Using 2nd pfsense box for openvpn behind pfsense gw



  • Currently I have a pfSense 2.0 box acting as GW.
    To offload this GW, I want to use a second pfSense box behind this one to act as the OpenVPN server.

    On the GW:

    • WAN: public IP + 2nd IP via proxy ARP
    • LAN: 192.168.10.254/24 + IP alias for 192.168.100.254/24

    Normal LAN machines are running in 192.168.10.254.

    The second pfSense is currently configured as:

    • WAN: 192.168.100.253/24
    • LAN: 192.168.10.153 (so I can access its interface via the normal LAN)

    The 2nd public IP is 1:1 NATed to the second pfSense box.

    I can connect from outside via SSH on the 2nd public IP and work from there.

    I need OpenVPN to function on the second pfSense, reachable via the 2nd public IP.
    The VPN is currently running on the first GW, and this works OK.
    When trying to connect to the OpenVPN server on the 2nd box, I can see the client and server trying to establish a connection, but failing on timeouts. It seems that traffic from the VPN server does not reach the client.

    Any help/pointers would be great.



  • Might be an issue with NAT & UDP OpenVPN tunnels; have you tried running OpenVPN on TCP to see if this resolves it?

    If not, please supply more info (server configs, traceroutes, packet captures, …).



  • You're creating routing complications doing that. In almost all cases there isn't a requirement to offload such functionality, and it's best left on your main firewall to avoid the routing complications inherent in the type of setup you're attempting.

    You can, by adding an appropriate static route on the box that's the default gateway of the network, and checking the option to bypass filtering for static route networks under System > Advanced. It just sounds like you don't really need to do that and are probably best served not doing so.
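
    The routing problem cmb is pointing at can be traced by hand. The script below is an added illustration, not code from the thread or from pfSense: it models the three routing tables involved (a LAN host, the primary GW, the second pfSense) with a longest-prefix-match lookup and follows the reply a LAN machine sends back to a VPN client. The GW LAN address 192.168.10.254 and the second box's LAN address 192.168.10.153 come from the thread; the tunnel network 10.8.0.0/24, the LAN host 192.168.10.50, the VPN client 10.8.0.6 and the upstream hop name "isp" are assumptions for the example.

```python
import ipaddress

# From the thread: GW LAN 192.168.10.254, second pfSense LAN 192.168.10.153.
# Assumed for this example (not stated in the thread): the OpenVPN tunnel
# network, a LAN host, a VPN client and the name of the GW's upstream hop.
TUNNEL_NET = "10.8.0.0/24"
SECOND_PFSENSE_LAN = "192.168.10.153"
PRIMARY_GW_LAN = "192.168.10.254"


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop, iface) tuples.

    next_hop None means the destination is directly connected on iface.
    Returns the matching (network, next_hop, iface) tuple, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    return best


def gw_routes(with_static_route):
    """Routing table of the primary pfSense, with or without cmb's static route."""
    routes = [
        ("0.0.0.0/0", "isp", "wan"),           # default route towards the ISP
        ("192.168.10.0/24", None, "lan"),      # LAN subnet
        ("192.168.100.0/24", None, "lan"),     # IP alias subnet on the same LAN NIC
    ]
    if with_static_route:
        # The static route: the tunnel network is reachable via the second box.
        routes.append((TUNNEL_NET, SECOND_PFSENSE_LAN, "lan"))
    return routes


# A normal LAN machine only knows its own subnet and the primary GW as default.
LAN_HOST_ROUTES = [
    ("192.168.10.0/24", None, "em0"),
    ("0.0.0.0/0", PRIMARY_GW_LAN, "em0"),
]


def reply_path(with_static_route, lan_host="192.168.10.50", vpn_client="10.8.0.6"):
    """Hops taken by a reply from a LAN host back to a VPN client (addresses assumed)."""
    path = [lan_host]
    _, next_hop, iface = lookup(LAN_HOST_ROUTES, vpn_client)
    path.append(f"primary gw {next_hop} (via {iface})")
    _, next_hop, iface = lookup(gw_routes(with_static_route), vpn_client)
    if next_hop == SECOND_PFSENSE_LAN:
        path.append(f"second pfsense {next_hop} (via {iface})")
        path.append("delivered over tunnel")
    else:
        # The GW has no idea the tunnel exists and pushes the reply upstream.
        path.append(f"sent out {iface} -> {next_hop} (tunnel net unknown to gw)")
    return path


def hairpins_on_gw_lan(with_static_route, vpn_client="10.8.0.6"):
    """True when the reply enters and leaves the GW on the same LAN interface.

    That hairpin is why the "bypass firewall rules for traffic on the same
    interface" option cmb mentions matters: the GW never saw the tunnel's
    outbound packets, so it holds no state for the reply it is now forwarding."""
    _, _, out_iface = lookup(gw_routes(with_static_route), vpn_client)
    return out_iface == "lan"


if __name__ == "__main__":
    for static in (False, True):
        print(f"static route on gw: {static}")
        print("  " + " -> ".join(reply_path(static)))
        print(f"  hairpin on gw LAN: {hairpins_on_gw_lan(static)}")
```

    Running it shows the two outcomes side by side: without the static route the GW's only match for 10.8.0.6 is its default route, so the reply leaves on WAN and never reaches the second box; with the route the GW forwards it back out its LAN interface to 192.168.10.153, and that same-interface forwarding is what the bypass option has to let through.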



  • Following cmb's remark, we put the VPN on the primary pfSense box (and upgraded its hardware a bit).

