Site to Site - Specific Route Failure



  • I have 3 locations and it's set up with OpenVPN, with a 'master' server and 2 'slave' clients.

    On the server, I have 2 WANs: the default one is a Comcast business line, the secondary is a local network (172.0.0.0).

    When the remote locations are connected to the server, all routes work except those destined for WAN2. This is specifically for LAN clients at the remote location. The firewall itself is able to tracert the route.

    For example…

    from pfSense (10.12.0.1) at a remote location:

    Traceroute output:

    1  10.0.100.1 (10.0.100.1)  22.633 ms  21.332 ms  21.835 ms
    2  * * *
    3  172.16.220.41 (172.16.220.41)  21.675 ms  25.604 ms  26.616 ms
    4  172.16.211.254 (172.16.211.254)  26.533 ms  26.575 ms  60.275 ms
    5  172.16.160.52 (172.16.160.52)  40.603 ms  26.258 ms  44.411 ms

    from the LAN connected to pfSense (10.12.0.1):

    Tracing route to 172.16.160.52 over a maximum of 30 hops

      1     4 ms    <1 ms    <1 ms  10.12.0.1
      2    23 ms    20 ms    21 ms  10.0.100.1
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.

    I'm not sure what is different between the router at the remote location and the LAN at the remote location.

    Thanks!



  • It's possible the traceroute on the pfSense does not really use the 10.12.0.0/x subnet, but is more likely using the 10.0.100.0/x subnet.

    
    from pfSense (10.12.0.1) at a remote location:
    
    Traceroute output:
    
     1  10.0.100.1 (10.0.100.1)  22.633 ms  21.332 ms  21.835 ms   <-- sourced from the tunnel address, not the LAN
     2  * * *
     3  172.16.220.41 (172.16.220.41)  21.675 ms  25.604 ms  26.616 ms
     4  172.16.211.254 (172.16.211.254)  26.533 ms  26.575 ms  60.275 ms
     5  172.16.160.52 (172.16.160.52)  40.603 ms  26.258 ms  44.411 ms
    

    Do you have a route TO the 10.12.0.0/x subnet via ovpn-x on the 'master' server?
    (You have to specify it in the OpenVPN advanced configuration and either push it from the client or set it on the master.)
    Do not use the built-in static routes menu in pfSense!

    kind regards.
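To make the reply's point concrete: a traceroute run on the remote pfSense box is sourced from its tunnel address (10.0.100.x), which the master already knows how to reach, while a LAN host sources from 10.12.0.x, which OpenVPN on the master has never been told about. The fragment below is an added illustration, not configuration from the thread, of what "a route TO 10.12.0.0/x via the tunnel, set in the OpenVPN config rather than the static routes menu" looks like in plain OpenVPN directives on the master. The /24 masks, the client-config-dir location and the client certificate CN `site-a` are assumptions; the thread only gives 10.12.0.0/x and 10.13.0.0/x.

```conf
# --- master (OpenVPN server) configuration, added example ---
# 'route' puts the remote LANs into the master's kernel routing table, pointing at
# the tun interface, so replies to 10.12.0.x / 10.13.0.x go back into the tunnel.
# Masks are assumed; the thread gives only 10.12.0.0/x and 10.13.0.0/x.
route 10.12.0.0 255.255.255.0
route 10.13.0.0 255.255.255.0

# 'iroute' tells the OpenVPN daemon itself which connected client owns each LAN.
# It can only live in a per-client file under client-config-dir, keyed by the
# client's certificate common name (path and CN are assumed here).
client-config-dir ccd

# --- file ccd/site-a (client whose LAN is 10.12.0.0/24) ---
# iroute 10.12.0.0 255.255.255.0

# --- file ccd/site-b (client whose LAN is 10.13.0.0/24) ---
# iroute 10.13.0.0 255.255.255.0
```

Both directives are needed: `route` without `iroute` gets the packet as far as the tun interface and OpenVPN then drops it because no client claims the destination, which is exactly the "firewall works, LAN behind it times out" symptom above. In pfSense these correspond to the server's Remote Networks field plus a Client Specific Override carrying the `iroute`, which is why the reply warns against the generic static routes menu: a static route does not add the `iroute` half.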



  • Thanks for the help!

    It has been resolved now, I needed to add outbound NAT for 10.12.0.0 and 10.13.0.0 on the master; works like a charm now. Luckily these easy fixes barely cost any time off commercial support.
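The fix the original poster landed on sidesteps return routing entirely: with outbound NAT on WAN2, packets from the remote LANs leave the master with the master's own WAN2 address, so the 172.x routers behind WAN2 never need a route back to 10.12.0.0 or 10.13.0.0 (they had one for the tunnel address already, which is why the firewall's own traceroute worked). The pf rule below is an added example of that NAT in pf syntax, not the poster's actual pfSense rule; the WAN2 interface name `em1`, the /24 masks and the 172.16.0.0/12 destination are assumptions.

```conf
# --- pf.conf on the master, added example (interface name and masks assumed) ---
# Translate traffic from the two remote LANs arriving over the tunnel as it
# leaves WAN2, using whatever address WAN2 currently holds ("(em1)").
nat on em1 from { 10.12.0.0/24, 10.13.0.0/24 } to 172.16.0.0/12 -> (em1)
```

To confirm the rule is loaded and actually matching, `pfctl -sn` lists the active NAT rules and `pfctl -ss | grep 10.12.0.` shows translated states while a LAN host is tracing. The trade-off is that hosts on the WAN2 side see every remote site as the master's WAN2 address, so per-site firewalling or logging on that network is lost; where that matters, the alternative is a static route for 10.12.0.0/x and 10.13.0.0/x on the WAN2 router pointing at the master's WAN2 address, with no NAT at all.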

