Communicate across different Gateways



  • Greetings,

    I'm new to these forums and have been working with pfSense real hard for the last 4 months. I have set up OpenVPN and it works great. I can ping by IP and I've set up DNS passthrough, which works. On my network I have a 2nd T1 connection that takes us to our main state HQ. The router is a Cisco and I have no control over it. It is necessary to have that router and connection because we access state applications over the T1.

    My idea was to create the OpenVPN to VPN into my LAN, and then with static routing, push traffic over the 2nd router to access the apps. However, I cannot get my OpenVPN client to talk to the other gateway or any machines using that gateway. Both gateways are on a /25 network. I have attached a somewhat crude drawing of the idea.

    Any help would be much appreciated. :D



  • You can use push route statements in the OpenVPN server on pfSense x.x.x.253/25 to tell the OpenVPN client about any networks that are reachable through the Cisco at x.x.x.129/25. You can add routes on the pfSense to those networks, through x.x.x.129/25. That will get the packets routed to their destination.
    If you have no access to changing the Cisco, then the following will be difficult:
    a) Telling the Cisco that it has a route to 10.2.3.0/24 through pfSense x.x.x.253/25
    b) Getting the Cisco to let packets through to/from 10.2.3.0/25 (if it is filtering stuff, and only allowing things with a source/destination of x.x.x.128/25 on/off your LAN)
    c) Telling any other routers behind the Cisco (at main state HQ), that the T1 link is a route to 10.2.3.0/25.



  • Thanks for the reply.

    I have the following in my advanced settings now: push "route 10.2.3.0 255.255.255.0". Would that then encompass what you're stating as far as the things that I can configure?



  • You need to push to the clients a route to the "needed applications" - e.g. if main state HQ is 10.20.0.0/16, then in the server's advanced settings:
    push "route 10.20.0.0 255.255.0.0"
    then the clients will know that the OpenVPN is the way to 10.20.0.0/16



  • I have pushed a route to our internal gateway that takes us to these applications. However, I still cannot ping that gateway or ping the server in our LAN that uses that gateway by default.



  • I am surprised that you cannot ping a server on your x.x.x.128/25 LAN from the OpenVPN client. That should all be just based on pfSense - except that it would depend on the server having pfSense as its gateway, so that it knows how to return the ping reply to the OpenVPN client.
    The Cisco at x.x.x.129/25 is going to need to know a route to your OpenVPN clients, otherwise it cannot send back the ping response. In a business environment, you are going to need to get the cooperation of those managing this network infrastructure so that they are aware that an OpenVPN server subnet is available at your site, and then they can route to/from it as part of the corporate intranet.
    Otherwise you have to think about using NAT from the OpenVPN onto your LAN x.x.x.128/25 so that the OpenVPN client traffic looks like it comes from the pfSense on your LAN. Then the rest of the intranet will know how to route back to it. I have never tried setting up anything like that.
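
    The two replies above (the push-route / static-route one, and this one about the Cisco's missing return route and NAT as a workaround) can be seen end to end in the following added example; it is not code from the thread or from pfSense. It models each router's table with longest-prefix matching and traces a ping from a VPN client to an HQ application (and to a LAN server that uses the Cisco as its default gateway), first as-is and then with the tunnel NAT'd onto pfSense's LAN address. The addresses are assumptions standing in for the thread's x.x.x.* placeholders: LAN 192.0.2.128/25 (RFC 5737 documentation space), pfSense 192.0.2.253, Cisco 192.0.2.129, an HQ router at 10.20.0.1, tunnel network 10.2.3.0/24 and HQ 10.20.0.0/16 as in the earlier reply; the pf interface name in `nat_rule` is also an assumption.

```python
"""Added example (not from the original posts): a routing-table model of the
thread's problem showing where a reply packet dies and why outbound NAT onto
the LAN fixes it.  All addresses are assumptions standing in for x.x.x.*."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

TUNNEL = Net("10.2.3.0/24")        # OpenVPN tunnel network (from the thread)
LAN = Net("192.0.2.128/25")        # the branch /25 (assumed, stands in for x.x.x.128/25)
HQ = Net("10.20.0.0/16")           # "main state HQ" (from the reply above)
PFSENSE = Addr("192.0.2.253")      # pfSense LAN address (assumed)
CISCO = Addr("192.0.2.129")        # Cisco LAN address (assumed)
HQ_ROUTER = Addr("10.20.0.1")      # a router behind the T1 at HQ (assumed)

Route = Tuple[Net, Optional[Addr]]  # (prefix, next hop); None = directly connected

# What each router knows.  Only pfSense is ours to change; the Cisco and the
# routers behind it never learn 10.2.3.0/24, which is the whole problem.
ROUTERS: Dict[str, List[Route]] = {
    "pfSense": [(TUNNEL, None), (LAN, None), (HQ, CISCO)],  # static route to HQ via the Cisco
    "Cisco": [(LAN, None), (HQ, HQ_ROUTER)],                 # branch LAN one side, T1 to HQ the other
    "HQ router": [(HQ, None), (LAN, CISCO)],                 # T1 known only as the way to the branch /25
}
ADDR_TO_ROUTER = {PFSENSE: "pfSense", CISCO: "Cisco", HQ_ROUTER: "HQ router"}


def push_routes(networks: List[str]) -> List[str]:
    """OpenVPN server directives telling clients that these prefixes live through the tunnel."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in map(Net, networks)]


def nat_rule(lan_if: str = "em1") -> str:
    """Hand-written pf equivalent of an outbound-NAT mapping for the tunnel onto the LAN
    (pfSense's GUI builds this mapping for you; the interface name is an assumption)."""
    return f"nat on {lan_if} from {TUNNEL} to any -> {PFSENSE}"


def lookup(router: str, dst: Addr) -> Optional[Route]:
    """Longest-prefix match in one router's table."""
    matches = [r for r in ROUTERS[router] if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(first_router: str, dst: Addr) -> Tuple[bool, List[str]]:
    """Forward hop by hop; returns (delivered?, routers visited).  Delivered means the
    packet reached a router that has the destination directly connected."""
    router, hops = first_router, [first_router]
    for _ in range(16):  # loop guard
        entry = lookup(router, dst)
        if entry is None:
            return False, hops             # no route at all: dropped here
        _, nexthop = entry
        if nexthop is None:
            return True, hops              # directly connected: delivered
        if nexthop not in ADDR_TO_ROUTER:
            return False, hops             # next hop outside the model
        router = ADDR_TO_ROUTER[nexthop]
        hops.append(router)
    return False, hops


def round_trip(client: str, server: str, reply_enters_at: str,
               nat_on_lan: bool) -> Dict[str, Tuple[bool, List[str]]]:
    """The client's packet enters at pfSense (the pushed route put it in the tunnel);
    the reply enters at the server's default gateway.  With NAT the server only ever
    sees pfSense's LAN address, so the reply needs nothing but a route to the /25."""
    c, s = Addr(client), Addr(server)
    forward = trace("pfSense", s)
    reply_ok, reply_hops = trace(reply_enters_at, PFSENSE if nat_on_lan else c)
    if reply_ok and nat_on_lan:
        # pfSense matches its NAT state, restores the 10.2.3.x address and hands it to the tunnel
        tun_ok, tun_hops = trace("pfSense", c)
        reply_ok, reply_hops = tun_ok, reply_hops + tun_hops
    return {"forward": forward, "reply": (reply_ok, reply_hops)}


if __name__ == "__main__":
    print("\n".join(push_routes(["10.20.0.0/16"])))  # the directive from the reply above
    print(nat_rule())
    scenarios = (("HQ application", "10.20.1.5", "HQ router"),
                 ("LAN server with the Cisco as gateway", "192.0.2.140", "Cisco"))
    for nat in (False, True):
        for label, server, gateway in scenarios:
            r = round_trip("10.2.3.6", server, gateway, nat)
            print(f"NAT={nat!s:5} {label}: forward {r['forward']} reply {r['reply']}")
```

Without NAT the forward path works (pfSense, Cisco, HQ router) but the reply is dropped at the first router that has no route for 10.2.3.0/24; the same happens at the Cisco for a LAN server that uses it as default gateway, which is exactly the symptom in the thread. With the tunnel NAT'd to 192.0.2.253 every reply is addressed to the branch /25, which all of those routers already know, and pfSense de-NATs it back into the tunnel.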



  • I'm not sure how to go about NATing the entire VPN network. I see different options in the outbound NAT rule created for OpenVPN. Should I start there?



  • I have no experience in making an OpenVPN connection be NAT'd on arriving into the local LAN. Someone who has some idea (or can say why it is not possible), please feel free to advise!

