Netgate Discussion Forum

    Routing Setup

    Routing and Multi WAN
    22 Posts 3 Posters 5.0k Views
    medicshelley

      Trying to accomplish a strange setup for testing purposes. Here is what I have

      2 pfSense boxes configured as a site-to-site OpenVPN (Shared Key, UDP) on our internal network. Off of these two boxes are two different LANs, as you would expect in a normal site-to-site VPN setup, so:

      10.87.3.0/24-------10.87.2.1/24------------------10.87.2.2/24------------------10.87.100.0/24
      1st LAN            OpenVPN Server Side           Client Side OpenVPN           2nd LAN

      So the VPN connection is up and looks to be functioning correctly, but I'm unable to ping systems on the opposite LANs. I'm sure it's just a routing issue, but I'm not sure how to configure the paths since I'm brand spanking new to pfSense. I'm guessing I need to route all traffic from the 1st LAN to the OpenVPN connection and vice versa.

      Anyone think they can help or guide me in the right direction?

      podilarius

        Did you setup a firewall rule in the OpenVPN tab?

        medicshelley

          On the client side or the server side? I have been trying a few different rules and have had no luck.

          heper

            Can you ping the tunnel endpoints from both ends using the pfSense webgui (10.87.2.1/24------------------10.87.2.2/24)?

            Be sure to fill in the local and remote addresses on each site and then check if the correct routes are formed on each site:

            server side would need a route TO 10.87.100.0/24 using 10.87.2.2 as router
            client side would need a route TO 10.87.3.0/24 using 10.87.2.1 as router

            Also, a common problem is people forgetting to disable the Windows firewall on the clients, causing pings not to work ..... I'm just saying this in case everything is already fine but that small detail is overlooked ;)

            medicshelley

              I'm not able to ping the opposite OpenVPN interface from either side.

              Where would I enter the routing?

              WAN 10.3.1.145-------WAN 10.4.1.125
                                                      /
                                                    /
              10.87.3.0/24-------10.87.2.1/24------------------10.87.2.2/24------------------10.87.100.0/24
              1st LAN            OpenVPN Server Side           Client Side OpenVPN           2nd LAN

              Looking at the tracer, it doesn't look like stuff is traveling across the tunnel.

              Firewall is disabled ;)

              heper

                If you can't ping the tunnel endpoint and the tunnel network is the same on both ends .... then the tunnel is probably not UP.

                Check the OpenVPN logs to find out what goes wrong.

                medicshelley

                  Jul 27 03:14:03 openvpn[10240]: Re-using pre-shared static key
                  Jul 27 03:14:03 openvpn[10240]: Preserving previous TUN/TAP instance: ovpns1
                  Jul 27 03:14:03 openvpn[10240]: Listening for incoming TCP connection on [AF_INET]10.3.1.145:443
                  Jul 27 03:14:25 openvpn[10240]: TCP connection established with [AF_INET]10.4.1.125:22000
                  Jul 27 03:14:25 openvpn[10240]: TCPv4_SERVER link local (bound): [AF_INET]10.3.1.145:443
                  Jul 27 03:14:25 openvpn[10240]: TCPv4_SERVER link remote: [AF_INET]10.4.1.125:22000
                  Jul 27 03:14:25 openvpn[10240]: Peer Connection Initiated with [AF_INET]10.4.1.125:22000
                  Jul 27 03:14:27 openvpn[10240]: Initialization Sequence Completed

                  Looks like it's up.

                  podilarius

                    Can you post what rules you put in the OpenVPN tab in the firewall?

                    medicshelley

                      Here is how I have things set up currently. I've been playing around with different settings, so I'm sure things are fudged.

                      Server

                      Mode Shared Key
                      Protocol TCP
                      device mode tun
                      interface wan
                      port 443
                      tunnel 10.87.2.0/24
                      local network 10.87.3.0/24
                      remote network 10.87.100.0/24

                      Client

                      Mode Shared Key
                      Protocol TCP
                      device mode tun
                      interface wan
                      Server address 10.3.1.145
                      port 443
                      Tunnel 10.87.2.0/24
                      Remote Network 10.87.3.0/24
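As an added example (not from the thread or from pfSense itself), a Python checker that takes the routes heper described above (each side needs a route to the far LAN via the peer's tunnel address) and the Tunnel Network / Remote Network values from the posted config, and verifies them against a routing table dump. The dump is constructed in the column layout of FreeBSD `netstat -rn`; the interface names em0/em1 are assumptions, ovpns1 is the interface shown in the posted log.

```python
import ipaddress

# Constructed sample of an IPv4 routing table in the column layout that
# FreeBSD `netstat -rn` prints on pfSense, as the server side should look once
# the tunnel is up. Addresses come from the thread's diagram; the interface
# names em0/em1 and the exact layout are assumptions of this example.
SERVER_SIDE = """\
Destination        Gateway            Flags     Netif Expire
default            10.3.1.1           UGS         em0
10.3.1.0/24        link#1             U           em0
10.87.2.0/24       10.87.2.2          UGS      ovpns1
10.87.3.0/24       link#2             U           em1
10.87.100.0/24     10.87.2.2          UGS      ovpns1
"""

def parse_routes(table):
    """Map each destination to (gateway, netif); the first line is the header."""
    routes = {}
    for line in table.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4:
            routes[cols[0]] = (cols[1], cols[3])
    return routes

def check_side(routes, remote_lan, tunnel_net, peer_tunnel_ip, tun_if):
    """Return the problems that would stop this side from reaching remote_lan.

    remote_lan is the Remote Network field of this side's OpenVPN config,
    tunnel_net the Tunnel Network, peer_tunnel_ip the far end's tunnel address.
    """
    problems = []
    if ipaddress.ip_address(peer_tunnel_ip) not in ipaddress.ip_network(tunnel_net):
        problems.append(f"peer {peer_tunnel_ip} is outside tunnel network {tunnel_net}")
    route = routes.get(remote_lan)
    if route is None:
        problems.append(f"no route to {remote_lan}: check the Remote Network field")
    elif route[0] != peer_tunnel_ip:
        problems.append(f"{remote_lan} is routed via {route[0]}, expected {peer_tunnel_ip}")
    elif route[1] != tun_if:
        problems.append(f"{remote_lan} leaves via {route[1]}, not the tunnel {tun_if}")
    return problems

if __name__ == "__main__":
    # Server side per the posted config: tunnel 10.87.2.0/24, remote 10.87.100.0/24
    print(check_side(parse_routes(SERVER_SIDE), "10.87.100.0/24",
                     "10.87.2.0/24", "10.87.2.2", "ovpns1"))
```

Run the same check on the client side with remote_lan 10.87.3.0/24 and peer 10.87.2.1; an empty list on both sides means the routes heper described are in place, and anything left is a firewall rule or a host default-gateway issue.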


                        medicshelley

                          My default router is not the pfSense box; I'm guessing this might be part of the issue as well.

                          podilarius

                            In the VPN rule in firewalling, it will not be the WAN net. It is going to be the remote private subnet. I would do a source of any until you know the VPN config is sound.

                            podilarius

                            @medicshelley:

                              My default router is not the pfSense box; I'm guessing this might be part of the issue as well.

                              It could be, so you would need to add the route to the remote subnet in your default router, pointing to the pfSense box.

                              medicshelley

                                Could I make the default router the pfSense box for those 10.87.3/100 LANs?

                                podilarius

                                If the traffic doesn't have to go in another direction, yes.

                                  medicshelley

                                    I was just playing around and turned off the firewall completely. Once I did that, I was able to ping the opposite ends of the tunnel from both sides from the webgui. I wasn't able to reach the local subnets on either end. So this just has to be a routing/rules issue.

                                    podilarius

                                      So far that is what it sounds like ... but the rule you have is not correct either .. WAN net is only the subnet that your WAN is on and not the internet.

                                      heper

                                        Also ... maybe ... perhaps ... do not use port 443; possibly the pfSense webgui httpd is already bound to it.

                                        medicshelley

                                          I restarted and am now able to ping across to the other side's VPN tunnel and the front end of the other LAN from the webgui, but am unable to ping from a station on those LANs.

                                          podilarius

                                          Did you change the OpenVPN firewall allow rule on both sides? Try a reboot on both sides after that. Also check your routing on the remote site to make sure that is not an issue.

                                            medicshelley

                                              I'm rebooting on both ends now; here are my current rules on both the server and client.
