Slightly strange setup :: help/pointers appreciated

shamims

Hello all

I have earlier posted it in the IPSec forum, as I was trying to achieve the goals via IPSec. I have failed so far. Reading other posts in this forum I felt that OpenVPN might be a better choice for what I want. Below is a diagram of what I am trying to do.

the connection diagram would look like this

x.y.z.69
|
|a1
–----------------
| pfSense box 1 |
------------------
|a2 | 192.168.3.1
|
private network |
192.168.3.0/24 __|
|
|
| b1 | 192.168.3.2
------------------
| pfSense box 2 |
------------------
|b2 | 10.0.0.1
private network |
10.0.0.0/24 ___|

In simple terms, I need all traffic from 10.0.0.0 network to end up via a secured tunnel in the realIP land, with a NAT to the external world. people on 192 network should not be able to read packets verbatim from 10 network, neither the 10 network should be reading anything on the 192 network (the two network must remain isolated always).

However, there are two hosts in the 10 network that will need to be accessed by 192 network people, which i believe can be achived via 1:1 mapping.

What I tried to do for testing is like below

I have set up four virtual machines for testing, the diagram now goes like this

--------- 172.16.0.1 172.16.0.2 --------- 192.168.13.20
-----------| box a |---------------------------------| box b |---------|OPT1 10.2
--------- a1 b1 -------- b2 |
| OpenVPN tunnel
| using 172.16.10.0/27
--------- d1 c2 --------- c1 |
-----------| box d |---------------------------------| box c |---------| OPT1 10.1
--------- 172.16.13.1 172.16.13.3 -------- 192.168.13.19

FYI, box a has a1 LAN
box b has b1 wan, b2 lan
box c has c1 lan, c2 wan
box d has d1 lan

The tunnel is up, and the routing tables from the 4 boxes are like below

box a:
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
127.0.0.1 link#5 UH 0 5448 lo0
172.16.0.0/24 link#2 U 0 6594 le1
172.16.0.1 link#2 UHS 0 0 lo0
172.16.13.0/24 172.16.0.2 UGS 0 37 le1
192.168.56.0/24 link#1 U 0 1 le0
192.168.56.101 link#1 UHS 0 0 lo0

box b:
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 172.16.0.1 UGS 0 3051 le0
127.0.0.1 link#5 UH 0 97 lo0
172.16.0.0/24 link#1 U 0 1 le0
172.16.0.1 08:00:27:1f:a6:cb UHS 0 6718 le0
172.16.0.2 link#1 UHS 0 0 lo0
172.16.10.1 link#7 UH 0 7 ovpnc1
172.16.10.2 link#7 UHS 0 0 lo0
172.16.13.0/24 172.16.10.1 UGS 0 30 ovpnc1
192.168.13.0/27 link#2 U 0 3349 le1
192.168.13.20 link#2 UHS 0 0 lo0

box c:
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 172.16.13.1 UGS 0 0 le1
127.0.0.1 link#5 UH 0 4452 lo0
172.16.0.0/24 172.16.10.2 UGS 0 11 ovpns1
172.16.10.1 link#7 UHS 0 0 lo0
172.16.10.2 link#7 UH 0 7 ovpns1
172.16.13.0/24 link#2 U 0 2804 le1
172.16.13.3 link#2 UHS 0 0 lo0
192.168.13.0/27 link#1 U 0 2590 le0
192.168.13.19 link#1 UHS 0 0 lo0

box d:
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
0.0.0.0/8 link#2 U 0 0 le1
127.0.0.1 link#5 UH 0 5048 lo0
172.16.0.0/24 172.16.13.3 UGS 0 7 le0
172.16.13.0/24 link#1 U 0 3152 le0
172.16.13.1 link#1 UHS 0 0 lo0

Now time for some traceroute
from box a, tracing route to box d

[2.0-BETA5][admin@pfSense.localdomain]/root(3): traceroute 172.16.13.1
traceroute to 172.16.13.1 (172.16.13.1), 64 hops max, 40 byte packets
1 172.16.0.2 (172.16.0.2) 4.019 ms 9.434 ms 4.227 ms
2 172.16.10.1 (172.16.10.1) 20.677 ms 12.546 ms 26.545 ms
3 * * *
4 * * *
^C
[2.0-BETA5][admin@pfSense.localdomain]/root(4): traceroute 172.16.13.3
traceroute to 172.16.13.3 (172.16.13.3), 64 hops max, 40 byte packets
1 172.16.0.2 (172.16.0.2) 18.063 ms 15.014 ms 3.099 ms
2 * * *
3 * * *
^C

ping from box a
[2.0-BETA5][admin@pfSense.localdomain]/root(5): ping 172.16.13.3
PING 172.16.13.3 (172.16.13.3): 56 data bytes
64 bytes from 172.16.13.3: icmp_seq=0 ttl=63 time=12.455 ms
^C
–- 172.16.13.3 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.455/12.455/12.455/0.000 ms
[2.0-BETA5][admin@pfSense.localdomain]/root(6): ping 172.16.13.1
PING 172.16.13.1 (172.16.13.1): 56 data bytes
^C
–- 172.16.13.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

and a traceroute from box d to a

[2.0-BETA5][admin@pfSense.localdomain]/root(6): traceroute 172.16.0.1
traceroute to 172.16.0.1 (172.16.0.1), 64 hops max, 40 byte packets
1 172.16.13.3 (172.16.13.3) 5.914 ms 4.803 ms 4.672 ms
2 172.16.10.2 (172.16.10.2) 14.846 ms 12.389 ms 11.773 ms
3 * * *
4 * * *
^C
[2.0-BETA5][admin@pfSense.localdomain]/root(7): traceroute 172.16.0.2
traceroute to 172.16.0.2 (172.16.0.2), 64 hops max, 40 byte packets
1 172.16.13.3 (172.16.13.3) 5.617 ms 7.013 ms 5.117 ms
2 * * *
3 * * *
^C

ping from box d
[2.0-BETA5][admin@pfSense.localdomain]/root(8): ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2): 56 data bytes
64 bytes from 172.16.0.2: icmp_seq=0 ttl=63 time=12.179 ms
64 bytes from 172.16.0.2: icmp_seq=1 ttl=63 time=12.879 ms
^C
–- 172.16.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.179/12.529/12.879/0.350 ms
[2.0-BETA5][admin@pfSense.localdomain]/root(9): ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1): 56 data bytes
^C
–- 172.16.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

I have configured the firewalls (box b and c) on all interfaces to pass traffic from any to any, still I cannot ssh/traceroute from a to d or vice versa.

I am not sure how much (if any) can be deduced from this tests. I am willing to run more tests if directed properly. But still cannot figure out what is going wrong in any of these boxes.

however, I can ping box a from box c, or d from b, and it pings quite happily.

Pointers/suggestions are highly appreciated.