Netgate Discussion Forum

    All traffic pfSense to Linuxbox FW

    Category: OpenVPN
    5 Posts 2 Posters 1.5k Views

      atanas.manoilov

      Hello All,
      In the office building we have a main firewall based on Linux Fedora.
      In one of our branch offices we have pfSense.
      I have established an OpenVPN connection between them, but I have a problem with routing the traffic correctly.
      The goal is for all traffic from the pfSense LAN net 192.168.13.0/24 to be routed over OpenVPN through the main Fedora firewall.

      Here is the OpenVPN server config from the linuxbox:

      ca keys/ca.crt
      cert keys/xxxxxxxx.crt
      comp-lzo yes
      dev tun1
      dh /etc/openvpn/keys/dh1024.pem
      fast-io
      float
      crl-verify /etc/openvpn/keys/crl.pem
      keepalive 10 120
      key keys/xxxxxxx.key
      mlock
      mode server
      persist-key
      persist-tun
      port 1195
      tls-server
      local 95.95.95.91
      proto udp
      server 192.168.250.0 255.255.255.0
      status /var/log/openvpn-status-wh.log
      log-append  /var/log/openvpn-wh.log
      verb 1

      #Routes pushing to the client section

      push "route 192.168.0.0 255.255.255.0"
      push "route 192.168.252.0 255.255.255.0"
      push "route 192.168.253.0 255.255.255.0"
      push "redirect-gateway def1"
      push "dhcp-option DNS 192.168.0.5"

      When I use NAT to masquerade the whole traffic from 192.168.13.0/24 to the OpenVPN interface, the job is done. But I don't want to use NAT, just routing.

      I have attached the topology diagram (topology.jpg).
      10x in advance :)

        phil.davis

        And what is in the pfSense client OpenVPN config? Anything to tell the server end that the tunnel to the client is the route back to 192.168.13.0/24?
        Perhaps you can just add that explicitly to the server:

        route 192.168.13.0 255.255.255.0
        

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          atanas.manoilov

          In the pfSense client config there is nothing, because I push routes from the server side (linuxbox) to the client (pfSense).

          I posted this in my first post. This is the server config:

          
          ...
          push "route 192.168.0.0 255.255.255.0"
          push "route 192.168.252.0 255.255.255.0"
          push "route 192.168.253.0 255.255.255.0"
          push "redirect-gateway def1"
          push "dhcp-option DNS 192.168.0.5"
          
          

          In the Linux config there have been created so many IP addresses for OpenVPN that I don't know which is the gateway for 192.168.0.13/24.

          ifconfig shows:

          tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
                    inet addr:192.168.250.1  P-t-P:192.168.250.2  Mask:255.255.255.255

          netstat -rn shows:

          [root@fw ~]# netstat -rn
          Kernel IP routing table
          Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
          192.168.250.2  0.0.0.0        255.255.255.255 UH        0 0          0 tun1
          192.168.0.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0
          192.168.250.0  192.168.250.2  255.255.255.0  UG        0 0          0 tun1
          192.168.252.0  0.0.0.0        255.255.255.0  U        0 0          0 eth2
          192.168.253.0  0.0.0.0        255.255.255.0  U        0 0          0 eth1
          0.0.0.0        x.x.x.x    0.0.0.0        UG        0 0          0 eth3

            phil.davis

            In your Linux-end OpenVPN server config, just add:

            route 192.168.13.0 255.255.255.0
            

            That should tell it that the link is a route to 192.168.13.0/24.


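The suggestion above, filled out into the complete server-side pieces needed for routed (non-NAT) access to the branch LAN. This is an added example, not config from the thread or from Netgate; the directory /etc/openvpn/ccd and the client certificate CN "branch-pfsense" are assumptions, while the subnet and interface come from the posts. A `route` line alone only installs the kernel route into tun1; because the server uses `mode server`, OpenVPN also has to learn which connected client owns 192.168.13.0/24, which is what `iroute` in a per-client file does. Without it the server logs "MULTI: bad source address from client" and drops every packet the branch LAN sends.

```conf
# Added example (not from the thread): server-side pieces for routing,
# rather than masquerading, the pfSense LAN 192.168.13.0/24 over tun1.
# Assumed: ccd directory /etc/openvpn/ccd, client certificate CN "branch-pfsense".

# --- additions to the OpenVPN server config on the Fedora firewall ---
# Kernel route: the server host sends 192.168.13.0/24 into tun1.
route 192.168.13.0 255.255.255.0
# Per-client config files, named after the certificate CN of the connecting client.
client-config-dir /etc/openvpn/ccd
# Refuse clients that have no ccd file, so a certificate without an entry
# cannot connect and claim a subnet it does not own.
ccd-exclusive

# --- /etc/openvpn/ccd/branch-pfsense ---
# Internal route: this client is the one behind 192.168.13.0/24, so the
# server accepts packets sourced from it and forwards replies to it.
iroute 192.168.13.0 255.255.255.0
```

Because the traffic is no longer masqueraded, two more things must hold on the Fedora box. The FORWARD chain has to accept the real source addresses, for example `iptables -A FORWARD -i tun1 -s 192.168.13.0/24 -j ACCEPT` together with a matching rule for `-o tun1 -d 192.168.13.0/24` (or a stateful ESTABLISHED,RELATED rule), and the other LANs need a return route for 192.168.13.0/24; here that is automatic, since fw is their default gateway and the `route` line above puts the subnet into tun1 in its kernel table. With NAT gone, hosts on 192.168.0.0/24 see the real 192.168.13.x addresses, which is what makes per-host firewall rules and logs on that side meaningful. Separately from the routing question, the posted config uses dh1024.pem and comp-lzo; current OpenVPN guidance is a 2048-bit or larger DH group (or ECDH) and no compression on the tunnel.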
              atanas.manoilov

              10x a lot,
              it was enough for me to understand :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.