[SOLVED] OpenVPN site-to-site and Gateway Groups routing problem
  • SOLVED.

    On Office 1 add a rule BEFORE any failover rules:

    • LAN net * 192.168.130.0/24 * * none   Routing to vpn tunnel

    But maybe OpenVPN could add the rule automatically or warn the user to add it. Or create an alias for the OpenVPN networks to make configuration easier?

    ------------------------------------------------------

    I have a problem with OpenVPN routing.

    From Office 2 (192.168.130.0/24) I have full access to 192.168.28.0/24, and a traceroute from a Windows workstation is OK:

    1    <1 ms    <1 ms    <1 ms  pfsense-office.xx.local [192.168.130.254]
    2     3 ms     3 ms     3 ms  10.215.215.1
    3     3 ms     2 ms     3 ms  SERVER1 [192.168.28.5]

    From Office 1 (192.168.28.0/24) I can ping and traceroute from the firewall, but not from workstations. On the workstations the route is wrong: it goes to the internet, not to 10.215.215.0/24. If I change the rule on LAN to use the default gateway, the tunnel and the internet both work, but then how do I use failover gateway groups in combination with my OpenVPN tunnel? This worked for years in pfSense 1.2.x; am I missing something now?

    Here is my configuration:

    Rules on OpenVPN for Office 1 and Office 2:

    • none   Office VPN pass all

    Rules on LAN for Office 1:

    • LAN net * * * Wan2ToWan1 none   Failover rule

    Rules on LAN for Office 2:

    • LAN net * * * * none   Default allow LAN to any rule

    ----------
    Office 1
    LAN: 192.168.28.0/24
    WAN1: 11.11.11.11
    WAN2: 22.22.22.22

    OpenVPN Server:
    Server Mode: Peer to Peer (Shared key)
    Protocol: UDP
    Interface: Any
    Tunnel Network: 10.215.215.0/24
    Local Network: 192.168.28.0/24 (do I need this?)
    Remote Network: 192.168.130.0/24


    Office 2
    LAN: 192.168.130.0/24
    WAN: 22.22.22.22

    OpenVPN Client:
    Server Mode: Peer to Peer (Shared Key)
    Protocol: UDP
    Device mode: tun
    Interface: any
    Server host or address: 11.11.11.11
    Tunnel Network: 10.215.215.0/24
    Remote Network: 192.168.28.0/24
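The behaviour behind the SOLVED rule above can be reproduced in a small model of first-match rule evaluation. This is an added illustration, not code from the original post or from pfSense: a rule that names a gateway group (the Wan2ToWan1 failover rule) policy-routes every matching packet to that group and never consults the routing table, so the OpenVPN route for 192.168.130.0/24 is bypassed; a rule whose gateway is "none" (default) hands the packet to the routing table, where the tunnel route wins. The workstation address 192.168.28.50, the destination 203.0.113.9 and the Office 1 routing-table entries are constructed for the example.

```python
"""Toy model of first-match LAN rule evaluation versus the routing table.
Added example, not pfSense code. Rule fields mirror the post's rule table."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One pass rule on the LAN tab, in the order the rule table shows it."""
    source: str             # "192.168.28.0/24" stands for "LAN net"
    destination: str        # "any" stands for "*"
    gateway: Optional[str]  # None == "none"/default: use the routing table;
                            # a name == policy-route via that gateway or group
    description: str


# Office 1 routing table as constructed for this example: default route via
# WAN1, tunnel network and the OpenVPN remote network via the tunnel peer.
OFFICE1_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "WAN1 11.11.11.11 gateway"),
    ("10.215.215.0/24", "ovpns1 tunnel"),
    ("192.168.130.0/24", "10.215.215.1 via ovpns1"),
]


def _in_net(ip: str, network: str) -> bool:
    """Match an address against a rule field ("any" matches everything)."""
    if network == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def routing_table_lookup(dst_ip: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match, as the kernel routing table does it."""
    best_net = None
    best_hop = None
    for net, nexthop in routes:
        network = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst_ip) in network:
            if best_net is None or network.prefixlen > best_net.prefixlen:
                best_net, best_hop = network, nexthop
    return best_hop


def next_hop(src_ip: str, dst_ip: str, rules: List[Rule],
             routes: List[Tuple[str, str]]) -> Optional[str]:
    """First matching pass rule decides. A rule with a gateway policy-routes
    the packet there and skips the routing table; a rule with gateway None
    defers to the routing table. No match means the implicit deny."""
    for rule in rules:
        if _in_net(src_ip, rule.source) and _in_net(dst_ip, rule.destination):
            if rule.gateway is not None:
                return rule.gateway
            return routing_table_lookup(dst_ip, routes)
    return None


LAN_NET = "192.168.28.0/24"
WORKSTATION = "192.168.28.50"  # constructed Office 1 host
FAILOVER = Rule(LAN_NET, "any", "Wan2ToWan1", "Failover rule")
VPN_RULE = Rule(LAN_NET, "192.168.130.0/24", None, "Routing to vpn tunnel")


def office1_before_fix(dst_ip: str) -> Optional[str]:
    """Only the failover rule: everything is policy-routed to the WAN group."""
    return next_hop(WORKSTATION, dst_ip, [FAILOVER], OFFICE1_ROUTES)


def office1_after_fix(dst_ip: str) -> Optional[str]:
    """VPN rule placed BEFORE the failover rule, as in the SOLVED note."""
    return next_hop(WORKSTATION, dst_ip, [VPN_RULE, FAILOVER], OFFICE1_ROUTES)


def office1_fix_in_wrong_place(dst_ip: str) -> Optional[str]:
    """VPN rule placed after the failover rule: it is never reached."""
    return next_hop(WORKSTATION, dst_ip, [FAILOVER, VPN_RULE], OFFICE1_ROUTES)


if __name__ == "__main__":
    for label, fn in (("before fix", office1_before_fix),
                      ("after fix", office1_after_fix),
                      ("fix below failover", office1_fix_in_wrong_place)):
        print(f"{label:20} 192.168.130.10 -> {fn('192.168.130.10')}")
        print(f"{label:20} 203.0.113.9    -> {fn('203.0.113.9')}")
```

Running it shows the three cases side by side: with only the failover rule, traffic for the Office 2 LAN leaves via the Wan2ToWan1 group (the "goes to internet" symptom); with the VPN rule above it, that traffic follows the tunnel route while internet-bound traffic still uses the failover group; with the VPN rule placed below the failover rule, the first-match rule never fires, which is why the ordering in the SOLVED note matters.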

