Netgate Discussion Forum
    Slightly strange setup :: help/pointers appreciated

    shamims

      Hello all

      I earlier posted this in the IPsec forum, as I was trying to achieve my goals via IPsec. I have failed so far. Reading other posts in this forum, I felt that OpenVPN might be a better choice for what I want. Below is a diagram of what I am trying to do.

      The connection diagram would look like this:

                        x.y.z.69
                            |
                            | a1
                   -------------------
                   |  pfSense box 1  |
                   -------------------
                            | a2   192.168.3.1
                            |
          private network   |
          192.168.3.0/24 ---|
                            |
                            | b1   192.168.3.2
                   -------------------
                   |  pfSense box 2  |
                   -------------------
                            | b2   10.0.0.1
          private network   |
          10.0.0.0/24 ------|

      In simple terms, I need all traffic from the 10.0.0.0 network to end up, via a secured tunnel, in the real-IP land, with a NAT to the external world. People on the 192 network should not be able to read packets verbatim from the 10 network, nor should the 10 network be able to read anything on the 192 network (the two networks must remain isolated always).

      However, there are two hosts in the 10 network that will need to be accessed by 192 network people, which I believe can be achieved via 1:1 mapping.

      What I tried to do for testing is as below.

      I have set up four virtual machines for testing; the diagram now looks like this:

      -----------  172.16.0.1       172.16.0.2  -----------  192.168.13.20
      |  box a  |-------------------------------|  box b  |---------| OPT1 10.2
      -----------  a1                       b1  -----------  b2     |
                                                                    | OpenVPN tunnel
                                                                    | using 172.16.10.0/27
      -----------  d1                       c2  -----------  c1     |
      |  box d  |-------------------------------|  box c  |---------| OPT1 10.1
      -----------  172.16.13.1     172.16.13.3  -----------  192.168.13.19

      FYI, box a has a1 LAN
           box b has b1 WAN, b2 LAN
           box c has c1 LAN, c2 WAN
           box d has d1 LAN

      The tunnel is up, and the routing tables from the 4 boxes are as below.

      box a:
      Routing tables

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      127.0.0.1          link#5            UH          0    5448    lo0
      172.16.0.0/24      link#2            U          0    6594    le1
      172.16.0.1        link#2            UHS        0        0    lo0
      172.16.13.0/24    172.16.0.2        UGS        0      37    le1
      192.168.56.0/24    link#1            U          0        1    le0
      192.168.56.101    link#1            UHS        0        0    lo0

      box b:
      Routing tables

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            172.16.0.1        UGS        0    3051    le0
      127.0.0.1          link#5            UH          0      97    lo0
      172.16.0.0/24      link#1            U          0        1    le0
      172.16.0.1        08:00:27:1f:a6:cb  UHS        0    6718    le0
      172.16.0.2        link#1            UHS        0        0    lo0
      172.16.10.1        link#7            UH          0        7 ovpnc1
      172.16.10.2        link#7            UHS        0        0    lo0
      172.16.13.0/24    172.16.10.1        UGS        0      30 ovpnc1
      192.168.13.0/27    link#2            U          0    3349    le1
      192.168.13.20      link#2            UHS        0        0    lo0

      box c:
      Routing tables

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            172.16.13.1        UGS        0        0    le1
      127.0.0.1          link#5            UH          0    4452    lo0
      172.16.0.0/24      172.16.10.2        UGS        0      11 ovpns1
      172.16.10.1        link#7            UHS        0        0    lo0
      172.16.10.2        link#7            UH          0        7 ovpns1
      172.16.13.0/24    link#2            U          0    2804    le1
      172.16.13.3        link#2            UHS        0        0    lo0
      192.168.13.0/27    link#1            U          0    2590    le0
      192.168.13.19      link#1            UHS        0        0    lo0

      box d:
      Routing tables

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      0.0.0.0/8          link#2            U          0        0    le1
      127.0.0.1          link#5            UH          0    5048    lo0
      172.16.0.0/24      172.16.13.3        UGS        0        7    le0
      172.16.13.0/24    link#1            U          0    3152    le0
      172.16.13.1        link#1            UHS        0        0    lo0

      Now time for some traceroutes. From box a, tracing the route to box d:

      [2.0-BETA5][admin@pfSense.localdomain]/root(3): traceroute 172.16.13.1
      traceroute to 172.16.13.1 (172.16.13.1), 64 hops max, 40 byte packets
      1  172.16.0.2 (172.16.0.2)  4.019 ms  9.434 ms  4.227 ms
      2  172.16.10.1 (172.16.10.1)  20.677 ms  12.546 ms  26.545 ms
      3  * * *
      4  * * *
      ^C
      [2.0-BETA5][admin@pfSense.localdomain]/root(4): traceroute 172.16.13.3
      traceroute to 172.16.13.3 (172.16.13.3), 64 hops max, 40 byte packets
      1  172.16.0.2 (172.16.0.2)  18.063 ms  15.014 ms  3.099 ms
      2  * * *
      3  * * *
      ^C

      Ping from box a:
      [2.0-BETA5][admin@pfSense.localdomain]/root(5): ping 172.16.13.3
      PING 172.16.13.3 (172.16.13.3): 56 data bytes
      64 bytes from 172.16.13.3: icmp_seq=0 ttl=63 time=12.455 ms
      ^C
      --- 172.16.13.3 ping statistics ---
      1 packets transmitted, 1 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 12.455/12.455/12.455/0.000 ms
      [2.0-BETA5][admin@pfSense.localdomain]/root(6): ping 172.16.13.1
      PING 172.16.13.1 (172.16.13.1): 56 data bytes
      ^C
      --- 172.16.13.1 ping statistics ---
      4 packets transmitted, 0 packets received, 100.0% packet loss

      And a traceroute from box d to a:

      [2.0-BETA5][admin@pfSense.localdomain]/root(6): traceroute 172.16.0.1
      traceroute to 172.16.0.1 (172.16.0.1), 64 hops max, 40 byte packets
      1  172.16.13.3 (172.16.13.3)  5.914 ms  4.803 ms  4.672 ms
      2  172.16.10.2 (172.16.10.2)  14.846 ms  12.389 ms  11.773 ms
      3  * * *
      4  * * *
      ^C
      [2.0-BETA5][admin@pfSense.localdomain]/root(7): traceroute 172.16.0.2
      traceroute to 172.16.0.2 (172.16.0.2), 64 hops max, 40 byte packets
      1  172.16.13.3 (172.16.13.3)  5.617 ms  7.013 ms  5.117 ms
      2  * * *
      3  * * *
      ^C

      Ping from box d:
      [2.0-BETA5][admin@pfSense.localdomain]/root(8): ping 172.16.0.2
      PING 172.16.0.2 (172.16.0.2): 56 data bytes
      64 bytes from 172.16.0.2: icmp_seq=0 ttl=63 time=12.179 ms
      64 bytes from 172.16.0.2: icmp_seq=1 ttl=63 time=12.879 ms
      ^C
      --- 172.16.0.2 ping statistics ---
      2 packets transmitted, 2 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 12.179/12.529/12.879/0.350 ms
      [2.0-BETA5][admin@pfSense.localdomain]/root(9): ping 172.16.0.1
      PING 172.16.0.1 (172.16.0.1): 56 data bytes
      ^C
      --- 172.16.0.1 ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss

      I have configured the firewalls (boxes b and c) on all interfaces to pass traffic from any to any, but still I cannot SSH/traceroute from a to d or vice versa.

      I am not sure how much (if any) can be deduced from these tests. I am willing to run more tests if directed properly, but I still cannot figure out what is going wrong in any of these boxes.

      However, I can ping box a from box c, or d from b, and it pings quite happily.

      Pointers/suggestions are highly appreciated.

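Added example (not code from the post, from pfSense or from Netgate): a Python walk over the four routing tables quoted above that does a longest-prefix lookup on each box, follows the next hop to whichever box owns that address, and compares the resulting hop list with the traceroutes the poster ran. Assumptions: the box names a, b, c, d and the tables are copied from the post (loopback rows omitted); a host route whose interface is lo0 is taken to be that box's own address, as FreeBSD's netstat shows it; `OBSERVED` is constructed from the two traceroute outputs above, with `None` for a `* * *` line.

```python
import ipaddress

# Routing tables as posted (constructed copies of the netstat -rn output in the
# post, loopback rows omitted), keyed by the poster's box names a, b, c, d.
TABLES = {
    "a": """
172.16.0.0/24    link#2             U    0  6594  le1
172.16.0.1       link#2             UHS  0     0  lo0
172.16.13.0/24   172.16.0.2         UGS  0    37  le1
192.168.56.0/24  link#1             U    0     1  le0
192.168.56.101   link#1             UHS  0     0  lo0
""",
    "b": """
default          172.16.0.1         UGS  0  3051  le0
172.16.0.0/24    link#1             U    0     1  le0
172.16.0.1       08:00:27:1f:a6:cb  UHS  0  6718  le0
172.16.0.2       link#1             UHS  0     0  lo0
172.16.10.1      link#7             UH   0     7  ovpnc1
172.16.10.2      link#7             UHS  0     0  lo0
172.16.13.0/24   172.16.10.1        UGS  0    30  ovpnc1
192.168.13.0/27  link#2             U    0  3349  le1
192.168.13.20    link#2             UHS  0     0  lo0
""",
    "c": """
default          172.16.13.1        UGS  0     0  le1
172.16.0.0/24    172.16.10.2        UGS  0    11  ovpns1
172.16.10.1      link#7             UHS  0     0  lo0
172.16.10.2      link#7             UH   0     7  ovpns1
172.16.13.0/24   link#2             U    0  2804  le1
172.16.13.3      link#2             UHS  0     0  lo0
192.168.13.0/27  link#1             U    0  2590  le0
192.168.13.19    link#1             UHS  0     0  lo0
""",
    "d": """
0.0.0.0/8        link#2             U    0     0  le1
172.16.0.0/24    172.16.13.3        UGS  0     7  le0
172.16.13.0/24   link#1             U    0  3152  le0
172.16.13.1      link#1             UHS  0     0  lo0
""",
}
# Hop addresses the poster's traceroutes reported; None is a "* * *" line.
OBSERVED = {
    ("a", "172.16.13.1"): ["172.16.0.2", "172.16.10.1", None, None],
    ("d", "172.16.0.1"): ["172.16.13.3", "172.16.10.2", None, None],
}


def parse_table(text):
    routes = []  # (network, gateway or None, flags, netif)
    for line in text.strip().splitlines():
        dest, gw, flags, _refs, _use, netif = line.split()[:6]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)  # a bare host becomes a /32
        try:
            gateway = ipaddress.ip_address(gw)  # next-hop router
        except ValueError:
            gateway = None  # link#N or a MAC: destination is on-link
        routes.append((net, gateway, flags, netif))
    return routes


BOXES = {name: parse_table(text) for name, text in TABLES.items()}

def local_addresses(routes):
    """Host routes via lo0 are the box's own interface addresses."""
    return {str(net.network_address) for net, _, _, netif in routes
            if netif == "lo0" and net.prefixlen == 32}

def owner_of(addr):
    """Name of the box that holds addr locally, or None."""
    return next((n for n, r in BOXES.items() if addr in local_addresses(r)), None)

def lookup(routes, dst):
    """Longest-prefix match; None when nothing (not even default) covers dst."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def expected_path(src, dst, max_hops=16):
    """Addresses each box forwards toward, plus how the walk ended."""
    hops, box = [], src
    for _ in range(max_hops):
        if dst in local_addresses(BOXES[box]):
            return hops, "delivered"
        route = lookup(BOXES[box], dst)
        if route is None:
            return hops, f"no route on box {box}"
        # Via a router: the gateway address; on-link: the destination itself.
        hops.append(str(route[1]) if route[1] is not None else dst)
        box = owner_of(hops[-1])
        if box is None:
            return hops, f"next hop {hops[-1]} is not on any box"
    return hops, "hop limit exceeded"

def break_point(expected, observed):
    """1-based number of the first expected hop that did not answer, else None."""
    for i, hop in enumerate(expected):
        if i >= len(observed) or observed[i] != hop:
            return i + 1
    return None
```

Run against the posted tables, `expected_path("a", "172.16.13.1")` gives `172.16.0.2 -> 172.16.10.1 -> 172.16.13.1` and `expected_path("d", "172.16.0.1")` gives `172.16.13.3 -> 172.16.10.2 -> 172.16.0.1`, both ending in `"delivered"`; `break_point` puts the first silent hop at number 3 in each direction. So every box has a route for the traffic in both directions and the walk agrees with the first two hops seen. What the tables cannot tell you is what the tunnel endpoints do with the packet after the lookup (filter rules, any NAT on the interface it leaves by) or whether the reply takes the same path back, which is why a packet capture on box c's le1 and box b's le0 while pinging is the natural next test: it shows whether the packet actually leaves toward the far LAN host and whether an answer comes back.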
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.