Routing two/multiple subnets through tunnel



  • pfsense 1.2.3-RELEASE

    – NICs
    WAN 1.2.3.4
    LAN 172.18.128.1/24
    LAN_164 192.168.164.249/24

    – tunnel
    Address pool 172.18.251.0/24
    Local network 172.18.128.0/24

    I have successfully configured OpenVPN for remote client access.
    Remote access to LAN works for all IPs.

    Following that, I wanted to add remote access to LAN_164 IPs. So
    I added 'push "route 192.168.164.0 255.255.255.0"' to the global
    config. Here are the remote routes:

    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    172.18.251.5    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    172.18.251.1    172.18.251.5    255.255.255.255 UGH       0 0          0 tun0
    172.18.128.0    172.18.251.5    255.255.255.0   UG        0 0          0 tun0
    192.168.164.0   172.18.251.5    255.255.255.0   UG        0 0          0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

    However, on the remote I still cannot ping any of the IPs on LAN_164.

    On the server/lan side I can access LAN_164 from LAN without trouble. Here are the
    (relevant) routes on the server:

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    172.18.128.0/24    link#4             UC          0        0    em1
    172.18.251.0/24    172.18.251.2       UGS         0        0   tun0
    172.18.251.2       172.18.251.1       UH          1        0   tun0
    192.168.164.0/24   link#2             UC          0        0   fxp1

    I am clearly missing something. Any input would be appreciated. If I have been too brief
    in detail, please let me know.



  • Is this a private shared key tunnel?

    If yes: You cannot use pushes with such a setup.
    You need to add normal routes to the config on the server and the client
    (e.g. route 192.168.164.0 255.255.255.0)



  • The tunnel Auth method is PKI.



  • Do the devices in the 164 range have a default gateway other than the pfSense?
    Do you have the OpenVPN instance assigned as interface?
    If yes, might you have a rule not allowing access?

    The same on the remote side: Might you have a rule not allowing access?
    Do you see anything in the firewall log?
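As an added example (not from any post in this thread and not pfSense's generated configuration), here is how the two tunnel types discussed above carry the LAN_164 route in plain OpenVPN syntax: a PKI (TLS) server that pushes both subnets, and a static-key tunnel where the client must hold the routes itself because the server never sends a push. The certificate, key and secret file names, the port, the listening address and the client tun addresses are assumptions; the subnets and the 172.18.251.0/24 pool are the ones from the original post.

```conf
# ---- PKI / TLS server (the setup in this thread): routes are pushed ----
# Assumed file names; pfSense writes its own. Server side only, the client
# receives everything below via "push" once the TLS handshake completes.
port 1194
proto udp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh1024.pem
server 172.18.251.0 255.255.255.0            # tunnel address pool (from the post)
push "route 172.18.128.0 255.255.255.0"      # LAN, already working for the poster
push "route 192.168.164.0 255.255.255.0"     # LAN_164, the route added in the post
keepalive 10 60
persist-key
persist-tun

# ---- Static (shared-secret) key tunnel: "push" is silently ignored ----
# Server side. The LANs are directly connected to pfSense, so no "route"
# lines are needed here; a "route" would only be needed for a network
# sitting behind the client.
port 1194
proto udp
dev tun
ifconfig 172.18.251.1 172.18.251.2           # server tun address, client tun address (assumed)
secret static.key                            # assumed file name
keepalive 10 60

# Client side of the same static-key tunnel: the routes must be written
# here explicitly, exactly the point made in the first reply above.
remote 1.2.3.4 1194                          # pfSense WAN address from the post
proto udp
dev tun
ifconfig 172.18.251.2 172.18.251.1
secret static.key
route 172.18.128.0 255.255.255.0             # LAN
route 192.168.164.0 255.255.255.0            # LAN_164
keepalive 10 60
```

Two checks worth doing once the routes are present, matching the questions in the last reply: the forward path and the return path are separate. A route on the client (the tun0 entries in the poster's table) only gets packets to pfSense; the hosts in 192.168.164.0/24 must send their replies back to 172.18.251.x, which only happens if their default gateway is pfSense (192.168.164.249 here) or they hold a static route for 172.18.251.0/24. If the OpenVPN instance is assigned as an interface, a pass rule on that interface is also required, and a blocked echo request shows up in the firewall log before any routing problem does.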

