All traffic pfSense to Linuxbox FW

atanas.manoilov

Hello All,
In the office building we have main firewall based on linux fedora.
In one of our branch offices we have pfSense.
I have established OpenVPN connection between them but I have problem with routing the traffic correctly.
The goal is all traffic from pfSense LAN net 192.168.13.0/24 to be routed over OpenVPN trough main Fedora firewall.

Here is OpenVPN server config from linuxbox

ca keys/ca.crt
cert keys/xxxxxxxx.crt
comp-lzo yes
dev tun1
dh /etc/openvpn/keys/dh1024.pem
fast-io
float
crl-verify /etc/openvpn/keys/crl.pem
keepalive 10 120
key keys/xxxxxxx.key
mlock
mode server
persist-key
persist-tun
port 1195
tls-server
local 95.95.95.91
proto udp
server 192.168.250.0 255.255.255.0
status /var/log/openvpn-status-wh.log
log-append  /var/log/openvpn-wh.log
verb 1

#Routes pushing to the client section

push "route 192.168.0.0 255.255.255.0"
push "route 192.168.252.0 255.255.255.0"
push "route 192.168.253.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.5"

When I use NAT to masquerade whole traffic from 192.168.13.0/24 to OpenVPN interface. The job is done. But I want not to use NAT, just routing.

I have attached the topology diagram.
10x in advance :)

phil.davis

and what is in the pfSense client OpenVPN config? Anything to tell the server end that the tunnel to the client is the route back to 192.168.13.0/24?
perhaps you can just add that explicitly to the server:

route 192.168.13.0 255.255.255.0

atanas.manoilov

In the pfSense client config there is nothing, because I push routes from server side (linuxbox) to client (pfSense),

I posted this in my first post. This is server config:

.
.
.
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.252.0 255.255.255.0"
push "route 192.168.253.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.5"

In the linux config there have been created so many IP addresses for OpenVPN so I don't know which is the gateway for 192.168.0.13/24

ifconfig tells:

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.250.1  P-t-P:192.168.250.2  Mask:255.255.255.255

netstat -rn tells:

[8:12:42 PM] Atanas Manoilov HDS: [root@fw ~]# netstat -rn
Kernel IP routing table
Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
192.168.250.2  0.0.0.0        255.255.255.255 UH        0 0          0 tun1
192.168.0.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0
192.168.250.0  192.168.250.2  255.255.255.0  UG        0 0          0 tun1
192.168.252.0  0.0.0.0        255.255.255.0  U        0 0          0 eth2
192.168.253.0  0.0.0.0        255.255.255.0  U        0 0          0 eth1
0.0.0.0        x.x.x.x    0.0.0.0        UG        0 0          0 eth3

phil.davis

In you Linux end OpenVPN server config, just add:

route 192.168.13.0 255.255.255.0

That should tell it that the link is a route to 192.168.13.0/24

atanas.manoilov

10x a lot,
it was enough for me to understand :)