Netgate Discussion Forum

    PfSense 2.0.3 with OpenVPN - routing problems

    OpenVPN
    petrusko

      Hi all…

      I want to establish a secure connection to my servers ... I can and did configure pfSense and the router using NAT rules, so in a normal situation (without OpenVPN) I can SSH to my servers ...
      But since we live in a sniffing world I want to add more security to the setup. I added, configured and run the OpenVPN service on the pfSense box.

      All traffic from clients is redirected through the pfSense box and clients connected to pfSense can communicate with each other.

      But I'm unable to establish a connection to the devices behind pfSense's LAN when I'm connected to the pfSense box using OVPN.

      I can ping or connect via SSH to "client C" from "server A"; but in the opposite direction it's a no-go.
      I did add push "route 192.168.186.0 255.255.255.0" but this doesn't help.

      I traced down the problem … and I think I must somehow route the traffic from 192.168.186.0/24 to the LAN (192.168.1.1)

      But I tried to add static routes on the pfSense box using the shell:
      route add -net 192.168.186.0/24 192.168.1.1 or
      route add -net 192.168.186.0/24 192.168.1.10

      But still nothing works... hm...

      Here is the output of pinging

      
      PING 192.168.186.1 (192.168.186.1): 56 data bytes
      36 bytes from asr-lj.amis.net (212.x.x.x): Communication prohibited by filter
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 5400 4103   0 0000  3f  01 b2cf 90.157.178.143  192.168.186.1 
      
      36 bytes from asr-lj.amis.net (212.x.x.x): Communication prohibited by filter
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 5400 4d84   0 0000  3f  01 a64e 90.157.178.143  192.168.186.1 
      
      ^C
      --- 192.168.186.1 ping statistics ---
      2 packets transmitted, 0 packets received, 100.0% packet loss
      
      

      Here is my setup:

                  ----------------------------
                  |    client C              |
                  |    192.168.64.x          |
                  ----------------------------
                            WAN  (188.x.x.x)
                              |
                              |
                            WAN (90.x.x.x)
                  ----------------------------
                  |    pfSense box           |
                  ----------------------------
                          |
                        192.168.1.1 (LAN)
                          |
                    192.168.1.10 (router WAN IP)
                  ----------------------------
                  |    router                |
                  ----------------------------
                    192.168.186.1 (router LAN IP)
                          |                 |
                  --------------------    -------------
                  |    server A      |    |  server B |
                  | 192.168.186.118  |    |           |
                  --------------------    -------------

      This is an ifconfig, and several PING outputs from "client A"

      
      user@clientA:~$ ifconfig
      eth0      Link encap:Ethernet  HWaddr b8:27:eb:04:b7:80  
                UP BROADCAST MULTICAST  MTU:1500  Metric:1
                RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000 
                RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
      
      lo        Link encap:Local Loopback  
                inet addr:127.0.0.1  Mask:255.0.0.0
                inet6 addr: ::1/128 Scope:Host
                UP LOOPBACK RUNNING  MTU:16436  Metric:1
                RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:0 
                RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
      
      tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
                inet addr:10.0.8.10  P-t-P:10.0.8.9  Mask:255.255.255.255
                UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
                RX packets:1681 errors:0 dropped:0 overruns:0 frame:0
                TX packets:113 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:100 
                RX bytes:208714 (203.8 KiB)  TX bytes:11796 (11.5 KiB)
      
      wlan0     Link encap:Ethernet  HWaddr 34:08:04:33:c2:57  
                inet addr:192.168.64.106  Bcast:192.168.64.255  Mask:255.255.255.0
                inet6 addr: fe80::3608:4ff:fe33:c257/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:52565 errors:0 dropped:0 overruns:0 frame:0
                TX packets:60381 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000 
                RX bytes:32727913 (31.2 MiB)  TX bytes:6873419 (6.5 MiB)
      
      user@clientA:~$ netstat -nr
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
      0.0.0.0         10.0.8.9        128.0.0.0       UG        0 0          0 tun0
      0.0.0.0         192.168.64.1    0.0.0.0         UG        0 0          0 wlan0
      10.0.8.0        10.0.8.9        255.255.255.0   UG        0 0          0 tun0
      10.0.8.9        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
      90.X.X.X        192.168.64.1    255.255.255.255 UGH       0 0          0 wlan0
      128.0.0.0       10.0.8.9        128.0.0.0       UG        0 0          0 tun0
      192.168.64.0    0.0.0.0         255.255.255.0   U         0 0          0 wlan0
      192.168.186.0   10.0.8.9        255.255.255.0   UG        0 0          0 tun0 (this is probably not needed)
      user@clientA:~$ ping 192.168.186.118
      PING 192.168.186.118 (192.168.186.118) 56(84) bytes of data.
      From 212.x.x.x icmp_seq=1 Packet filtered
      From 212.x.x.x icmp_seq=2 Packet filtered
      From 212.x.x.x icmp_seq=3 Packet filtered
      ^C
      --- 192.168.186.118 ping statistics ---
      3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms
      
      user@clientA:~$ ping 192.168.186.1  
      PING 192.168.186.1 (192.168.186.1) 56(84) bytes of data.
      From 212.x.x.x icmp_seq=1 Packet filtered
      From 212.x.x.x icmp_seq=2 Packet filtered
      ^C
      --- 192.168.186.1 ping statistics ---
      2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
      
      user@clientA:~$ ping 192.168.1.10   
      PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
      64 bytes from 192.168.1.10: icmp_req=1 ttl=63 time=9.09 ms
      64 bytes from 192.168.1.10: icmp_req=2 ttl=63 time=13.8 ms
      ^C
      --- 192.168.1.10 ping statistics ---
      2 packets transmitted, 2 received, 0% packet loss, time 1001ms
      rtt min/avg/max/mdev = 9.098/11.470/13.842/2.372 ms
      user@clientA:~$ ping 192.168.1.1 
      PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
      64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=12.9 ms
      64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=37.0 ms
      64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=14.6 ms
      
      --- 192.168.1.1 ping statistics ---
      3 packets transmitted, 3 received, 0% packet loss, time 2001ms
      rtt min/avg/max/mdev = 12.919/21.539/37.070/11.004 ms
      user@clientA:~$ 
      
      
      petrusko

        Hm…
        I can however add a few rules to the NAT.

        OpenVPN TCP/UDP * * 192.168.186.0/24 22 (SSH) 192.168.1.10 22

        And this works... so I'll go this way ...
        If someone has any other solution ... please post it anyway

        thanks,
        p.

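Added example, not code from the thread or from pfSense: a small longest-prefix-match simulation over constructed routing tables modelled on the diagram in the first post. It reproduces why the pings to 192.168.186.x in the first post drew "Communication prohibited by filter" from the ISP's router (with no route for 192.168.186.0/24, pfSense forwards the tunnel's packets out its default route on WAN), shows the path once a static route via 192.168.1.10 exists on pfSense (the alternative to the port-forward workaround in the second post), and checks the return path from the downstream router. pfSense's and the router's tables, the interface names and the placeholder gateway 90.0.0.1 are assumptions.

```python
import ipaddress

# Constructed tables modelled on the thread's diagram. The posts never show
# pfSense's or the router's routing table, so both are assumed here, and the
# masked ISP gateway (90.x.x.x) is replaced by the placeholder 90.0.0.1.
TABLES = {
    "pfSense": [("0.0.0.0/0", "90.0.0.1", "wan"),      # default route to the ISP
                ("10.0.8.0/24", None, "ovpns1"),       # OpenVPN tunnel network
                ("192.168.1.0/24", None, "lan")],
    "router":  [("0.0.0.0/0", "192.168.1.1", "wan"),   # its upstream is pfSense
                ("192.168.1.0/24", None, "wan"),
                ("192.168.186.0/24", None, "lan")],
}
# Addresses of the modelled devices, so a next hop can be followed to its owner.
OWNER = {"192.168.1.1": "pfSense", "10.0.8.1": "pfSense",
         "192.168.1.10": "router", "192.168.186.1": "router"}
# The static route the thread is missing on pfSense (assumed fix).
MISSING_ROUTE = ("192.168.186.0/24", "192.168.1.10", "lan")

def lookup(table, dst):
    """Longest-prefix match: returns (next_hop, iface); next_hop None = on-link."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best[1:] if best else (None, None)

def trace(dst, start, tables=TABLES):
    """Follow next hops from `start` until dst is on-link, the packet leaves
    via an unmodelled next hop (the ISP), there is no route, or a loop."""
    path, node = [], start
    while node and len(path) < 8:
        nh, iface = lookup(tables[node], dst)
        if iface is None:
            return path, "no route"
        path.append((node, iface))
        if nh is None:                 # destination is directly connected here
            return path, "delivered"
        node = OWNER.get(nh)           # None for the ISP gateway: left the site
    return path, "left site" if node is None else "loop"

def with_static_route():
    """pfSense's table plus the static route towards the downstream router."""
    return {**TABLES, "pfSense": TABLES["pfSense"] + [MISSING_ROUTE]}

if __name__ == "__main__":
    print(trace("192.168.186.118", "pfSense"))                      # left site
    print(trace("192.168.186.118", "pfSense", with_static_route()))  # delivered
    print(trace("10.0.8.10", "router"))                             # return path
```

The model covers routing only: whether the downstream router's WAN-side firewall accepts traffic arriving from 10.0.8.0/24 is a separate check, and the port-forward in the second post sidesteps it by addressing the router's WAN IP directly.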