All traffic pfSense to Linuxbox FW



  • Hello All,
    In the office building we have a main firewall based on Linux (Fedora).
    In one of our branch offices we have pfSense.
    I have established an OpenVPN connection between them, but I have a problem with routing the traffic correctly.
    The goal is for all traffic from the pfSense LAN net 192.168.13.0/24 to be routed over OpenVPN through the main Fedora firewall.

    Here is the OpenVPN server config from the linuxbox:

    ca keys/ca.crt
    cert keys/xxxxxxxx.crt
    comp-lzo yes
    dev tun1
    dh /etc/openvpn/keys/dh1024.pem
    fast-io
    float
    crl-verify /etc/openvpn/keys/crl.pem
    keepalive 10 120
    key keys/xxxxxxx.key
    mlock
    mode server
    persist-key
    persist-tun
    port 1195
    tls-server
    local 95.95.95.91
    proto udp
    server 192.168.250.0 255.255.255.0
    status /var/log/openvpn-status-wh.log
    log-append  /var/log/openvpn-wh.log
    verb 1

    #Routes pushing to the client section

    push "route 192.168.0.0 255.255.255.0"
    push "route 192.168.252.0 255.255.255.0"
    push "route 192.168.253.0 255.255.255.0"
    push "redirect-gateway def1"
    push "dhcp-option DNS 192.168.0.5"

    When I use NAT to masquerade the whole traffic from 192.168.13.0/24 to the OpenVPN interface, the job is done. But I do not want to use NAT, just routing.

    I have attached the topology diagram.
    10x in advance :)



  • And what is in the pfSense client OpenVPN config? Anything to tell the server end that the tunnel to the client is the route back to 192.168.13.0/24?
    Perhaps you can just add that explicitly to the server:

    route 192.168.13.0 255.255.255.0
    


  • In the pfSense client config there is nothing, because I push routes from the server side (linuxbox) to the client (pfSense).

    I posted this in my first post. This is server config:

    
    .
    .
    .
    push "route 192.168.0.0 255.255.255.0"
    push "route 192.168.252.0 255.255.255.0"
    push "route 192.168.253.0 255.255.255.0"
    push "redirect-gateway def1"
    push "dhcp-option DNS 192.168.0.5"
    
    

    In the Linux config so many IP addresses have been created for OpenVPN that I don't know which one is the gateway for 192.168.0.13/24.

    ifconfig shows:

    tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.250.1  P-t-P:192.168.250.2  Mask:255.255.255.255

    netstat -rn shows:

    [root@fw ~]# netstat -rn
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
    192.168.250.2  0.0.0.0        255.255.255.255 UH        0 0          0 tun1
    192.168.0.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0
    192.168.250.0  192.168.250.2  255.255.255.0  UG        0 0          0 tun1
    192.168.252.0  0.0.0.0        255.255.255.0  U        0 0          0 eth2
    192.168.253.0  0.0.0.0        255.255.255.0  U        0 0          0 eth1
    0.0.0.0        x.x.x.x    0.0.0.0        UG        0 0          0 eth3



  • In your Linux-end OpenVPN server config, just add:

    route 192.168.13.0 255.255.255.0
    

    That should tell it that the link is a route to 192.168.13.0/24
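
    One caveat a practitioner would want here: the `route` line installs a kernel route for 192.168.13.0/24 into tun1, but with `mode server` OpenVPN also needs an `iroute 192.168.13.0 255.255.255.0` in that client's client-config-dir file so it knows which connected client owns the subnet; without it OpenVPN drops the packets. The check below is an added example, not from this thread or from OpenVPN; the client common name "pfsense-branch" and the constructed config text are assumptions.

```python
import re

# Constructed example: the thread's server config with the suggested route added
# and a client-config-dir declared (the path is an assumption).
SERVER_CONF = """\
mode server
server 192.168.250.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
route 192.168.13.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
"""

# Constructed CCD contents keyed by client common name (assumed name).
CCD_WITH_IROUTE = {"pfsense-branch": "iroute 192.168.13.0 255.255.255.0\n"}
CCD_EMPTY = {}

# Only bare "route"/"iroute" lines count; push "route ..." lines start with
# "push" and are therefore not matched, which is intended.
ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)", re.M)
IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)", re.M)


def routes(server_conf):
    """Kernel routes the server pushes into the tun device."""
    return {(net, mask) for net, mask in ROUTE_RE.findall(server_conf)}


def iroutes(ccd_files):
    """Subnets claimed by some client via iroute across all CCD files."""
    return {(net, mask)
            for text in ccd_files.values()
            for net, mask in IROUTE_RE.findall(text)}


def missing_iroutes(server_conf, ccd_files):
    """Return route entries that no CCD file claims with a matching iroute.
    In mode server such packets enter the tun but OpenVPN has no client to
    deliver them to, so the branch LAN stays unreachable without NAT."""
    return sorted(routes(server_conf) - iroutes(ccd_files))


if __name__ == "__main__":
    print("missing iroute for:", missing_iroutes(SERVER_CONF, CCD_EMPTY))
    print("with CCD file:", missing_iroutes(SERVER_CONF, CCD_WITH_IROUTE))
```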



  • 10x a lot,
    it was enough for me to understand :)

