172.31.2.0/24      10.222.58.2        UGS        0        0  tun0

    Remote 1

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            y.y.y.193      UGS        0 321579527  vlan0
    10.2.105.0/24      link#4            UC          0        0  fxp3
    10.2.105.1        10.2.105.1        UH          0        0  carp1
    10.222.58.1/32    10.222.58.9        UGS        0        0  tun0
    10.222.58.9        10.222.58.10      UH          2        0  tun0
    127.0.0.1          127.0.0.1          UH          0        0    lo0
    172.16.0.0/24      10.222.58.9        UGS        0    9976  tun0

    Remote 2

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            z.z.z.49      UGS        0    56180    em1
    10.222.58.1/32    10.222.58.5        UGS        0        0  tun0
    10.222.58.5        10.222.58.6        UH          2        0  tun0
    127.0.0.1          127.0.0.1          UH          0        0    lo0
    172.16.0.0/24      10.222.58.5        UGS        0        0  tun0
    172.31.2.0/24      link#1            UC          0        0    em0

    ---

    Behavior when pinging from workstations behind the home office to remote-2 sites is to get NATed out rather than routed.

    i.e. if I traceroute -n, I get my first hop as my WAN-side (public IP) Gateway.

    I do have 'auto-generated VPN rules' disabled on the server, but the tun0 firewall rules are 'allow all out' - I even set it to 'allow all' to test.

    I can provide OpenVPN configs if it's helpful, but I've compared remote 1 and remote 2 - the config files are identical.

    Server is dual-WAN, though I have 'local wan2 ip' in my custom options on the server.
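    To check the symptom above (traceroute's first hop is the WAN gateway even though the server's table has a tun0 route for 172.31.2.0/24), here is an added Python diagnostic, not from the post or from pfSense: it runs a longest-prefix lookup over the routing tables transcribed from the post and flags a first hop that disagrees with the FIB, which on pfSense usually means something ahead of the routing table chose the path (a firewall rule with a gateway set, i.e. policy routing, is the usual suspect in dual-WAN setups). The observed-hop value and the probe hosts are constructed.

```python
import ipaddress

# Routing tables constructed from the netstat -rn listings in the post:
# (Destination, Gateway, Netif); only the columns a lookup needs.
SERVER_ROUTES = [
    ("default",        "X.X.X.1",     "fxp0"),
    ("10.2.105.0/24",  "10.222.58.2", "tun0"),
    ("10.222.58.0/24", "10.222.58.2", "tun0"),
    ("10.222.58.2",    "10.222.58.1", "tun0"),
    ("172.16.0.0/24",  "link#9",      "vlan1"),
    ("172.31.2.0/24",  "10.222.58.2", "tun0"),
]
REMOTE2_ROUTES = [
    ("default",        "z.z.z.49",    "em1"),
    ("10.222.58.1/32", "10.222.58.5", "tun0"),
    ("10.222.58.5",    "10.222.58.6", "tun0"),
    ("172.16.0.0/24",  "10.222.58.5", "tun0"),
    ("172.31.2.0/24",  "link#1",      "em0"),
]

def _as_network(dest):
    # "default" is 0.0.0.0/0; a bare host such as 10.222.58.2 is a /32 host route.
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(dest, strict=False)

def lookup(routes, dst):
    """Longest-prefix match, the way the BSD forwarding table resolves a packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, netif in routes:
        net = _as_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best

def diagnose(routes, dst, observed_first_hop):
    """Compare the FIB's choice with the first hop traceroute showed.
    Returns (expected_netif, expected_gateway, verdict)."""
    _net, gw, netif = lookup(routes, dst)
    default_gw = next(g for d, g, _ in routes if d == "default")
    if observed_first_hop == gw:
        verdict = "ok"
    elif observed_first_hop == default_gw:
        # A more specific route exists, yet the packet left via the default
        # gateway: something ahead of the FIB (policy routing / outbound NAT)
        # picked the path, not the routing table.
        verdict = "bypassed-fib"
    else:
        verdict = "unexpected-hop"
    return netif, gw, verdict

def return_path_ok(remote_routes, src_net, expected_netif="tun0"):
    """Does the far end send replies for src_net back into the tunnel?"""
    probe = ipaddress.ip_network(src_net)[1]  # constructed probe host
    return lookup(remote_routes, str(probe))[2] == expected_netif
```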
