Routing remote LAN w/pfsense as OVPN client?
-
Hello,
Can't quite figure this one out… I was running an older 2.1 snap, updated today to the latest to rule out any old issues. I have both OpenVPN server and client running on my box. The server has been working great. The client I just set up today, and I'm having trouble figuring out why the clients on the LAN behind my local pfsense cannot reach the subnet on the other end of the vpn. I've got the route pushed and I can reach it fine from the pfsense cli:
sis0 = LAN
xl0 = Primary WAN
dc0 = Secondary WAN
ovpns1 = ovpn server
ovpns2 = ovpn client

[2.1-BETA0][admin@gw.xxx.com]/root(7): netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            my wan1 IP         UGS         0    15963    xl0
10.3.2.0/24        link#1             U           0    56536   sis0
10.3.2.1           link#1             UHS         0        0    lo0
10.3.3.0/24        10.3.3.2           UGS         0        0 ovpns1
10.3.3.1           link#11            UHS         0        0    lo0
10.3.3.2           link#11            UH          0        0 ovpns1
10.77.66.0/24      10.99.99.5         UGS         0      216 ovpnc2   <<-- REMOTE LAN
10.99.99.5         link#12            UH          0        0 ovpnc2   <<-- REMOTE OVPN GW
10.99.99.6         link#12            UHS         0        0    lo0
WAN1 subnet/29     link#3             U           0        0    xl0
WAN1               link#3             UHS         0        0    lo0
127.0.0.1          link#6             UH          0      119    lo0
WAN2 subnet/24     link#2             U           0     7007    dc0
WAN2               link#2             UHS         0        0    lo0
And pinging the OVPN link IPs from pfsense shell:
[2.1-BETA0][admin@gw.xxx.com]/root(8): ping 10.99.99.5
PING 10.99.99.5 (10.99.99.5): 56 data bytes
64 bytes from 10.99.99.5: icmp_seq=0 ttl=64 time=19.943 ms
64 bytes from 10.99.99.5: icmp_seq=1 ttl=64 time=27.085 ms
64 bytes from 10.99.99.5: icmp_seq=2 ttl=64 time=17.750 ms
^C
--- 10.99.99.5 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.750/21.593/27.085/3.986 ms

[2.1-BETA0][admin@gw.xxx.com]/root(9): ping 10.99.99.6
PING 10.99.99.6 (10.99.99.6): 56 data bytes
64 bytes from 10.99.99.6: icmp_seq=0 ttl=64 time=0.464 ms
64 bytes from 10.99.99.6: icmp_seq=1 ttl=64 time=0.197 ms
^C
--- 10.99.99.6 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.197/0.331/0.464/0.133 ms
And pinging the remote LAN from the pfsense shell:
[2.1-BETA0][admin@gw.xxx.com]/root(10): ping obox
PING obox.bway.net (10.77.66.50): 56 data bytes
64 bytes from 10.77.66.50: icmp_seq=0 ttl=64 time=17.947 ms
64 bytes from 10.77.66.50: icmp_seq=1 ttl=64 time=16.552 ms
64 bytes from 10.77.66.50: icmp_seq=2 ttl=64 time=18.384 ms
^C
--- obox.xxx.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 16.552/17.628/18.384/0.781 ms
But I cannot reach any of those except for 10.99.99.6 (pfsense ovpn client link IP) from my local LAN or from the shell when pinging with the LAN IP:
[2.1-BETA0][admin@gw.xxx.com]/root(11): ping -S 10.3.2.1 10.99.99.5
PING 10.99.99.5 (10.99.99.5) from 10.3.2.1: 56 data bytes
^C
--- 10.99.99.5 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

[2.1-BETA0][admin@gw.xxx.com]/root(12): ping -S 10.3.2.1 obox
PING obox.bway.net (10.77.66.50) from 10.3.2.1: 56 data bytes
^C
--- obox.xxx.net ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
I do have a failover WAN config, so I've tried a few things to no avail:
- Added a rule to the LAN tab that says for destination net 10.77.66.0 to not use the floating gw but to use the system default, and moved that rule above the existing rule pointing to the floating gw.
- Added a NAT rule to disable NAT when 10.77.66.0 is the destination.

What am I missing here? The OVPN portion seems correct, something's just funky with routing or the firewall. I see none of my traffic bound for 10.77.66.0 in the firewall deny logs…
Help?
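An added diagnostic, not part of the original post or of pfSense/OpenVPN: the symptom above (the tunnel link IP 10.99.99.6 is reachable from the far side, but anything sourced from the LAN address 10.3.2.1 gets no reply) is what asymmetric routing looks like, so it is worth checking both directions of the path with the same longest-prefix lookup the kernel performs. The script below parses BSD `netstat -nr` output, looks up the forward route in the local table quoted in the post, and then looks up the return route in the remote OpenVPN server's table. The post does not show the remote table, so `REMOTE_NETSTAT_ASSUMED` is a constructed, hypothetical example; the WAN gateways use documentation addresses (203.0.113.1, 198.51.100.1) in place of the redacted ones, and `parse_netstat`, `lookup`, `egress_if`, `missing_return_routes` and `diagnose` are this example's own names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_netstat(text: str) -> List[Route]:
    """Parse the Internet section of BSD 'netstat -nr' output.

    'default' becomes 0.0.0.0/0, a bare address becomes a /32 host route, and
    any line whose destination is not an address (column headers, redacted
    placeholders such as 'WAN1 subnet/29') is skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:  # Destination Gateway Flags Refs Use Netif [Expire]
            continue
        dest, gateway, flags, netif = parts[0], parts[1], parts[2], parts[5]
        try:
            if dest == "default":
                net = ipaddress.IPv4Network("0.0.0.0/0")
            elif "/" in dest:
                net = ipaddress.IPv4Network(dest, strict=False)
            else:
                net = ipaddress.IPv4Network(dest + "/32")
        except ValueError:
            continue
        routes.append(Route(net, gateway, flags, netif))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the same route selection the kernel makes."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def egress_if(routes: List[Route], dst: str) -> Optional[str]:
    """Interface a packet to dst would leave on, or None if there is no route."""
    r = lookup(routes, dst)
    return r.netif if r else None


def missing_return_routes(remote_routes, local_lans, tunnel_ifs):
    """Local LANs for which the remote end would NOT send replies back into the
    tunnel: either no covering route at all, or the best one leaves elsewhere."""
    missing = []
    for lan in local_lans:
        net = ipaddress.IPv4Network(lan)
        covering = [r for r in remote_routes if net.subnet_of(r.dest)]
        best = max(covering, key=lambda r: r.dest.prefixlen, default=None)
        if best is None or best.netif not in tunnel_ifs:
            missing.append(lan)
    return missing


# Constructed sample: the local pfSense table from the post, with the redacted
# default gateway replaced by a documentation address (the 'WAN1 subnet/29'
# style placeholders are left as the post shows them and are skipped).
LOCAL_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0    15963    xl0
10.3.2.0/24        link#1             U           0    56536   sis0
10.3.2.1           link#1             UHS         0        0    lo0
10.3.3.0/24        10.3.3.2           UGS         0        0 ovpns1
10.3.3.1           link#11            UHS         0        0    lo0
10.3.3.2           link#11            UH          0        0 ovpns1
10.77.66.0/24      10.99.99.5         UGS         0      216 ovpnc2
10.99.99.5         link#12            UH          0        0 ovpnc2
10.99.99.6         link#12            UHS         0        0    lo0
WAN1 subnet/29     link#3             U           0        0    xl0
WAN1               link#3             UHS         0        0    lo0
127.0.0.1          link#6             UH          0      119    lo0
"""

# ASSUMED sample of the remote OpenVPN server's table (not shown in the post):
# it knows the tunnel network but has no route for the local LAN 10.3.2.0/24.
REMOTE_NETSTAT_ASSUMED = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.1       UGS         0     1000    em0
10.77.66.0/24      link#2             U           0      500    em1
10.99.99.0/24      10.99.99.2         UGS         0       10 ovpns1
10.99.99.1         link#9             UHS         0        0    lo0
10.99.99.2         link#9             UH          0        0 ovpns1
"""


def diagnose():
    """Forward lookup on the local table, return lookups on the remote table."""
    local = parse_netstat(LOCAL_NETSTAT)
    remote = parse_netstat(REMOTE_NETSTAT_ASSUMED)
    return {
        "forward_if": egress_if(local, "10.77.66.50"),              # into the tunnel
        "reply_if_for_tunnel_ip": egress_if(remote, "10.99.99.6"),  # back into the tunnel
        "reply_if_for_lan_ip": egress_if(remote, "10.3.2.1"),       # out the remote WAN
        "lans_needing_remote_route": missing_return_routes(
            remote, ["10.3.2.0/24"], ("ovpns1",)),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run against the real tables from both ends (`netstat -nr` on each box), the check reports any local LAN whose replies the remote side would push out its default gateway instead of the tunnel; a LAN listed there needs a route on the remote end (and, for an OpenVPN server serving more than one client, the matching `iroute`) before traffic sourced from that LAN can get answers.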