OpenVPN Dual LAN Issue



  • Hi

    Ok so I have our HQ site currently running 5 site-to-site VPNs and they work exactly as I want them to.
    I will explain how the network works before explaining my issue with the newly introduced site.

    We run a Mitel phone system at each site and they need to communicate to HQ on the Voice Lan.

    @HQ
    We have a Data LAN 10.4.1.0/24
    We have a Voice LAN 10.4.11.0/24

    @external site (1 of 5)
    Single Subnet 10.8.1.0/24 (Voice and Data, Mitel system talks over 10.4.11.0/24)

    So a standard way of setting up pfSense 1.2.2, which has been working great, is:

    HQ 10.4.1.0/24 ----> 192.178.2.0/24 (VPN) ----------- EXTERNAL SITE 10.8.1.0/24
    This gives access to the data LAN at HQ but not the voice LAN.
    I had previously, without issue, created a static route on the client:
    Interface: LAN
    Destination Network: 10.4.11.0/24
    Gateway: 192.178.2.1 (VPN Gateway)

    This would allow the single subnet at the remote site to communicate with both LANs at HQ.

    I now have a new site. I have recently upgraded HQ to 1.2.3, but the other remote sites are still on 1.2.2.

    The new remote site is on 1.2.3 and I have configured it in the same manner as above.
    However, I cannot get it to route anything over the voice network, and the firewall log (client side) shows the routes being blocked. When I create a rule in the firewall to allow this access and log it, it shows green as a pass, however there is still no traffic talking. Plus I've never set up any client firewall rules for a VPN previously, for obvious reasons.

    I don't really mind going back to 1.2.2, that is if it's really the issue. I've double-checked everything and made sure the modem is in bridge mode etc. There is nothing differing between the sites except the pfSense version.

    Any Ideas?



  • I have rebuilt the machine as a 1.2.2 box and still getting the same issue.

    Could someone please help? Remember this is working at 5 sites already…



  • Has nothing to do with versions. You really don't want to use static routes with OpenVPN, define the routes within the client connection instead, as remote network plus custom option "route 10.4.1.0 255.255.255.0" and similar where additional routes are needed. Should be effectively the same but eliminates any possible issues should IPs change or you get the gateway IP wrong.

    If that doesn't change anything, get packet captures along the way. Make sure it's hitting LAN on the remote end, and leaving the appropriate interface on the main end. See where it shows up and doesn't, and troubleshoot from there.
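    What "define the routes within the client connection" looks like in OpenVPN directive form, as an added example (not from the thread or from pfSense itself), using the subnets given above: HQ data 10.4.1.0/24, HQ voice 10.4.11.0/24, remote site 10.8.1.0/24, tunnel 192.178.2.0/24. The shared-key paths, the port and the HQ hostname are assumptions; in pfSense 1.2.x the "remote network" field and the custom options box generate the equivalent `route` lines.

```conf
# Added example, not the thread's or pfSense's own config. Two separate files
# shown together: one per end of the site-to-site tunnel. Shared-key mode,
# which is what pfSense 1.2.x site-to-site OpenVPN uses.

# ----- HQ side (server), e.g. /var/etc/openvpn_server1.conf (assumed path) -----
dev tun
proto udp
port 1194                                   # assumed port
ifconfig 192.178.2.1 192.178.2.2            # HQ end of the tunnel, then remote end
secret /var/etc/openvpn_server1.secret      # assumed key path
# Install the kernel route for the remote site's single subnet when the tunnel comes up.
route 10.8.1.0 255.255.255.0
keepalive 10 60

# ----- remote site (client), e.g. /var/etc/openvpn_client1.conf (assumed path) -----
dev tun
proto udp
remote hq.example.net 1194                  # placeholder HQ address
ifconfig 192.178.2.2 192.178.2.1            # remote end of the tunnel, then HQ end
secret /var/etc/openvpn_client1.secret      # assumed key path
# "remote network" field -> HQ data LAN; custom option -> HQ voice LAN.
# Both are installed by OpenVPN itself, so no LAN static route pointing at
# 192.178.2.1 is needed and nothing breaks if the tunnel addressing changes.
route 10.4.1.0 255.255.255.0
route 10.4.11.0 255.255.255.0
keepalive 10 60
```

These directives only install kernel routes: the HQ firewall still needs rules on the OpenVPN interface passing 10.8.1.0/24 to both HQ subnets, and hosts on 10.4.11.0/24 need a return path to 10.8.1.0/24 (pfSense as their default gateway, or a route to it).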



    I have done the static routes for all the other sites without issue.
    However, I even tried using route in the custom options and the route table was correct, but it was still failing..

    I did figure out the issue though.
    Realtek network card. After days and days of configuring, testing and going crazy I decided to try a Broadcom card and it's all working…

    I normally build pfSense in virtual machines, so I overlooked the hardware issue.



  • huh, it's probably one of the ones with broken hardware checksum offloading under some circumstances. Disabling that under System>Advanced would possibly resolve it, but you're vastly better off with the Broadcom NIC anyway.  ;D

