Routing remote LAN w/pfsense as OVPN client?



    Hello,

    Can't quite figure this one out…  I was running an older 2.1 snap, updated today to the latest to rule out any old issues.  I have both OpenVPN server and client running on my box.  The server has been working great.  The client I just set up today, and I'm having trouble figuring out why the clients on the LAN behind my local pfsense cannot reach the subnet on the other end of the VPN.  I've got the route pushed and I can reach it fine from the pfsense CLI:

    
    sis0 = LAN
    xl0 = Primary WAN
    dc0 = Secondary WAN
    ovpns1 = ovpn server
    ovpns2 = ovpn client
    
    [2.1-BETA0][admin@gw.xxx.com]/root(7): netstat -nr
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            my wan1 IP       UGS         0    15963    xl0
    10.3.2.0/24        link#1             U           0    56536   sis0
    10.3.2.1           link#1             UHS         0        0    lo0
    10.3.3.0/24        10.3.3.2           UGS         0        0 ovpns1
    10.3.3.1           link#11            UHS         0        0    lo0
    10.3.3.2           link#11            UH          0        0 ovpns1
    10.77.66.0/24      10.99.99.5         UGS         0      216 ovpnc2  <<-- REMOTE LAN
    10.99.99.5         link#12            UH          0        0 ovpnc2  <<-- REMOTE OVPN GW
    10.99.99.6         link#12            UHS         0        0    lo0
    WAN1 subnet/29    link#3             U           0        0    xl0
    WAN1       link#3             UHS         0        0    lo0
    127.0.0.1          link#6             UH          0      119    lo0
    WAN2 subnet/24   link#2             U           0     7007    dc0
    WAN2    link#2             UHS         0        0    lo0
    

    And pinging the OVPN link IPs from pfsense shell:

    
    [2.1-BETA0][admin@gw.xxx.com]/root(8):  ping 10.99.99.5
    PING 10.99.99.5 (10.99.99.5): 56 data bytes
    64 bytes from 10.99.99.5: icmp_seq=0 ttl=64 time=19.943 ms
    64 bytes from 10.99.99.5: icmp_seq=1 ttl=64 time=27.085 ms
    64 bytes from 10.99.99.5: icmp_seq=2 ttl=64 time=17.750 ms
    ^C
    --- 10.99.99.5 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 17.750/21.593/27.085/3.986 ms
    [2.1-BETA0][admin@gw.xxx.com]/root(9): ping 10.99.99.6
    PING 10.99.99.6 (10.99.99.6): 56 data bytes
    64 bytes from 10.99.99.6: icmp_seq=0 ttl=64 time=0.464 ms
    64 bytes from 10.99.99.6: icmp_seq=1 ttl=64 time=0.197 ms
    ^C
    --- 10.99.99.6 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.197/0.331/0.464/0.133 ms
    
    

    And pinging the remote LAN from the pfsense shell:

    
    [2.1-BETA0][admin@gw.xxx.com]/root(10): ping obox
    PING obox.bway.net (10.77.66.50): 56 data bytes
    64 bytes from 10.77.66.50: icmp_seq=0 ttl=64 time=17.947 ms
    64 bytes from 10.77.66.50: icmp_seq=1 ttl=64 time=16.552 ms
    64 bytes from 10.77.66.50: icmp_seq=2 ttl=64 time=18.384 ms
    ^C
    --- obox.xxx.net ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 16.552/17.628/18.384/0.781 ms
    
    

    But I cannot reach any of those except for 10.99.99.6 (pfsense ovpn client link IP) from my local LAN or from the shell when pinging with the LAN IP:

    
    [2.1-BETA0][admin@gw.xxx.com]/root(11): ping -S 10.3.2.1 10.99.99.5
    PING 10.99.99.5 (10.99.99.5) from 10.3.2.1: 56 data bytes
    ^C
    --- 10.99.99.5 ping statistics ---
    5 packets transmitted, 0 packets received, 100.0% packet loss
    [2.1-BETA0][admin@gw.xxx.com]/root(12): ping -S 10.3.2.1 obox
    PING obox.bway.net (10.77.66.50) from 10.3.2.1: 56 data bytes
    ^C
    --- obox.xxx.net ping statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    
    

    I do have a failover WAN config, so I've tried a few things to no avail:

    -Added a rule to the LAN tab that says for destination net 10.77.66.0 to not use the floating gw but to use the system default, moved that rule above the existing rule pointing to the floating gw.
    -Added a NAT rule to disable NAT when 10.77.66.0 is the destination.

    What am I missing here?  The OVPN portion seems correct, something's just funky with routing or the firewall.  I see none of my traffic bound for 10.77.66.0 in the firewall deny logs…

    Help?
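The routing table quoted in the post already settles the forward path: the kernel has a route for 10.77.66.0/24 via 10.99.99.5 on ovpnc2, which is why pings from the box's own tunnel address work. As an added example (not code from the thread or from pfSense), here is a small Python parser for the FreeBSD-style `netstat -nr` output shown above, with a longest-prefix-match lookup that reproduces the kernel's route choice. The WAN entries the poster redacted are replaced with constructed placeholder addresses (203.0.113.x and 198.51.100.x); everything else mirrors the table in the post.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the poster's "netstat -nr" output. The redacted WAN
# lines are filled with documentation-range placeholder addresses so the
# columns parse; the tunnel and LAN routes are as shown in the post.
NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0    15963    xl0
10.3.2.0/24        link#1             U           0    56536   sis0
10.3.2.1           link#1             UHS         0        0    lo0
10.3.3.0/24        10.3.3.2           UGS         0        0 ovpns1
10.3.3.1           link#11            UHS         0        0    lo0
10.3.3.2           link#11            UH          0        0 ovpns1
10.77.66.0/24      10.99.99.5         UGS         0      216 ovpnc2
10.99.99.5         link#12            UH          0        0 ovpnc2
10.99.99.6         link#12            UHS         0        0    lo0
203.0.113.0/29     link#3             U           0        0    xl0
203.0.113.2        link#3             UHS         0        0    lo0
127.0.0.1          link#6             UH          0      119    lo0
198.51.100.0/24    link#2             U           0     7007    dc0
198.51.100.9       link#2             UHS         0        0    lo0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "link#N" for a directly connected route
    flags: str     # FreeBSD route flags (U=up, G=gateway, H=host, S=static)
    netif: str     # egress interface


def parse_netstat(text: str) -> list[Route]:
    """Parse the IPv4 section of FreeBSD/pfSense 'netstat -nr' into Route objects."""
    routes: list[Route] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Destination"):
            in_table = True          # column header: rows follow
            continue
        if line.startswith("Internet6"):
            break                    # stop at the IPv6 table if present
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 6:          # Expire column is optional; Netif is fixed
            continue
        dest, gateway, flags, netif = fields[0], fields[1], fields[2], fields[5]
        if dest == "default":
            network = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            # netstat prints host routes without a prefix length
            cidr = dest if "/" in dest else dest + "/32"
            network = ipaddress.IPv4Network(cidr, strict=False)
        routes.append(Route(network, gateway, flags, netif))
    return routes


def lookup(routes: list[Route], address: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose network contains the address."""
    ip = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def local_addresses(routes: list[Route]) -> set[str]:
    """Addresses the box itself owns: /32 host routes that point at lo0."""
    return {
        str(r.network.network_address)
        for r in routes
        if r.netif == "lo0" and r.network.prefixlen == 32
    }


if __name__ == "__main__":
    table = parse_netstat(NETSTAT_OUTPUT)
    print("local addresses:", sorted(local_addresses(table)))
    for dst in ("10.77.66.50", "10.99.99.5", "10.3.2.77", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:>12} -> {r.network} via {r.gateway} on {r.netif} [{r.flags}]")
```

What the table cannot tell you is the return path. The pattern in the post (pings from the tunnel address 10.99.99.6 succeed, pings sourced from the LAN address 10.3.2.1 get no reply, and nothing shows up in the local deny log) is what a reply that never makes it back looks like rather than a local forwarding problem: the remote OpenVPN end needs a route for 10.3.2.0/24 into the tunnel (and, on a server with more than one client, an `iroute` for this client), and local outbound NAT or a policy-routing rule that sends the source address or the reply out a different path produces the same symptom. The quickest check is to run the same `netstat -nr` on the far side and look for a 10.3.2.0/24 entry pointing at its tun interface.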

