Netgate Discussion Forum

    OpenVPN Multiple Gateways

theflu

I have 3 different pfSense boxes on the same network; each has its own modem. The pfSense IPs are 10.0.0.1, 10.0.0.2, 10.0.0.3. The box with 10.0.0.3 has OpenVPN running on it. I can connect to the VPN and access the devices that use the 10.0.0.3 gateway, but I cannot access the devices that use the other 2 gateways. How do I get my VPN to be able to access the other devices?

IPs:
10.0.0.1/24 - pfSense gateway
10.0.0.2/24 - pfSense gateway
10.0.0.3/24 - pfSense gateway / OpenVPN server
10.0.1.0/24 - OpenVPN IPs

Thanks,
Flu
theflu

On the 10.0.0.1 pfSense I created a gateway to 10.0.0.3 and created a static route that pointed 10.0.1.0/24 to the 10.0.0.3 gateway. I saw the traffic getting blocked in the firewall going to the 10.0.1.0/24 network, so I created a LAN rule to allow any protocol from LAN net to network 10.0.1.0/24, any port. But it is still being blocked in the firewall. I used the easy rule creation and it's still getting blocked.
Nachtfalke

It looks like all the LAN interfaces of your three pfSense boxes are on the same subnet, right?
So if you have access with OpenVPN to pfSense3, then your VPN is working.

Check on pfSense2 and pfSense1 whether you allow your OpenVPN IP subnet in the LAN firewall rules. Often there is only a rule which allows all traffic from "LAN Subnet", but your OpenVPN traffic does not originate from the LAN subnet but from the OpenVPN subnet.

Further, make sure that your OpenVPN tunnel network does not overlap with your LAN network (10.0.1.0/24). Overlapping networks on both sites could cause trouble.

Question:
Why are you using three pfSense boxes and not just one with load balancing? If this is only because of your servers, then you can do policy-based routing on the pfSense LAN interface and route server1 traffic through the pfSense1 gateway and so on.
theflu

Yes, all the pfSense boxes are on the same subnet.
The VPN does work. (I just can't access the servers on the different gateways.)

Should I change the VPN subnet to something like 10.0.1.0/30?

The reason for the multiple pfSense boxes is reliability: if one goes out we don't want everything to go out, and we have a lot of traffic, like TBs a month.

pfSense 10.0.0.1 route:

pfSense 10.0.0.1 rule:
theflu

I changed the subnet for the VPN to /29 from /24 (I changed the subnet in the route and rule on 10.0.0.1 also).

The traffic is still getting blocked, even with the rule posted above.

This is the firewall log from pfSense 10.0.0.1:
Nachtfalke

Hi again,

no need for any static routes to make OpenVPN work.
Your LAN is 10.0.0.0/24 - this is OK.
Your VPN is 10.0.1.0/24 - this is OK.

From your OpenVPN client you can access 10.0.0.3, right?
If this is working, then I assume your OpenVPN is correct and your firewall rules for OpenVPN on pfSense 10.0.0.3 are correct. What you have to do is:

• allow traffic from 10.0.1.0/24 as source address on the LAN interfaces of pfSense 10.0.0.1 and pfSense 10.0.0.2

• allow traffic from 10.0.1.0/24 on your servers 10.0.0.10, 10.0.0.20, 10.0.0.30 (firewall)
theflu

Same results.

I changed the subnet back to /24 and
removed the gateway and route to 10.0.1.0/24.

The servers do not have a firewall on them.

I added these rules:

This is the traffic being blocked by the firewall on 10.0.0.1 (10.0.0.23 is the server I am trying to access):
rubic

The firewall on 10.0.0.1 drops the SYN-ACK from 10.0.0.23 since it has no corresponding state. That's because the initial SYN 10.0.1.6 -> 10.0.0.23 goes directly, not through 10.0.0.1.
So first of all, in System: Advanced: Firewall and NAT, check 'Bypass firewall rules for traffic on the same interface', then of course bring the static routes back.
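The asymmetric path rubic describes, modelled as an added example (not pfSense or pf code): a toy stateful filter with a routing table and the same-interface bypass replays the server's SYN-ACK as pfSense 10.0.0.1 sees it. The interface names, server port 80 and client port 51234 are constructed values.

```python
# Added example, not pfSense or pf code: a toy stateful filter that replays the
# SYN / SYN-ACK exchange from the thread as seen by pfSense 10.0.0.1.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# flags: "S" = SYN, "SA" = SYN-ACK; ingress: interface the packet arrived on
Packet = namedtuple("Packet", "src dst sport dport flags ingress")

@dataclass
class Firewall:
    routes: dict      # prefix -> egress interface (constructed routing table)
    rules: list       # (iface, src_net, dst_net) allow rules, first match wins
    bypass_same_iface: bool = False   # 'Bypass firewall rules for traffic on the same interface'
    states: set = field(default_factory=set)

    def egress(self, dst):  # longest-prefix match over the routing table
        addr = ipaddress.ip_address(dst)
        hits = [(ipaddress.ip_network(p), i) for p, i in self.routes.items()
                if addr in ipaddress.ip_network(p)]
        return max(hits, key=lambda h: h[0].prefixlen)[1]

    def process(self, p):
        key, rev = (p.src, p.dst, p.sport, p.dport), (p.dst, p.src, p.dport, p.sport)
        if key in self.states or rev in self.states:
            return "pass (state)"
        if self.bypass_same_iface and self.egress(p.dst) == p.ingress:
            return "pass (same-interface bypass)"   # pf skips rules and state here
        if p.flags == "S":                           # only a SYN may create state
            src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
            for iface, src_net, dst_net in self.rules:
                if iface == p.ingress and src in src_net and dst in dst_net:
                    self.states.add(key)
                    return "pass (rule, state created)"
        return "block"   # default deny: a SYN-ACK with no state lands here

def replay(static_route, bypass):
    """10.0.0.1 sees only the server's SYN-ACK; the client's SYN went via 10.0.0.3."""
    routes = {"10.0.0.0/24": "lan", "0.0.0.0/0": "wan"}
    if static_route:
        routes["10.0.1.0/24"] = "lan"   # 10.0.1.0/24 via gateway 10.0.0.3 on LAN
    net = ipaddress.ip_network
    rules = [("lan", net("10.0.0.0/24"), net("0.0.0.0/0")),   # LAN net -> any
             ("lan", net("10.0.1.0/24"), net("0.0.0.0/0"))]   # theflu's VPN rule
    fw = Firewall(routes, rules, bypass)
    return fw.process(Packet("10.0.0.23", "10.0.1.6", 80, 51234, "SA", "lan"))

if __name__ == "__main__":
    for route, bypass in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"static route={route!s:5} bypass={bypass!s:5} -> {replay(route, bypass)}")
```

The first three cases reproduce theflu's attempts (no route, route plus LAN rule, bypass without the route); only the route together with the bypass lets the reply through, which is the order rubic gives.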
theflu

@rubic:

> The firewall on 10.0.0.1 drops the SYN-ACK from 10.0.0.23 since it has no corresponding state. That's because the initial SYN 10.0.1.6 -> 10.0.0.23 goes directly, not through 10.0.0.1.
> So first of all, in System: Advanced: Firewall and NAT, check 'Bypass firewall rules for traffic on the same interface', then of course bring the static routes back.

Thank you! This worked perfectly!
theflu

I have one other question about OpenVPN.

I have

```
Redirect Gateway  Force all client generated traffic through the tunnel.

http://10.0.0.20/ ---> Through the VPN
http://google.com/ ---> Through client's ISP
```
Nachtfalke

@theflu:

> I have one other question about OpenVPN.
>
> I have
>
> ```
> Redirect Gateway  Force all client generated traffic through the tunnel.
>
> http://10.0.0.20/ ---> Through the VPN
> http://google.com/ ---> Through client's ISP
> ```

Uncheck the "redirect all traffic through gateway" option and set your 10.0.0.0/24 network as the remote network on the OpenVPN server.
Restart the OpenVPN server and reconnect the OpenVPN client.

On the OpenVPN client you can see with "netstat -rn" that there is a static route entry for the OpenVPN network, and the rest will use your ISP.
theflu

Thank you. That worked.
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.