Dual Wan with Open VPN
-
I have two networks, one is a remote network and the other is my Central Network. I have two pfSense boxes at both sites, and they connect to each other using a fiber connection. I have an OpenVPN tunnel going through this fiber connection from the remote network to the Central Network. My internet is on my Central Network. What I need is the clients on my remote side to get their internet from my Central Network through the VPN tunnel. I already have the tunnel up, but I can't get it to use my Central Network's Internet.
Here is a diagram of my setup: http://www.gliffy.com/pubdoc/1268749/L.jpg
Any help will be appreciated.
-
I'm no pro at this, but in this post - http://forum.pfsense.org/index.php/topic,5835.0.html
- they just told me to:
add something like this to your server-config:

push "redirect-gateway def1"
push "dhcp-option DNS x.x.x.x"

That should push the internet from the clients over the VPN. This config I'm sure will work if you connect directly with the clients to the VPN server, but you're connecting clients through a tunnel created by the VPN, so you might need to set proper gateways or something else might be needed to get it to work.
-
I forgot to mention that the interface that connects the central site to the remote site is the optional interface (OPT1). The WAN interface on my Central box connects to my ISP.
I tried what you suggested and I couldn't get through.
-
what other kinds of connection does your remote site have?
only this fiber connection to you?
i suppose you use the OpenVPN encryption as protection of the data on the fibre line.
with a setup about like this it should work:
remote side: change the "allow all"-rule on your LAN so that it uses the OpenVPN server in your local network as default gateway.
local side: add static routes to your pfSense so it knows that the 172.66.1.x network is available over 192.18.10.1
if you configure your OpenVPN correctly on your local side, this is done by the OpenVPN process.
your local pfSense needs to know where to send the traffic back to :)
-
All Internet that this remote site gets is from my Central Site through the VPN tunnel.
The VPN tunnel is for data protection on the fiber line.
I've tried what you suggested, and I can ping my WAN from the remote side, but I can't get out to the internet from the remote side.
I revamped my network diagram, since my first one lacks some information.
Here is an updated version of my network design: http://www.gliffy.com/pubdoc/1270340/L.jpg
-
one thing i just noticed: 172.66.x.x and 172.33.x.x are not private ranges.
allowed private ranges are:
192.168.x.x
or
172.16.x.x up to 172.31.x.x
or
10.x.x.x

you mean you can ping as a client from within the 172.66.1.x range your IP 66.x.x.x you have on the public side on the internet?
can you also ping the IP of the next hop? maybe the gateway of your central pfSense?
is it possible that the route to the internet is working but you cannot resolve names?
-
I just plugged in those numbers as an example. The WAN IPs are the same.
The real ranges are Remote site LAN: 172.19.x.x and Central Site LAN: 172.16.x.x. Sorry.
I can go to the Internet from my Central pfSense box, which means that internet does work at the central site level.
However on the Remote site I can ping the WAN IP of my Central pfSense box, 66.x.x.x, but not past it. Therefore I can't get out to the Internet from the Remote site.
Is the OpenVPN not pushing the right gateway? If it's trying to push the Central Site's fiber gateway, 192.168.1.10, instead of the Central Site's WAN IP gateway, 66.x.x.x, could that be why I can't reach past the WAN IP gateway on my remote side?
-
are you pinging from the remote pfSense itself or from a client in the remote network?
it's possible that traffic from your openVPN server is not NATed.
try enabling Advanced outbound NAT and create a rule that NAT's traffic from your subnets that come over OpenVPN.

> Is the OpenVPN not pushing the right gateway? If it's trying to push the Central Site's fiber gateway, 192.168.1.10, instead of the Central Site's WAN IP gateway, 66.x.x.x, could that be why I can't reach past the WAN IP gateway on my remote side?

192.168.10.2 IS your gateway seen from the remote network, not 66.x.x.x; that's only the WAN IP to which it is NAT'ed.
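As an added illustration (not from the thread or from pfSense), a small Python model of the topology above: it shows why a remote client could ping the central box's WAN address but nothing past it until outbound NAT also covered traffic arriving over the OpenVPN tunnel. Every address other than the prefixes the thread names (172.19.x.x, 172.16.x.x, 66.x.x.x) is an assumed placeholder.

```python
import ipaddress

# Constructed model of the thread's topology. Placeholders: the remote box as
# seen over the tunnel and the concrete WAN address are assumed, not from the page.
# Key fact being modelled: the ISP never routes a reply to an RFC 1918 source, so a
# remote client's forwarded packet only returns if the central box both rewrites
# the source to its WAN address (outbound NAT) and has a return route via the tunnel.
REMOTE_LAN = ipaddress.ip_network("172.19.0.0/16")
CENTRAL_LAN = ipaddress.ip_network("172.16.0.0/16")
TUNNEL_PEER = ipaddress.ip_address("192.168.10.1")  # assumed: remote box over the tunnel
WAN_IP = ipaddress.ip_address("66.0.0.2")           # placeholder for 66.x.x.x


class CentralPfSense:
    def __init__(self, return_route, nat_remote_lan):
        # return_route: box knows REMOTE_LAN is reachable via TUNNEL_PEER (static or OpenVPN route)
        # nat_remote_lan: outbound NAT on WAN also covers sources in REMOTE_LAN
        self.routes = {CENTRAL_LAN: "lan"}
        if return_route:
            self.routes[REMOTE_LAN] = TUNNEL_PEER
        self.nat_sources = [CENTRAL_LAN] + ([REMOTE_LAN] if nat_remote_lan else [])

    def route_for(self, addr):
        for net, via in self.routes.items():
            if addr in net:
                return via
        return "isp"  # default route out the WAN

    def round_trip_ok(self, src, dst):
        """True if a packet src -> dst is delivered and its reply finds its way back."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.route_for(src) == "isp":
            return False  # no return route: the box would send the reply to the ISP
        if dst == WAN_IP:
            return True   # the box answers locally, so pinging the WAN IP works even without NAT
        if self.route_for(dst) != "isp":
            return True   # internal destination, plain routing, no NAT involved
        # Forwarded to the ISP: the reply only comes back to a public (NATed) source.
        return any(src in net for net in self.nat_sources)
```

The thread's symptom is `CentralPfSense(True, False)`: the remote client reaches `66.0.0.2` but not an internet address; adding the remote subnet to outbound NAT (`CentralPfSense(True, True)`) completes the path.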
-
Thanks, that was exactly what it was. I changed my NAT around and it worked.
I owe you!