Slightly strange setup :: help/pointers appreciated



    Hello all

    I posted this earlier in the IPSec forum, as I was trying to achieve the goals via IPSec. I have failed so far. Reading other posts in this forum I felt that OpenVPN might be a better choice for what I want. Below is a diagram of what I am trying to do.

    The connection diagram would look like this:

    x.y.z.69
                                                  |
                                                  |a1
                                      ------------------
                                      |  pfSense box 1  |
                                      ------------------
                                                  |a2  |  192.168.3.1
                                                  |
                        private network    |
                          192.168.3.0/24 __|
                                                |
                                                |
                                                | b1  |  192.168.3.2
                                      ------------------
                                      |  pfSense box 2  |
                                      ------------------
                                                |b2  |  10.0.0.1
                        private network  |
                          10.0.0.0/24  ___|

    In simple terms, I need all traffic from the 10.0.0.0 network to end up via a secured tunnel in the real-IP land, with a NAT to the external world. People on the 192 network should not be able to read packets verbatim from the 10 network, nor should the 10 network be reading anything on the 192 network (the two networks must remain isolated always).

    However, there are two hosts in the 10 network that will need to be accessed by 192 network people, which I believe can be achieved via 1:1 mapping.

    What I tried to do for testing is as below.

    I have set up four virtual machines for testing; the diagram now goes like this:

    ---------  172.16.0.1                172.16.0.2  ---------    192.168.13.20
    -----------|  box a  |---------------------------------|  box b  |---------|OPT1 10.2
                    ---------  a1                                      b1  --------  b2          |
                                                                                                              | OpenVPN tunnel
                                                                                                              | using 172.16.10.0/27
                    ---------  d1                                        c2 ---------  c1        |
    -----------|  box d  |---------------------------------|  box c  |---------| OPT1 10.1
                    ---------  172.16.13.1            172.16.13.3  --------    192.168.13.19

    FYI,  box a has a1 LAN
          box b has b1 WAN, b2 LAN
          box c has c1 LAN, c2 WAN
          box d has d1 LAN

    The tunnel is up, and the routing tables from the 4 boxes are as below:

    box a:
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    127.0.0.1          link#5            UH          0    5448    lo0
    172.16.0.0/24      link#2            U          0    6594    le1
    172.16.0.1        link#2            UHS        0        0    lo0
    172.16.13.0/24    172.16.0.2        UGS        0      37    le1
    192.168.56.0/24    link#1            U          0        1    le0
    192.168.56.101    link#1            UHS        0        0    lo0

    box b:
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            172.16.0.1        UGS        0    3051    le0
    127.0.0.1          link#5            UH          0      97    lo0
    172.16.0.0/24      link#1            U          0        1    le0
    172.16.0.1        08:00:27:1f:a6:cb  UHS        0    6718    le0
    172.16.0.2        link#1            UHS        0        0    lo0
    172.16.10.1        link#7            UH          0        7 ovpnc1
    172.16.10.2        link#7            UHS        0        0    lo0
    172.16.13.0/24    172.16.10.1        UGS        0      30 ovpnc1
    192.168.13.0/27    link#2            U          0    3349    le1
    192.168.13.20      link#2            UHS        0        0    lo0

    box c:
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            172.16.13.1        UGS        0        0    le1
    127.0.0.1          link#5            UH          0    4452    lo0
    172.16.0.0/24      172.16.10.2        UGS        0      11 ovpns1
    172.16.10.1        link#7            UHS        0        0    lo0
    172.16.10.2        link#7            UH          0        7 ovpns1
    172.16.13.0/24    link#2            U          0    2804    le1
    172.16.13.3        link#2            UHS        0        0    lo0
    192.168.13.0/27    link#1            U          0    2590    le0
    192.168.13.19      link#1            UHS        0        0    lo0

    box d:
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    0.0.0.0/8          link#2            U          0        0    le1
    127.0.0.1          link#5            UH          0    5048    lo0
    172.16.0.0/24      172.16.13.3        UGS        0        7    le0
    172.16.13.0/24    link#1            U          0    3152    le0
    172.16.13.1        link#1            UHS        0        0    lo0

    Now time for some traceroutes.
    From box a, tracing the route to box d:

    [2.0-BETA5][admin@pfSense.localdomain]/root(3): traceroute 172.16.13.1
    traceroute to 172.16.13.1 (172.16.13.1), 64 hops max, 40 byte packets
    1  172.16.0.2 (172.16.0.2)  4.019 ms  9.434 ms  4.227 ms
    2  172.16.10.1 (172.16.10.1)  20.677 ms  12.546 ms  26.545 ms
    3  * * *
    4  * * *
    ^C
    [2.0-BETA5][admin@pfSense.localdomain]/root(4): traceroute 172.16.13.3
    traceroute to 172.16.13.3 (172.16.13.3), 64 hops max, 40 byte packets
    1  172.16.0.2 (172.16.0.2)  18.063 ms  15.014 ms  3.099 ms
    2  * * *
    3  * * *
    ^C

    Ping from box a:
    [2.0-BETA5][admin@pfSense.localdomain]/root(5): ping 172.16.13.3
    PING 172.16.13.3 (172.16.13.3): 56 data bytes
    64 bytes from 172.16.13.3: icmp_seq=0 ttl=63 time=12.455 ms
    ^C
    --- 172.16.13.3 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 12.455/12.455/12.455/0.000 ms
    [2.0-BETA5][admin@pfSense.localdomain]/root(6): ping 172.16.13.1
    PING 172.16.13.1 (172.16.13.1): 56 data bytes
    ^C
    --- 172.16.13.1 ping statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss

    And a traceroute from box d to a:

    [2.0-BETA5][admin@pfSense.localdomain]/root(6): traceroute 172.16.0.1
    traceroute to 172.16.0.1 (172.16.0.1), 64 hops max, 40 byte packets
    1  172.16.13.3 (172.16.13.3)  5.914 ms  4.803 ms  4.672 ms
    2  172.16.10.2 (172.16.10.2)  14.846 ms  12.389 ms  11.773 ms
    3  * * *
    4  * * *
    ^C
    [2.0-BETA5][admin@pfSense.localdomain]/root(7): traceroute 172.16.0.2
    traceroute to 172.16.0.2 (172.16.0.2), 64 hops max, 40 byte packets
    1  172.16.13.3 (172.16.13.3)  5.617 ms  7.013 ms  5.117 ms
    2  * * *
    3  * * *
    ^C

    Ping from box d:
    [2.0-BETA5][admin@pfSense.localdomain]/root(8): ping 172.16.0.2
    PING 172.16.0.2 (172.16.0.2): 56 data bytes
    64 bytes from 172.16.0.2: icmp_seq=0 ttl=63 time=12.179 ms
    64 bytes from 172.16.0.2: icmp_seq=1 ttl=63 time=12.879 ms
    ^C
    --- 172.16.0.2 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 12.179/12.529/12.879/0.350 ms
    [2.0-BETA5][admin@pfSense.localdomain]/root(9): ping 172.16.0.1
    PING 172.16.0.1 (172.16.0.1): 56 data bytes
    ^C
    --- 172.16.0.1 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    I have configured the firewalls (boxes b and c) on all interfaces to pass traffic from any to any, but still I cannot ssh/traceroute from a to d or vice versa.

    I am not sure how much (if any) can be deduced from these tests. I am willing to run more tests if directed properly. But I still cannot figure out what is going wrong in any of these boxes.

    However, I can ping box a from box c, or d from b, and it pings quite happily.

    Pointers/suggestions are highly appreciated.
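As an added check (my own script, not from the post above), the four routing tables can be transcribed and walked hop by hop with longest-prefix matching to see whether plain kernel forwarding would carry a packet from box a to box d and the reply back; the tables as posted route both directions end to end, which suggests the drop sits in something the tables do not show (the firewall or the VPN daemon) rather than in a missing route. The `trace` and `lookup` helpers are assumptions of this example.

```python
import ipaddress

# Routing tables transcribed from the netstat output above: (destination, gateway, netif).
# A None gateway is a directly connected prefix ("link#N"); each box's own addresses
# (the UHS/lo0 entries) live in LOCAL so a next hop can be mapped back to a box.
TABLES = {
    "a": [("172.16.0.0/24", None, "le1"), ("172.16.13.0/24", "172.16.0.2", "le1"),
          ("192.168.56.0/24", None, "le0")],
    "b": [("0.0.0.0/0", "172.16.0.1", "le0"), ("172.16.0.0/24", None, "le0"),
          ("172.16.10.1/32", None, "ovpnc1"), ("172.16.13.0/24", "172.16.10.1", "ovpnc1"),
          ("192.168.13.0/27", None, "le1")],
    "c": [("0.0.0.0/0", "172.16.13.1", "le1"), ("172.16.0.0/24", "172.16.10.2", "ovpns1"),
          ("172.16.10.2/32", None, "ovpns1"), ("172.16.13.0/24", None, "le1"),
          ("192.168.13.0/27", None, "le0")],
    "d": [("0.0.0.0/8", None, "le1"), ("172.16.0.0/24", "172.16.13.3", "le0"),
          ("172.16.13.0/24", None, "le0")],
}
LOCAL = {box: {ipaddress.ip_address(a) for a in addrs} for box, addrs in {
    "a": ["172.16.0.1", "192.168.56.101"], "b": ["172.16.0.2", "172.16.10.2", "192.168.13.20"],
    "c": ["172.16.13.3", "172.16.10.1", "192.168.13.19"], "d": ["172.16.13.1"]}.items()}
ADDR_TO_BOX = {addr: box for box, addrs in LOCAL.items() for addr in addrs}

def lookup(box, dst):
    """Longest-prefix match in one box's table; returns (gateway, netif) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, gw, netif in TABLES[box]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return None if best is None else (best[1], best[2])

def trace(src_box, dst, max_hops=8):
    """Forward dst box by box starting at src_box; returns (path, verdict)."""
    dst, path, box = ipaddress.ip_address(dst), [src_box], src_box
    for _ in range(max_hops):
        if dst in LOCAL[box]:
            return path, "delivered"
        hit = lookup(box, dst)
        if hit is None:
            return path, "no route on " + box
        gw, netif = hit
        nexthop = dst if gw is None else ipaddress.ip_address(gw)  # connected vs. via gateway
        box = ADDR_TO_BOX.get(nexthop)
        if box is None:
            return path, "next hop %s via %s is not a box in the lab" % (nexthop, netif)
        path.append(box)
    return path, "hop limit exceeded (routing loop?)"
```

Running `trace("a", "172.16.13.1")` and `trace("d", "172.16.0.1")` yields the full a-b-c-d path and its reverse, both "delivered"; a destination with no matching prefix (say 10.0.0.5 from box a) reports "no route on a".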