Two subnets, can't access one



  • Hi all, thanks in advance for any help.

    We have two separate internet connections at our office. Number 1 is connected to pfsense on WAN. Number 2 is connected to a CISCO appliance that connects our network to our head office via VPN.

    We have an "internal" and "external" network. The internal has IP addresses in the 10.129.1.0/16 range. Hosts in this network have 10.129.1.1 (the IP of the CISCO appliance) as gateway. Our external network is set up as OPT1 on pfsense. This network is 172.16.30.0/24, with OPT1 as 172.16.30.1. The "LAN" interface on pfsense is connected to the "internal" network and has an IP of 10.129.1.200, with no gateway. But for the connections to the pfsense box, these two networks are completely separate.

    I have set up an LDAP connection in pfsense to our AD server in the internal network (10.129.1.10), and this connection works correctly. It works to authenticate users via OpenVPN. Pinging hosts on 10.129.1.0/16 works via the ping tool in pfsense.

    What I want to be able to do is have a user connect to pfsense through Internet #1 via OpenVPN, and be able to access the resources on the "internal" network (servers behind our CISCO appliance). Thus far, my configuration attempts have failed. I can give users access to hosts on the "external" network via OpenVPN (have access to 172.16.30.0/24) no problem, but when I use the same config except substituting 10.129.1.0/16 as the local network in the tunnel settings, I can't access anything in the 10.129.1.0/16 range. I think this is because the hosts on the "internal" network have a gateway of 10.129.1.1.

    The wrinkle is, this configuration was working using OpenVPN Access Server on Ubuntu in previous testing, so I suspect that this is a simple matter with a simple solution.

    Thanks for any help!!

    Mark



  • By "external network" I am assuming it is not actually external to you - it is local on OPT1. It is a sort of DMZ, a subnet that you can manage locally separate to the corporate 10.129 stuff.
    For example, let's say the OpenVPN tunnel network is 10.42.42.0/24
    The AD authentication will be working because that is just packets between 10.129.1.200 and 10.129.1.10 - local traffic on your internal LAN - no routing needed.
    The CISCO at 10.129.1.1 is going to need a static route added to tell it that 10.42.42.0/24 is reached through gateway 10.129.1.200 (the pfSense), or:
    Every system on the LAN that needs access by the OpenVPN users has to have an extra route added for 10.42.42.0/24 gateway 10.129.1.200

    I presume your LAN is the whole of 10.129.0.0/16 - and the CISCO then routes to other office/s in other parts of the company, like head office 10.128.0.0/16. If you want OpenVPN users to get to head office etc then the CISCO network in general needs to know routes to the OpenVPN 10.42.42.0/24 - you do need to get cooperation of the rest of the organisation when you add "dial-in" VPN to a branch office and want those users to be able to access internal company network private IP address resources.



  • Would a possible solution be to NAT the OpenVPN network (for example 10.30.0.0/24) to the LAN IP 10.129.1.200, so that the "internal" network thinks that any VPN requests are coming from 10.129.1.200 and so would not need these additional routes?

    I've set up an outbound NAT rule as follows:

    http://imgur.com/bVX509P

    I think that this should translate any traffic on 10.30.0.0/24 destined for 10.129.0.0/16 to the LAN IP address (in this case, 10.129.1.200). But in my case, it still isn't working. Can anyone tell me if this looks correct?

    Or, do I need to add any firewall rules to allow this traffic, or is the default Allow to Any rule sufficient?

    Thanks again in advance.



  • The principle is fine - the NAT will hide the "real" OpenVPN network behind the pfSense LAN IP. Assuming 10.30.0.0/24 is the OpenVPN then it should work. Can anyone else spot the error or extra step needed here?
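    Added example (not from the thread or from pfSense): a small Python model of the return-path problem the two replies above describe. It uses the addresses from the thread and the reply's 10.42.42.0/24 tunnel example, with a constructed VPN client address of 10.42.42.5, and traces an AD server's reply under three setups: no change, a static route on the CISCO, and the outbound NAT to the pfSense LAN address.

```python
import ipaddress

# Addresses from the thread; the tunnel network is the reply's 10.42.42.0/24 example.
VPN_CLIENT = ipaddress.ip_address("10.42.42.5")     # constructed client address
AD_SERVER = ipaddress.ip_address("10.129.1.10")
CISCO = ipaddress.ip_address("10.129.1.1")
PFSENSE_LAN = ipaddress.ip_address("10.129.1.200")
TUNNEL = ipaddress.ip_network("10.42.42.0/24")
INTERNAL = ipaddress.ip_network("10.129.0.0/16")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def next_hop(table, dst):
    """Longest-prefix match over (network, next_hop) entries; None when nothing matches."""
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda e: e[0].prefixlen)[1]

def outbound_nat(src, dst, nat_enabled):
    """The outbound NAT rule from the thread: tunnel -> internal traffic leaves
    pfSense with the LAN address as source, so hosts reply to an on-link address."""
    if nat_enabled and src in TUNNEL and dst in INTERNAL:
        return PFSENSE_LAN
    return src

def return_path(reply_dst, cisco_static_route=False):
    """Trace the reply from AD_SERVER toward reply_dst and return the hops taken."""
    host_table = [(INTERNAL, "on-link"), (DEFAULT, CISCO)]   # internal hosts point at the CISCO
    cisco_table = [(INTERNAL, "on-link")]
    if cisco_static_route:                                   # fix 1: 10.42.42.0/24 via pfSense
        cisco_table.append((TUNNEL, PFSENSE_LAN))
    hop = next_hop(host_table, reply_dst)
    if hop == "on-link":
        return ["delivered directly on the LAN"]
    path = [f"host -> {hop}"]
    hop = next_hop(cisco_table, reply_dst)
    if hop is None:
        return path + ["dropped: Cisco has no route to the tunnel"]
    return path + [f"Cisco -> {hop}", "delivered to pfSense"]

def vpn_reply_reaches_pfsense(nat_enabled=False, cisco_static_route=False):
    """Does the AD server's reply to a VPN client make it back to pfSense?"""
    seen_src = outbound_nat(VPN_CLIENT, AD_SERVER, nat_enabled)
    path = return_path(seen_src, cisco_static_route)
    return not path[-1].startswith("dropped"), path

if __name__ == "__main__":
    for nat, route in [(False, False), (False, True), (True, False)]:
        ok, path = vpn_reply_reaches_pfsense(nat, route)
        print(f"NAT={nat} static_route={route}: {'OK' if ok else 'FAIL'} {path}")
```

    The NAT variant works without touching the CISCO, at the cost of the internal servers seeing every VPN user as 10.129.1.200 in their logs.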



  • Just wanted to post a follow-up. Not sure why, but this config (NAT through the LAN address with the posted config) is working properly today. Thanks for the replies!