Routing and Ping issue



  • Dear Forum,

    I have a couple of problems and I am hoping that I perhaps overlooked something.  The following diagram details my present configuration.

    Hosts A, B, and C are now running pfSense 2.0.1-RELEASE (i386).
    Hosts D and E are running some version of the DD-WRT firmware that have clients for both pptp and OpenVPN networks.

    The Win7 computer is my main workstation.  I am presently using Host D to obtain connectivity to network 10.224.34.0/24 via pptp with Host B as the server.  This functionality does not seem possible with pfSense as Host D, but I want to get rid of pptp all together in either case.
    When I enabled the OpenVPN Server on Host B in either Remote Access (SSL/TLS) or Peer to Peer (SSL/TLS) mode; I cannot route traffic from the 10.111.79.0/24 onto 10.224.34.0/24.  For example, if I jump onto the Slack ware machine (10.111.79.64), I cannot ping Node100 (10.224.34.100).  On a site to site setup I am not able to ping from either machine to the other.  After much reading and exhaustive amount of Google searching, I found someone with a similar problem.  There is OpenVPN connectivity and one can ping from within the pfSense hosts onto each other’s tunnel end point IP, but pinging behind from the clients onto other clients on the remote network is impossible.  I e-mailed the individual and his response was that he had these issues because he was running IPsec and OpenVPN on the same host.  This gave me a clue as Host B is running a PPTP server.  So for the time being, I have decided not to use Host B for anything other than PPTP.  I would like to use Host B with just OpenVPN but I have to wait until I am certain I can migrate other networks not shown in my diagram to this infrastructure.

    For now, I have decided to use Host A as an OpenVPN Server as well.  Here is where my present problems begin.

    1.)   I cannot seem to figure out how to configure Host C as an OpenVPN Client to Host A and route traffic onto the 10.224.34.0/24 network for all gateway client devices of Host C.  I do not want to set this up as a site-to-site vpn.  This approach did work, but this is sort of a template for others who will be using the same approach and I do not want routes to their networks nor should I need to know anything about their local IP addressing scheme.  Incidentally, when I did have it working with a the site to site pki vpn, I was not able to ping 10.224.34.254

    2.) I was able to implement this feature for Hosts D and E with one minor problem.  Again I can connect to the 10.224.34.0/24 network, but I cannot ping host 10.224.34.254.  I am not certain as to why.  If I change the vpn type to a pptp on Host D or E, then everything works as expected.  If I ssh onto Node100, I am then able to ping and even ssh into 10.224.34.254.

    Using the CONFERENCEPC 10.224.33.55, I am able to ping and perform traceroutes to 10.224.34.1, 10.224.34.100 but not 10.224.34.254.

    C:\Windows\system32>TRACERT.EXE 10.224.34.1
    
    Tracing route to 10.224.34.1 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  CEARCONFERENCE [10.224.33.1]
      2     2 ms     1 ms     1 ms  10.224.34.1
    
    C:\Windows\system32>TRACERT.EXE 10.224.34.100
    
    Tracing route to 10.224.34.100 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  CEARCONFERENCE [10.224.33.1]
      2     2 ms     1 ms     1 ms  172.16.32.1
      3     2 ms     1 ms     1 ms  10.224.34.100
    
    C:\Windows\system32>TRACERT.EXE 10.224.34.254
    
    Tracing route to 10.224.34.254 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  CEARCONFERENCE [10.224.33.1]
      2     2 ms     1 ms     1 ms  172.16.32.1
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *     ^C
    
    

    3.)   Finally, I do have one question and please forgive my ignorance on this, but what are the advantages of adding user authentication along with PKI?

    Regards,

    Adan

    HOST A Firewall Rules


    HOST A OpenVPN Server Config

    HOST B Firewall Rules


    HOST C Firewall Rules


    HOST C OpenVPN Client Config

    HOST D OpenVPN Client Config



  • I have solved one issue.  To get Host C to route 10.224.34.0/24 over OpenVPN for the 10.111.79.0/24 network I had to go to make changes in the outbound tab (Firewall->NAT->Outbound).  I changed it to manual and added an OpenVPN rule.

    However the issue were I can not pint 10.224.34.254 from the 10.111.79.0/24 network remains.  I believe this is probably due to some pfsense setting on that particular box.  Although I am not sure what else to move since I have already removed  "Block private networks" (Interfaces->WAN).

    Another issue that has since developed, is that I am sometimes able to ping and sometimes not if I turn on an OpenVPN Server on HOST C.

    For Instance if I am on any of the the computers on 10.111.79.0/24 , I can ping 10.224.34.2, 10.224.34.100, 10.224.34.107, and 10.224.34.109.

    If I then go to (VPN->OpenVPN-Server) and I enable the server. I will sometimes lose pings to some of the 10.224.34.0/24 IPs , but it's not permanent.  Randomly, they some times work.  If I keep trying to ping them at different times some IPs will reply.  During this setup however I can still SSH into any of those machines.  Which means OpenVPN is still sort of working.  There is nothing special about my server config, I did use a different tunnel network, Diffrent CA and certificates.  This is my personal office network that I would sometimes like to access when I am somewhere else.





Locked