PfSense 2.0.3 with OpenVPN - routing problems



  • Hi all…

    I want to establish a secure connection to my servers ... I can and I did configure the pfSense and router using NAT rules so in a normal situation (without OpenVPN) I can ssh to my servers ...
    But since we live in a sniffing world I want to add more security to the setup. I added, configured and run the OpenVPN service on the pfSense box.

    All traffic from clients is redirected through the pfSense box and clients connected to the pfSense can communicate with each other.

    But I'm unable to establish a connection to devices behind pfSense's LAN when I'm connected to the pfSense box using OVPN.

    I can ping or connect via SSH to "client C" from "server A"; but in the opposite direction, no go.
    I did add push "route 192.168.186.0 255.255.255.0" but this doesn't help.

    I traced down the problem … and I think I must somehow route the traffic from 192.168.186.0/24 to the LAN (192.168.1.1)

    But I tried to add static routes on the pfSense box using the shell:
    route add -net 192.168.186.0/24 192.168.1.1 or
    route add -net 192.168.186.0/24 192.168.1.10

    But still nothing works… hm....

    Here is the output of pinging

    
    PING 192.168.186.1 (192.168.186.1): 56 data bytes
    36 bytes from asr-lj.amis.net (212.x.x.x): Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 4103   0 0000  3f  01 b2cf 90.157.178.143  192.168.186.1 
    
    36 bytes from asr-lj.amis.net (212.x.x.x): Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 4d84   0 0000  3f  01 a64e 90.157.178.143  192.168.186.1 
    
    ^C
    --- 192.168.186.1 ping statistics ---
    2 packets transmitted, 0 packets received, 100.0% packet loss
    
    

    Here is my setup:

    ----------------------------
    |        client C          |
    |      192.168.64.x        |
    |                          |
    ----------------------------
              WAN (188.x.x.x)
                |
                |
                |
              WAN (90.x.x.x)
    ----------------------------
    |       pfSense box        |
    |                          |
    |                          |
    ----------------------------
                |
          192.168.1.1 (LAN)
                |
                |
                |
       192.168.1.10 (router WAN IP)
    ----------------------------
    |         router           |
    |                          |
    |                          |
    ----------------------------
      192.168.186.1 (router LAN IP)
            |               |
    ------------------   -------------
    |    server A    |   |  server B |
    | 192.168.186.118|   |           |
    ------------------   -------------

    This is the ifconfig output, the routing table and several ping outputs from "client A":

    
    user@clientA:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr b8:27:eb:04:b7:80  
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:10.0.8.10  P-t-P:10.0.8.9  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:1681 errors:0 dropped:0 overruns:0 frame:0
              TX packets:113 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:208714 (203.8 KiB)  TX bytes:11796 (11.5 KiB)
    
    wlan0     Link encap:Ethernet  HWaddr 34:08:04:33:c2:57  
              inet addr:192.168.64.106  Bcast:192.168.64.255  Mask:255.255.255.0
              inet6 addr: fe80::3608:4ff:fe33:c257/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:52565 errors:0 dropped:0 overruns:0 frame:0
              TX packets:60381 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:32727913 (31.2 MiB)  TX bytes:6873419 (6.5 MiB)
    
    user@clientA:~$ netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.8.9        128.0.0.0       UG        0 0          0 tun0
    0.0.0.0         192.168.64.1    0.0.0.0         UG        0 0          0 wlan0
    10.0.8.0        10.0.8.9        255.255.255.0   UG        0 0          0 tun0
    10.0.8.9        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    90.X.X.X        192.168.64.1    255.255.255.255 UGH       0 0          0 wlan0
    128.0.0.0       10.0.8.9        128.0.0.0       UG        0 0          0 tun0
    192.168.64.0    0.0.0.0         255.255.255.0   U         0 0          0 wlan0
    192.168.186.0   10.0.8.9        255.255.255.0   UG        0 0          0 tun0 (this is probably not needed)
    user@clientA:~$ ping 192.168.186.118
    PING 192.168.186.118 (192.168.186.118) 56(84) bytes of data.
    From 212.x.x.x icmp_seq=1 Packet filtered
    From 212.x.x.x icmp_seq=2 Packet filtered
    From 212.x.x.x icmp_seq=3 Packet filtered
    ^C
    --- 192.168.186.118 ping statistics ---
    3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms
    
    user@clientA:~$ ping 192.168.186.1  
    PING 192.168.186.1 (192.168.186.1) 56(84) bytes of data.
    From 212.x.x.x icmp_seq=1 Packet filtered
    From 212.x.x.x icmp_seq=2 Packet filtered
    ^C
    --- 192.168.186.1 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
    
    user@clientA:~$ ping 192.168.1.10   
    PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
    64 bytes from 192.168.1.10: icmp_req=1 ttl=63 time=9.09 ms
    64 bytes from 192.168.1.10: icmp_req=2 ttl=63 time=13.8 ms
    ^C
    --- 192.168.1.10 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 9.098/11.470/13.842/2.372 ms
    user@clientA:~$ ping 192.168.1.1 
    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=12.9 ms
    64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=37.0 ms
    64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=14.6 ms
    
    --- 192.168.1.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2001ms
    rtt min/avg/max/mdev = 12.919/21.539/37.070/11.004 ms
    user@clientA:~$ 
    
    


  • Hm…
    I can however add a few rules to the NAT.

    OpenVPN TCP/UDP * * 192.168.186.0/24 22 (SSH) 192.168.1.10 22

    And this works... so I'll go this way ...
    If someone has any other solution ... please post it anyway

    thanks,
    p.
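To make the routing question of the first post and the NAT workaround of the second post concrete, here is an added example (not code from the thread or from pfSense) that simulates longest-prefix-match forwarding across the hops in the diagram. The client table is taken from the posted netstat output; the pfSense and router tables, the interface names (ovpns1, lan, wan), the stand-in name isp-router for the 212.x.x.x hop that answered "prohibited by filter", and the DNAT model of the port-forward rule are all assumptions. It shows why a packet for 192.168.186.118 reaches pfSense through the tunnel but then leaves via WAN (pfSense has no route for that subnet), why a route via 192.168.1.10 sends it to the router, why a route via pfSense's own 192.168.1.1 just hands the packet back to pfSense, and why the port forward to 192.168.1.10 works without any route at all.

```python
"""Hop-by-hop forwarding simulator for the pfSense / OpenVPN layout (constructed example)."""
import ipaddress

# Stand-in for the upstream ISP hop that returned "Communication prohibited by filter".
ISP_HOP = "isp-router"  # assumed name, not an address from the thread


def route_table(*rows):
    """Rows are (prefix, next_hop, iface); next_hop None means directly connected."""
    return [(ipaddress.ip_network(p), nh, iface) for p, nh, iface in rows]


# Routing tables constructed from the diagram and the posted netstat output.
TABLES = {
    "clientA": route_table(
        ("10.0.8.0/24", "10.0.8.9", "tun0"),
        ("192.168.186.0/24", "10.0.8.9", "tun0"),
        ("0.0.0.0/1", "10.0.8.9", "tun0"),       # redirect-gateway halves
        ("128.0.0.0/1", "10.0.8.9", "tun0"),
        ("192.168.64.0/24", None, "wlan0"),
        ("0.0.0.0/0", "192.168.64.1", "wlan0"),
    ),
    "pfsense": route_table(                       # assumed: only connected nets + default
        ("10.0.8.0/24", None, "ovpns1"),
        ("192.168.1.0/24", None, "lan"),
        ("0.0.0.0/0", ISP_HOP, "wan"),
    ),
    "router": route_table(                        # assumed consumer router table
        ("192.168.186.0/24", None, "lan"),
        ("192.168.1.0/24", None, "wan"),
        ("0.0.0.0/0", "192.168.1.1", "wan"),
    ),
}

# Which device owns which address, used to turn a next-hop IP into a hop name.
OWNER = {
    "10.0.8.9": "pfsense", "192.168.1.1": "pfsense",
    "192.168.1.10": "router", "192.168.186.1": "router",
    "192.168.186.118": "serverA",
}


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def trace(dst, tables=TABLES, dnat=None, start="clientA", max_hops=8):
    """Forward a packet for dst hop by hop; returns (path, verdict).

    dnat=(hop, net, new_dst) rewrites the destination on that hop, modelling the
    port-forward rule from the second post (destination 192.168.186.0/24 -> 192.168.1.10).
    """
    dst = ipaddress.ip_address(dst)
    hop, path = start, []
    for _ in range(max_hops):
        path.append(hop)
        if dnat and hop == dnat[0] and dst in ipaddress.ip_network(dnat[1]):
            dst = ipaddress.ip_address(dnat[2])
        route = lookup(tables[hop], dst)
        if route is None:
            return path, "no route"
        _, next_hop, _iface = route
        if next_hop is None:                       # directly connected: delivered
            return path + [OWNER.get(str(dst), str(dst))], "delivered"
        if next_hop == ISP_HOP:                    # private destination left via WAN
            return path + [ISP_HOP], "filtered"
        hop = OWNER[next_hop]
    return path, "loop"


def with_route(tables, gateway, prefix="192.168.186.0/24"):
    """Copy of the tables with a static route for prefix added on pfSense via gateway."""
    fixed = {name: list(rows) for name, rows in tables.items()}
    fixed["pfsense"].insert(0, (ipaddress.ip_network(prefix), gateway, "lan"))
    return fixed


if __name__ == "__main__":
    print("no static route   :", trace("192.168.186.118"))
    print("ping 192.168.1.10 :", trace("192.168.1.10"))
    print("via 192.168.1.10  :", trace("192.168.186.118", with_route(TABLES, "192.168.1.10")))
    print("via 192.168.1.1   :", trace("192.168.186.118", with_route(TABLES, "192.168.1.1")))
    print("port forward      :", trace("192.168.186.118",
                                       dnat=("pfsense", "192.168.186.0/24", "192.168.1.10")))
```

The simulator only models forwarding decisions. It does not model the router's own firewall or its port forward to server A, nor pfSense's firewall rules on the OpenVPN interface, either of which can still drop the packet after the route is in place; the delivered verdict for the port-forward case means the packet reaches 192.168.1.10, where the router's existing NAT rule from the first post takes over.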

