Routing Problem with OpenVPN



  • Hi guys

    I need help for access network 172.30.100.0/24 from my client office network 192.168.2.0/24 with openVPN to main company!

    Company GW PFSense 2.0.1 load balanced/failover Lan IP:192.168.1.10
    Router Lan IP: 192.168.1.5 nat to 172.30.100.0/24
    Client office GW PFSense 2.0.1 load balanced/failover Lan IP: 192.168.2.10
    OpenVPN Site-to-Site 10.0.0.0/30

    I put in additional settings OpenVPN command "push route" and "route 172.30.100.0 255.255.255.0". But I can only conclude a traceroute from pfsense to pfsense. Through the network of my client packet is sent to the wan interface.

    The image below shows my network structure.

    Sorry my english.

    Thanks



  • On client pfSense 192.168.2.10 OpenVPN Peer-to-Peer server Advanced you can directly put:

    route 172.30.100.0 255.255.255.0
    

    Or from the server end 192.168.1.10 you can push the route to the client:

    push "route 172.30.100.0 255.255.255.0"
    

    Either is good.
    Then pfSense 192.168.1.10 will need a static route that says 172.30.100.0/24 is reached through 192.168.1.5
    Router Serpro at 192.168.1.5, if its default gateway is not already pfSense 192.168.1.10, will need to be told a static route that says 192.168.2.0/24 is reached through 192.168.1.10

    In this sort of setup with no routing protocol (OSPF etc) running, you need to look at each router and think about how will it know how to reach other networks that are not locally connected. Then find a way of telling it the routes - either "route" statements in the advanced box of OpenVPN, a static rouet in pfSense, or adding a route in some other router software box.



  • @phil.davis:

    On client pfSense 192.168.2.10 OpenVPN Peer-to-Peer server Advanced you can directly put:

    route 172.30.100.0 255.255.255.0
    

    Or from the server end 192.168.1.10 you can push the route to the client:

    push "route 172.30.100.0 255.255.255.0"
    

    Either is good.
    Then pfSense 192.168.1.10 will need a static route that says 172.30.100.0/24 is reached through 192.168.1.5
    Router Serpro at 192.168.1.5, if its default gateway is not already pfSense 192.168.1.10, will need to be told a static route that says 192.168.2.0/24 is reached through 192.168.1.10

    In this sort of setup with no routing protocol (OSPF etc) running, you need to look at each router and think about how will it know how to reach other networks that are not locally connected. Then find a way of telling it the routes - either "route" statements in the advanced box of OpenVPN, a static rouet in pfSense, or adding a route in some other router software box.

    Hi phil.davis

    I put the settings as instructed above, but still could not finish the traceroute to a network computer client to the ip 172.30.100.5. The pfSense does not understand that should send the package to the vpn tunnel. He sends to the wan port. If I do a traceroute to the ip of pfsense network of company it uses the tunnel.

    Both PFSense is default gw…



  • Use Diagnostics->Routes to see what routes end up in the routing table. The 192.168.2.10 pfSense should have a route to 172.30.100.0/24 that goes through the tunnel.
    The diagram mentions failover on the pfSense boxes - maybe you have rules feeding (policy routing) general internet traffic into gateway groups. If those rules are too broad, and include 172.30.100.0/24, then that would be forcing the traffic into the external gateways before the OpenVPN route gets looked at.



  • @phil.davis:

    Use Diagnostics->Routes to see what routes end up in the routing table. The 192.168.2.10 pfSense should have a route to 172.30.100.0/24 that goes through the tunnel.
    The diagram mentions failover on the pfSense boxes - maybe you have rules feeding (policy routing) general internet traffic into gateway groups. If those rules are too broad, and include 172.30.100.0/24, then that would be forcing the traffic into the external gateways before the OpenVPN route gets looked at.

    Could you please check my rules and say what can I do to solve this problem?





    ![Routing Table.jpg](/public/imported_attachments/1/Routing Table.jpg)
    ![Routing Table.jpg_thumb](/public/imported_attachments/1/Routing Table.jpg_thumb)



  • From the LAN rules, I don't think that you can reach 192.168.1.0/24 or 172.30.100.0/24 from the client LAN 192.168.2.0/24. The last LAN rule is directing it all into LoadBalance_Failover.
    I think this will work:
    a) Add an alias InternalNets for the networks 192.168.1.0/24 and 172.30.100.0/24
    b) Add a rule before the last LAN to LoadBalance_Failover rule. Pass source LAN net, Destination InternalNets, no gateway.
    The packets for those internal networks should be passed straight out of the packet filter and use the normal routing table.



  • @phil.davis:

    From the LAN rules, I don't think that you can reach 192.168.1.0/24 or 172.30.100.0/24 from the client LAN 192.168.2.0/24. The last LAN rule is directing it all into LoadBalance_Failover.
    I think this will work:
    a) Add an alias InternalNets for the networks 192.168.1.0/24 and 172.30.100.0/24
    b) Add a rule before the last LAN to LoadBalance_Failover rule. Pass source LAN net, Destination InternalNets, no gateway.
    The packets for those internal networks should be passed straight out of the packet filter and use the normal routing table.

    Now is working. Thank you!!


Log in to reply