Site to Site - Specific Route Failure
-
I have 3 locations and it's set up with OpenVPN with a 'master' server and 2 'slave' clients.
On the server I have 2 WANs: the default is a Comcast business line, the secondary is a local network (172.0.0.0).
When the remote locations are connected to the server, all routes work except those destined for WAN2. This is specifically for LAN clients at the remote location. The firewall is able to tracert the route.
For example…
From pfSense (10.12.0.1) at a remote location:
Traceroute output:
 1 10.0.100.1 (10.0.100.1) 22.633 ms 21.332 ms 21.835 ms
 2 * * *
 3 172.16.220.41 (172.16.220.41) 21.675 ms 25.604 ms 26.616 ms
 4 172.16.211.254 (172.16.211.254) 26.533 ms 26.575 ms 60.275 ms
 5 172.16.160.52 (172.16.160.52) 40.603 ms 26.258 ms 44.411 ms
From the LAN connected to pfSense (10.12.0.1):
Tracing route to 172.16.160.52 over a maximum of 30 hops
 1 4 ms <1 ms <1 ms 10.12.0.1
 2 23 ms 20 ms 21 ms 10.0.100.1
 3 * * * Request timed out.
 4 * * * Request timed out.
 5 * * * Request timed out.
I'm not sure what is different between the router at the remote location and the LAN at the remote location.
Thanks!
-
It's possible the traceroute on the pfSense does not really use the 10.12.0.0/x subnet … but is more likely using the 10.0.100.0/x subnet.
From pfSense (10.12.0.1) at a remote location, traceroute output:
 1 10.0.100.1 (10.0.100.1) 22.633 ms 21.332 ms 21.835 ms
 2 * * *
 3 172.16.220.41 (172.16.220.41) 21.675 ms 25.604 ms 26.616 ms
 4 172.16.211.254 (172.16.211.254) 26.533 ms 26.575 ms 60.275 ms
 5 172.16.160.52 (172.16.160.52) 40.603 ms 26.258 ms 44.411 ms
Do you have a route TO the 10.12.0.0/x subnet using ovpn-x on the 'master' server?
(You have to specify it in the OpenVPN advanced configuration and either push it from the client or set it on the master.)
Do not use the builtin static routes menu in pfSense!
Kind regards.
-
Thanks for the help!
It has been resolved now; I needed to add outbound NAT for 10.12.0.0 and 10.13.0.0 on the master, and it works like a charm now. Luckily these easy fixes barely cost any time off commercial support.
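As an added illustration (not configuration posted by anyone in this thread), the pieces from the second post (routes to the remote LANs carried by the OpenVPN server itself, not the static routes menu) and the final post (outbound NAT for the remote LANs on the master) look like this when written out as OpenVPN and pf fragments. The /24 masks, the tunnel network 10.0.100.0/24, the client certificate names site-b/site-c, the csc path and the interface name for WAN2 are all assumptions; the thread gives only the bare prefixes and the hop 10.0.100.1.

```conf
# ---- OpenVPN server config on the 'master' (pfSense builds this from the server
#      settings; these lines correspond to "IPv4 Remote network(s)" and the
#      "Custom options" box, which the second post calls the advanced configuration) ----
server 10.0.100.0 255.255.255.0          # tunnel network: assumed /24 from hop 10.0.100.1

# Kernel routes on the master that send each remote LAN into the tunnel interface.
# Putting them here (rather than System > Routing) lets OpenVPN own them and pair
# them with the iroute entries below.
route 10.12.0.0 255.255.255.0            # remote site behind client site-b (assumed mask)
route 10.13.0.0 255.255.255.0            # remote site behind client site-c (assumed mask)

# Client-specific overrides live in per-CN files under this directory (path assumed).
client-config-dir /var/etc/openvpn/server1/csc

# ---- csc/site-b  (pfSense: Client Specific Overrides, "IPv4 Remote Network/s") ----
# iroute tells OpenVPN which connected client owns 10.12.0.0/24; without it the
# kernel route above exists but OpenVPN cannot deliver the packets to a client.
iroute 10.12.0.0 255.255.255.0

# ---- csc/site-c ----
iroute 10.13.0.0 255.255.255.0

# ---- Outbound NAT on the master for traffic leaving WAN2 (pf rules as pfSense's
#      Firewall > NAT > Outbound generates them in Hybrid/Manual mode; $WAN2 is an
#      assumed interface macro) ----
# Without these, a packet from 10.12.0.x reaches the 172.16.x network with its
# original source address, and any host there with no route back to 10.12.0.0/24
# cannot answer, which matches the LAN-client trace timing out after 10.0.100.1.
nat on $WAN2 inet from 10.12.0.0/24 to any -> ($WAN2)
nat on $WAN2 inet from 10.13.0.0/24 to any -> ($WAN2)
```

Checking on the master: `netstat -rn` should list 10.12.0.0/24 and 10.13.0.0/24 via the ovpns interface, and `pfctl -sn` should show the two nat rules, before expecting LAN clients at the remote sites to reach WAN2 destinations.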