Routing Setup

  • Trying to accomplish a strange setup for testing purposes. Here is what I have:

    2 pfSense boxes configured as a site-to-site OpenVPN (Shared Key, UDP) on our internal network. Off of these two boxes are two different LANs, as you would expect in a normal site-to-site VPN setup, so:
    1st Lan                    OpenVpn Server Side            Client Side OpenVPN                2nd Lan

    So the VPN connection is up and looks to be functioning correctly, but I'm unable to ping systems on the opposite LANs. I'm sure it's just a routing issue, but I'm not sure how to configure the paths since I'm brand spanking new to pfSense. I'm guessing I need to route all traffic from the 1st LAN to the OpenVPN connection and vice versa.

    Anyone think they can help or guide me in the right direction?

  • Did you set up a firewall rule in the OpenVPN tab?

  • On the client side or the server side? I have been trying a few different rules but have had no luck.

  • Can you ping the tunnel endpoints from both ends using the pfSense webGUI?

    Be sure to fill in the local and remote addresses on each site and then check if the correct routes are formed on each site:

    server side would need a route TO using as router
    client side would need a route  TO    using as router

    Also, a common problem is people forget to disable Windows Firewall on the clients, causing pings not to work ..... I'm just saying this in case everything is already fine but that small detail is overlooked ;)

  • I'm not able to ping the opposite OpenVPN interface from either side.

    Where would I enter the routing?

    1st Lan                    OpenVpn Server Side            Client Side OpenVPN                2nd Lan

    Looking at the tracer, it doesn't look like stuff is traveling across the tunnel.

    Firewall is disabled ;)

  • If you can't ping the tunnel endpoint and the tunnel network is the same on both ends ... then the tunnel is probably not UP.

    Check the OpenVPN logs to find out what goes wrong.

  • Jul 27 03:14:03 openvpn[10240]: Re-using pre-shared static key
    Jul 27 03:14:03 openvpn[10240]: Preserving previous TUN/TAP instance: ovpns1
    Jul 27 03:14:03 openvpn[10240]: Listening for incoming TCP connection on [AF_INET]
    Jul 27 03:14:25 openvpn[10240]: TCP connection established with [AF_INET]
    Jul 27 03:14:25 openvpn[10240]: TCPv4_SERVER link local (bound): [AF_INET]
    Jul 27 03:14:25 openvpn[10240]: TCPv4_SERVER link remote: [AF_INET]
    Jul 27 03:14:25 openvpn[10240]: Peer Connection Initiated with [AF_INET]
    Jul 27 03:14:27 openvpn[10240]: Initialization Sequence Completed

    Looks like it's up.

  • Can you post what rules you put in the OpenVPN tab in the firewall?

  • Here is how I have things set up currently. I've been playing around with different settings, so I'm sure things are fudged.


    Mode Shared Key
    Protocol TCP
    device mode tun
    interface wan
    port 443
    local network
    remote network


    Mode Shared Key
    Protocol TCP
    device mode tun
    interface wan
    Server address
    port 443
    Remote Network

  • My default router is not the pfSense box; I'm guessing this might be part of the issue as well.

  • In the VPN rule in firewalling, it will not be the WAN net. It is going to be the remote private subnet. I would do a source of any until you know the VPN config is sound.

  • @medicshelley:

    My default router is not the pfSense box; I'm guessing this might be part of the issue as well.

    It could be, so you would need to add a route to the remote subnet in your default router, pointing to the pfSense box.

  • Could I make the pfSense box the default router for those 10.87.3/100 LANs?

  • If the traffic doesn't have to go in another direction, yes.

  • I was just playing around and turned off the firewall completely. Once I did that, I was able to ping the opposite ends of the tunnel from both sides from the webGUI. I wasn't able to reach the local subnets on either end. So this just has to be a routing/rules issue.

  • So far that is what it sounds like ... but the rule you have is not correct either. WAN net is only the subnet that your WAN is on, and not the internet.

  • Also ... maybe ... perhaps ... do not use port 443; possibly the pfSense webGUI httpd is already bound to it.

  • I restarted and am now able to ping across to the other side's VPN tunnel and the front end of the other LAN from the webGUI, but am unable to ping from a station on those LANs.

  • Did you change the OpenVPN firewall allow rule on both sides? Try a reboot on both sides after that. Also check your routing on the remote site to make sure that is not an issue.

  • I'm rebooting on both ends now. Here are my current rules on both the server and client:

  • Your LAN rule is incorrect. Again, WAN address or WAN subnet is not the internet, nor either side of the tunnel. Change the source to be any to any on any port to start with. After you have made sure that the connection is working and the routing is correct, then you can limit your rules if you like. Just make sure that you are wary of what you are blocking, and please make use of aliases to help you create rules.

  • Thanks, by altering that rule I am now able to ping everything and anything on the LAN side.
