Pfsense / open vpn netmask issue?
-
so i know this has been covered, and i've read some of it, but i can't quite wrap my head around it.
what i'm working with is several subnets on one wire network. we have a 'main' network designated AAA.AA.AAA.0/24, and a specific subnet of interest designated BBB.BB.BBB.0/25
my pfsense ip config is
WAN AAA.AA.AAA.107/24
LAN BBB.BB.BBB.107/24
and for openvpn is
tunnel BBB.BB.BBB.64/26
local BBB.BB.BBB.0/25
my windows 7 client connects successfully, and gets two custom routes that i need for specific machines (XXX.XX.XX.XXX/Y) to be accessed over the B subnet. only an addr in the B subnet can reach those hosts. so i used my pfsense LAN as that subnet, and open vpn to assign an addr in that range. all seems to work well. sadly i get a subnet mask of /30 (.252). here is the routing table as a result of what i've done, and except for that stupid netmask, the whole thing looks right!
IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 AAA.AA.AAA.1 AAA.AA.AAA.122 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
XXX.XX.XX.XXX 255.255.255.255 BBB.BB.BBB.1 BBB.BB.BBB.70 31
XXX.XX.XX.XXY 255.255.255.255 BBB.BB.BBB.1 BBB.BB.BBB.70 31
BBB.BB.BBB.0 255.255.255.128 BBB.BB.BBB.69 BBB.BB.BBB.70 30
BBB.BB.BBB.65 255.255.255.255 BBB.BB.BBB.69 BBB.BB.BBB.70 30
BBB.BB.BBB.68 255.255.255.252 On-link BBB.BB.BBB.70 286
BBB.BB.BBB.70 255.255.255.255 On-link BBB.BB.BBB.70 286
BBB.BB.BBB.71 255.255.255.255 On-link BBB.BB.BBB.70 286
AAA.AA.AAA.0 255.255.255.0 On-link AAA.AA.AAA.122 286
AAA.AA.AAA.122 255.255.255.255 On-link AAA.AA.AAA.122 286
AAA.AA.AAA.255 255.255.255.255 On-link AAA.AA.AAA.122 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link AAA.AA.AAA.122 286
224.0.0.0 240.0.0.0 On-link BBB.BB.BBB.70 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link AAA.AA.AAA.122 286
255.255.255.255 255.255.255.255 On-link BBB.BB.BBB.70 286
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 AAA.AA.AAA.1 Default
i've seen messages that involve that, but the only solution i found is changing the 'dev tap' config to 'dev tun' which my client already uses, or reference very old versions (i got the latest for VMware a few days ago). i'm sure i'm missing something, but for the life of me can't figure it out.
thanks all for your patience and help.
EDIT: i should add that i get an error message in the client that the BBB.BB.BBB.1 gateway can't be reached from any interface, which i can only guess is due to that /30 netmask.
-
Which subnet mask are you thinking is wrong?
It looks like how I'd expect OpenVPN's subnet mask for that setup to look, and the mask is correct for BBB.BBB.BBB.0/25 (255.255.255.128)
-
maybe i'm more thoroughly misunderstanding this than i thought. the line i thought was the problem is:
BBB.BB.BBB.68 255.255.255.252 On-link BBB.BB.BBB.70 286
and i thought it was the problem because it conflicts? with the line:
BBB.BB.BBB.0 255.255.255.128 BBB.BB.BBB.69 BBB.BB.BBB.70 30
but maybe not. long story short is that i can't pass any traffic beyond the pfsense box on the B subnet. it just goes nowhere. i've set all my firewall rules to wide open, in the hope of correcting this to no avail
-
Ah, well yes those do overlap. The letters threw me off there. It's not the subnet mask's fault though.
x.x.x.0/25 goes from x.x.x.0-x.x.x.127, your VPN can't be inside of that range anywhere.
If you made your VPN subnet x.x.x.128/26 that would work. It has to be separate/distinct.
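An added overlap check for the layout in the first post (example code written for this thread, not pfSense's or OpenVPN's own). It assumes the masked "B" subnet is the 192.168.14.0/25 the poster unmasks later, so the first post's tunnel becomes 192.168.14.64/26 and the LAN 192.168.14.0/24; the second helper lists the /26 blocks of that /24 that stay clear of the /25, which is the kind of block suggested above.

```python
"""Overlap check for an OpenVPN tunnel network versus the networks around it.

Added example, not pfSense or OpenVPN code. 192.168.14.0/25 is "subnet B" as
unmasked later in the thread; the /26 tunnel and the /24 LAN are the first
post's values with the masked letters filled in (an assumption).
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple


def find_overlaps(tunnel: str, networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every network that collides with the tunnel.

    OpenVPN hands clients addresses out of the tunnel network and the server
    routes the 'local' networks back through the tunnel; if those ranges
    overlap, part of the tunnel is routed at itself and traffic goes nowhere.
    """
    tun = ip_network(tunnel, strict=False)
    problems = []
    for name, cidr in networks.items():
        net = ip_network(cidr, strict=False)
        if not tun.overlaps(net):
            continue
        if tun.subnet_of(net):
            reason = f"tunnel {tun} lies inside {net}"
        elif net.subnet_of(tun):
            reason = f"{net} lies inside tunnel {tun}"
        else:
            reason = f"{tun} and {net} partially overlap"
        problems.append((name, reason))
    return problems


def free_blocks(parent: str, prefixlen: int, used: List[str]) -> List[str]:
    """List the /prefixlen blocks inside parent that touch none of the used networks."""
    taken = [ip_network(u, strict=False) for u in used]
    return [
        str(cand)
        for cand in ip_network(parent, strict=False).subnets(new_prefix=prefixlen)
        if not any(cand.overlaps(t) for t in taken)
    ]


if __name__ == "__main__":
    # First layout from the thread: the tunnel is carved out of subnet B itself.
    first = {"local (pushed route)": "192.168.14.0/25",
             "pfSense LAN": "192.168.14.0/24",
             "pfSense WAN": "192.168.17.0/24"}
    for name, why in find_overlaps("192.168.14.64/26", first):
        print(f"CONFLICT {name}: {why}")
    print(free_blocks("192.168.14.0/24", 26, ["192.168.14.0/25"]))  # .128/26, .192/26
    # Second layout: a tunnel on 10.10.10.0/24 collides with none of them.
    print(find_overlaps("10.10.10.0/24", first))
```

The /30 the Windows client shows is OpenVPN's per-client net30 addressing on that version and is not the cause; the overlap is what the check reports.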
-
ok, so in a fit of frustration, i trashed the vm running pfsense, and reinstalled. reconfigured, and as before everything went quite smoothly. many thanks for producing a really great distro! this time i went for 10 as my tunneling network, with my wan and lan assigned as before to eliminate any possibility of overlap. as before i've added pass all rules to my firewall. here is what my routing table now looks like:
===========================================================================
Interface List
20...xx xx xx xx xx xx ......TAP-Windows Adapter V9
11...xx xx xx xx xx xx ......Broadcom NetLink (TM) Gigabit Ethernet
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 AAA.AA.AAA.1 AAA.AA.AAA.122 286
10.10.10.1 255.255.255.255 10.10.10.5 10.10.10.6 30
10.10.10.4 255.255.255.252 On-link 10.10.10.6 286
10.10.10.6 255.255.255.255 On-link 10.10.10.6 286
10.10.10.7 255.255.255.255 On-link 10.10.10.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
BBB.BB.BBB.0 255.255.255.128 10.10.10.5 10.10.10.6 30
AAA.AA.AAA.0 255.255.255.0 On-link AAA.AA.AAA.122 286
AAA.AA.AAA.122 255.255.255.255 On-link AAA.AA.AAA.122 286
AAA.AA.AAA.255 255.255.255.255 On-link AAA.AA.AAA.122 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link AAA.AA.AAA.122 286
224.0.0.0 240.0.0.0 On-link 10.10.10.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link AAA.AA.AAA.122 286
255.255.255.255 255.255.255.255 On-link 10.10.10.6 286
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 AAA.AA.AAA.1 Default
haven't added any extras yet, just an out-of-the-box type of config. the important destination network, and the reason for this vpn, is the BBB.BB.BBB.0 route in the table. i need my clients to be able to communicate from within that subnet. once up and operational, i still can't pass traffic to that net. nothing shows errors, so it seems that the function as it is now is how it is intended. this leaves me with a few fundamental questions:
is this the intended operation of openvpn? if so what purpose does it serve other than to create a secure connection to the pfsense server? i must have missed something here.
is there any way to create a setup that will allow my win7 clients to access this subnet, from an addr within this subnet, without having to reconfigure their current hw adapter?
thanks again for all of your help in figuring this out!
d
-
So what does not work? Don't get me wrong, but these censored outputs are annoying like hell. Which "that net" does not work? Where are some configuration screenshots? ::)
-
ok, i thought my last post was pretty clear, but maybe not. my goal with pfsense is this:
i have desktop computers on a wire network with (since the letters are confusing, sorry, company says i can't post our ip's) a subnet of 192.168.17.0/24 (previously subnet A)
i have a second subnet on the same wire network of 192.168.14.0/25 (previously subnet B) this subnet is linked to our customer
target is to allow a computer in subnet A to send and receive traffic from an address in subnet B after requiring a user to enter a username and password
the reason for this is that our customer has servers in subnet B which are secure, and due to their policy the security cannot be changed in any meaningful way
the issue that i am having right now is that i can connect to the openvpn server on my pfsense vm, auth properly, and obtain an ip address and routing, but i cannot pass traffic, as the tunneling network is in the 10.0.0.0/8 subnet which is unroutable. with pptp, i could assign an addr from a pool that fell within subnet b, and pass traffic, but making necessary routing changes was prohibitively difficult. with openvpn, the routing changes are much simplified, but address assignment seems to be an issue. my suspicion now is that the /30 subnet that open vpn has given me seems to be an issue, and i'm not sure why this is happening. user jimp had indicated it was due to an overlap in IP's, which i've corrected, but that hasn't changed the behavior. the current routing table result of a connection looks like this:
IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.17.1 192.168.17.122 286
10.10.10.1 255.255.255.255 10.10.10.5 10.10.10.6 30
10.10.10.4 255.255.255.252 On-link 10.10.10.6 286
10.10.10.6 255.255.255.255 On-link 10.10.10.6 286
10.10.10.7 255.255.255.255 On-link 10.10.10.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.14.0 255.255.255.128 10.10.10.5 10.10.10.6 30
192.168.17.0 255.255.255.0 On-link 192.168.17.122 286
192.168.17.122 255.255.255.255 On-link 192.168.17.122 286
192.168.17.255 255.255.255.255 On-link 192.168.17.122 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.17.122 286
224.0.0.0 240.0.0.0 On-link 10.10.10.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.17.122 286
255.255.255.255 255.255.255.255 On-link 10.10.10.6 286
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.17.1 Default
if i'm not able to work it out strictly through openvpn, i'm going to move on to openvpn/NAT next, but i'm trying to make sure i don't make my system overly complex.
if there are any further clarifications, please let me know.
-
This appears to be a fairly simple setup. Give us a network map with IP's, post your server1.conf and routing table from PFsense.
-
so sorry for the delay. got called in to work on another project.
not entirely sure what you mean by a "network map" did you mean the graphical representation?
our network is a single physical wired network which hosts several subnets with their own gateways in a common rack.
the gateways share a switch to our isp allowing comm between subnets, and with our isp.
the subnets of interest here are:
192.168.17.0/24 -> 192.168.17.1
192.168.14.0/25 -> 192.168.14.1
thanks again for all your help. am really trying to get my company to move more toward opensource, and this would be another great step in that direction
[2.0.3-RELEASE][root@vpn.abc.def.com]/root(5): cat /var/etc/openvpn/server1.conf
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.17.107
tls-server
server 10.10.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 16
push "route 192.168.14.0 255.255.255.128"
push "dhcp-option DOMAIN abc.def.com"
push "dhcp-option DNS 192.168.17.8"
push "dhcp-option DNS 192.168.17.2"
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
[2.0.3-RELEASE][root@vpn.abc.def.com]/root(49): netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default cav-firewall UGS 0 1294165 em1
10.10.10.0 10.10.10.2 UGS 0 0 ovpns1
10.10.10.1 link#8 UHS 0 0 lo0
10.10.10.2 link#8 UH 0 0 ovpns1
localhost link#6 UH 1 76 lo0
192.168.14.0/25 link#1 U 0 7 em0
vpn link#1 UHS 0 0 lo0
192.168.17.0 link#2 U 0 8381 em1
192.168.17.107 link#2 UHS 0 0 lo0
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
fe80::%em0 link#1 U em0
fe80::20c:29ff:fea link#1 UHS lo0
fe80::%em1 link#2 U em1
fe80::20c:29ff:fea link#2 UHS lo0
fe80::%lo0 link#6 U lo0
fe80::1%lo0 link#6 UHS lo0
fe80::%ovpns1 link#8 U ovpns1
fe80::20c:29ff:fea link#8 UHS lo0
ff01:1:: fe80::20c:29ff:fea U em0
ff01:2:: fe80::20c:29ff:fea U em1
ff01:6:: ::1 U lo0
ff01:8:: fe80::20c:29ff:fea U ovpns1
ff02::%em0 fe80::20c:29ff:fea U em0
ff02::%em1 fe80::20c:29ff:fea U em1
ff02::%lo0 ::1 U lo0
ff02::%ovpns1 fe80::20c:29ff:fea U ovpns1
-
Yes, a graphical representation of your network (also unmask all the private subnets), e.g. here's a simple one for my home network:
Internet -> PFsense (192.168.50.1/24) -> switch -> LAN
Once we get your network map maybe we'll have a clearer picture, but just a couple things that look weird:
Your config says your WAN IP on PFsense is 192.168.17.107, but then you go on to push DNS on the WAN subnet, which doesn't make sense. (I'm guessing you want something on the 14.x side, since that's what you are routing thru the tunnel)
Post a network map, so we can troubleshoot further. Also, make sure your firewall rules (openvpn tab) are any/any for now.