OpenVPN Multiple Gateways



  • I have 3 different pfSense boxes on the same network; each has its own modem. The pfSense IPs are 10.0.0.1, 10.0.0.2, 10.0.0.3. The box with 10.0.0.3 has OpenVPN running on it. I can connect to the VPN and access the devices that use the 10.0.0.3 gateway, but I cannot access the devices that use the other 2 gateways. How do I get my VPN to be able to access the other devices?

    IPs:
    10.0.0.1/24 - pfSense gateway
    10.0.0.2/24 - pfSense gateway
    10.0.0.3/24 - pfSense gateway / OpenVPN server
    10.0.1.0/24 - OpenVPN IPs

    Thanks,
    Flu



  • On the 10.0.0.1 pfSense I created a gateway to 10.0.0.3 and created a static route that pointed 10.0.1.0/24 to the 10.0.0.3 gateway. I saw the traffic going to the 10.0.1.0/24 network getting blocked in the firewall, so I created a LAN rule to allow any protocol from LAN Net to network 10.0.1.0/24 on any port. But it is still being blocked in the firewall. I used the easy rule creation and it's still getting blocked.





  • It looks like all the LAN interfaces of your three pfSense boxes are on the same subnet, right?
    So if you have access with OpenVPN to pfSense3, then your VPN is working.

    Check on pfSense2 and pfSense1 whether you allow your OpenVPN IP subnet in the LAN firewall rules. Often there is only a rule which allows all traffic from "LAN Subnet", but your OpenVPN traffic does not originate from the LAN subnet but from the OpenVPN subnet.

    Further, make sure that your OpenVPN tunnel network does not overlap with your LAN network (10.0.1.0/24). Overlapping networks on both sides could cause trouble.

    Question:
    Why are you using three pfSense boxes and not just one with load balancing? If this is only because of your servers, then you can do policy-based routing on the pfSense LAN interface and route server1 traffic through the pfSense1 gateway and so on.



  • Yes, all the pfSense boxes are on the same subnet.
    The VPN does work. (I just can't access the servers on the different gateways.)

    Should I change the VPN subnet to something like 10.0.1.0/30?

    The reason for the multiple pfSense boxes is reliability: if one goes out, we don't want everything to go out, and we have a lot of traffic, like TBs a month.

    pfSense 10.0.0.1 route:

    pfSense 10.0.0.1 rule:



  • I changed the subnet for the VPN to /29 from /24 (I changed the subnet in the route and rule on 10.0.0.1 also).

    The traffic is still getting blocked even with the rule posted above.

    This is the firewall log from pfSense 10.0.0.1:



  • Hi again,

    no need for any static routes to make OpenVPN work.
    Your LAN is 10.0.0.0/24 - this is OK
    Your VPN is 10.0.1.0/24 - this is OK

    From your OpenVPN client you can access 10.0.0.3 - right?
    If this is working, then I assume your OpenVPN is correct and your firewall rules for OpenVPN on pfSense 10.0.0.3 are correct. What you have to do is:

    • allow traffic from 10.0.1.0/24 as source address on the pfSense 10.0.0.1 and pfSense 10.0.0.2 LAN interfaces

    • allow traffic from 10.0.1.0/24 on your servers 10.0.0.10, 10.0.0.20, 10.0.0.30 (firewall)



  • Same results.

    I changed the subnet back to /24 and
    removed the gateway and route to 10.0.1.0/24.

    The servers do not have a firewall on them.

    I added these rules:

    This is the traffic being blocked by the firewall on 10.0.0.1 (10.0.0.23 is the server I am trying to access):



  • The firewall on 10.0.0.1 drops the SYN-ACK from 10.0.0.23 since it has no corresponding state. That's because the initial SYN 10.0.1.6 -> 10.0.0.23 goes directly, not through 10.0.0.1.
    So first of all, in System: Advanced: Firewall and NAT, check 'Bypass firewall rules for traffic on the same interface', then of course bring the static routes back.
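The asymmetric path rubic describes, as an added model that is not code from the thread or from pfSense: a simplified pf-style stateful filter standing in for pfSense 10.0.0.1, using the poster's addresses (client 10.0.1.6, server 10.0.0.23). It shows why the added LAN rule alone cannot help, why the bypass option needs the static route back, and how the two together let the SYN-ACK through.

```python
"""Model of the asymmetric-routing drop rubic describes. Added example, not code
from the thread or from pfSense: a simplified pf-style stateful filter using the
addresses the poster gave (client 10.0.1.6, server 10.0.0.23, gateway 10.0.0.1)."""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("10.0.0.0/24")   # shared LAN of the three pfSense boxes
VPN_NET = ip_network("10.0.1.0/24")   # OpenVPN tunnel network, server on 10.0.0.3


class Gateway1:  # pfSense 10.0.0.1, the default gateway of server 10.0.0.23
    def __init__(self, static_route_to_vpn=False, bypass_same_iface=False):
        self.static_route_to_vpn = static_route_to_vpn  # 10.0.1.0/24 via 10.0.0.3
        self.bypass_same_iface = bypass_same_iface      # System: Advanced: Firewall and NAT
        self.states = set()                             # flows that already passed a rule

    def out_iface(self, dst):
        """Routing decision: LAN for local or statically routed prefixes, else WAN."""
        dst = ip_address(dst)
        if dst in LAN_NET or (self.static_route_to_vpn and dst in VPN_NET):
            return "lan"
        return "wan"

    def filter(self, src, dst, flags, in_iface="lan"):
        """Return 'pass' or 'block' for one packet arriving on in_iface."""
        if self.bypass_same_iface and in_iface == self.out_iface(dst):
            return "pass"                   # hairpinned on the LAN: no state check
        flow = frozenset((src, dst))
        if flow in self.states:
            return "pass"                   # reply to a flow we already saw
        if flags == "SYN" and ip_address(src) in LAN_NET:
            self.states.add(flow)           # default "LAN net -> any" rule creates state
            return "pass"
        return "block"                      # e.g. a SYN-ACK with no matching state


def server_reply_fate(gw1):
    """The client's SYN (10.0.1.6 -> 10.0.0.23) enters via 10.0.0.3 and reaches the
    server directly on the LAN, so gw1 never sees it and holds no state. The server's
    SYN-ACK follows its default route to gw1, which must hairpin it back toward 10.0.0.3."""
    return gw1.filter("10.0.0.23", "10.0.1.6", "SYN-ACK")


def scenarios():
    return {
        "rule_only": server_reply_fate(Gateway1()),                             # block
        "bypass_no_route": server_reply_fate(Gateway1(bypass_same_iface=True)),  # block
        "bypass_and_route": server_reply_fate(Gateway1(True, True)),            # pass
    }
```

Without the static route the SYN-ACK is routed toward the WAN, so the same-interface bypass never applies and the stateless reply is dropped exactly as in the poster's firewall log.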



  • @rubic:

    The firewall on 10.0.0.1 drops the SYN-ACK from 10.0.0.23 since it has no corresponding state. That's because the initial SYN 10.0.1.6 -> 10.0.0.23 goes directly, not through 10.0.0.1.
    So first of all, in System: Advanced: Firewall and NAT, check 'Bypass firewall rules for traffic on the same interface', then of course bring the static routes back.

    Thank you! This worked perfectly!



  • I have one other question about OpenVPN.

    I have "Redirect Gateway: Force all client generated traffic through the tunnel."

    http://10.0.0.20/ ---> Through the VPN
    http://google.com/ ---> Through the client's ISP


  • @theflu:

    I have one other question about OpenVPN.

    I have "Redirect Gateway: Force all client generated traffic through the tunnel."

    http://10.0.0.20/ ---> Through the VPN
    http://google.com/ ---> Through the client's ISP

    Uncheck the "redirect all traffic through gateway" option and set your 10.0.0.0/24 network as the remote network on the OpenVPN server.
    Restart the OpenVPN server and reconnect the OpenVPN client.

    On the OpenVPN client you can see with "netstat -rn" that there is a static route entry for the OpenVPN network and the rest will use your ISP.
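The "netstat -rn" check above, as an added example that is not part of the thread: a constructed Linux-style routing table for the client after the server pushes 10.0.0.0/24 instead of redirect-gateway, and a longest-prefix lookup that confirms LAN hosts use tun0 while everything else keeps the ISP default route. The gateway 10.0.1.5, the interface names and the 192.168.1.0/24 home LAN are assumptions.

```python
"""Split-tunnel verification over `netstat -rn` output. Added example, not from
the thread; the table is constructed to match the poster's setup once the OpenVPN
server pushes only the 10.0.0.0/24 remote network."""
from ipaddress import ip_address, ip_network

# Constructed Linux-style `netstat -rn` output from the OpenVPN client.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        10.0.1.5        255.255.255.0   UG        0 0          0 tun0
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""


def parse_netstat_rn(text):
    """Return a list of (network, gateway, iface) tuples from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":
            continue                                    # title and header lines
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[-1]
        routes.append((ip_network(f"{dest}/{mask}"), gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns (gateway, iface) or None."""
    dst = ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return (best[1], best[2]) if best else None


def split_tunnel_ok(text):
    """True if LAN hosts go through tun0 while other destinations use the ISP default."""
    routes = parse_netstat_rn(text)
    return lookup(routes, "10.0.0.20")[1] == "tun0" and lookup(routes, "8.8.8.8")[1] == "eth0"
```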



  • Thank You. That worked.

