pfSense / OpenVPN netmask issue?



  • So I know this has been covered, and I've read some of it, but I can't quite wrap my head around it.

    What I'm working with is several subnets on one wired network. We have a 'main' network designated AAA.AA.AAA.0/24, and a specific subnet of interest designated BBB.BB.BBB.0/25.

    My pfSense IP config is

    WAN AAA.AA.AAA.107/24
    LAN BBB.BB.BBB.107/24

    and for OpenVPN is

    tunnel BBB.BB.BBB.64/26
    local BBB.BB.BBB.0/25

    My Windows 7 client connects successfully, and gets two custom routes that I need for specific machines (XXX.XX.XX.XXX/Y) to be accessed over the B subnet. Only an addr in the B subnet can reach those hosts. So I used my pfSense LAN as that subnet, and OpenVPN to assign an addr in that range. All seems to work well. Sadly I get a subnet mask of /30 (.252). Here is the routing table as a result of what I've done, and except for that stupid netmask, the whole thing looks right!

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    AAA.AA.AAA.1  AAA.AA.AAA.122    286
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        XXX.XX.XX.XXX  255.255.255.255    BBB.BB.BBB.1    BBB.BB.BBB.70    31
        XXX.XX.XX.XXY  255.255.255.255    BBB.BB.BBB.1    BBB.BB.BBB.70    31
        BBB.BB.BBB.0  255.255.255.128    BBB.BB.BBB.69    BBB.BB.BBB.70    30
        BBB.BB.BBB.65  255.255.255.255    BBB.BB.BBB.69    BBB.BB.BBB.70    30
        BBB.BB.BBB.68  255.255.255.252        On-link    BBB.BB.BBB.70    286
        BBB.BB.BBB.70  255.255.255.255        On-link    BBB.BB.BBB.70    286
        BBB.BB.BBB.71  255.255.255.255        On-link    BBB.BB.BBB.70    286
        AAA.AA.AAA.0    255.255.255.0        On-link    AAA.AA.AAA.122    286
      AAA.AA.AAA.122  255.255.255.255        On-link    AAA.AA.AAA.122    286
      AAA.AA.AAA.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    AAA.AA.AAA.122    286
            224.0.0.0        240.0.0.0        On-link    BBB.BB.BBB.70    286
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
      255.255.255.255  255.255.255.255        On-link    BBB.BB.BBB.70    286

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    AAA.AA.AAA.1  Default

    I've seen messages that involve that, but the only solution I found is changing the 'dev tap' config to 'dev tun', which my client already uses, or they reference very old versions (I got the latest for VMware a few days ago). I'm sure I'm missing something, but for the life of me can't figure it out.

    Thanks all for your patience and help.

    EDIT: I should add that I get an error message in the client that the BBB.BB.BBB.1 gateway can't be reached from any interface, which I can only guess is due to that /30 netmask.


  • Rebel Alliance Developer Netgate

    Which subnet mask are you thinking is wrong?

    It looks like how I'd expect OpenVPN's subnet mask for that setup to look, and the mask is correct for BBB.BB.BBB.0/25 (255.255.255.128).



  • Maybe I'm more thoroughly misunderstanding this than I thought. The line I thought was the problem is:

    BBB.BB.BBB.68  255.255.255.252        On-link    BBB.BB.BBB.70    286

    and I thought it was the problem because it conflicts (?) with the line:

    BBB.BB.BBB.0  255.255.255.128    BBB.BB.BBB.69    BBB.BB.BBB.70    30

    But maybe not. Long story short is that I can't pass any traffic beyond the pfSense box on the B subnet. It just goes nowhere. I've set all my firewall rules to wide open, in the hope of correcting this, to no avail.


  • Rebel Alliance Developer Netgate

    Ah, well yes those do overlap. The letters threw me off there. It's not the subnet mask's fault though.

    x.x.x.0/25 goes from x.x.x.0-x.x.x.127, your VPN can't be inside of that range anywhere.

    If you made your VPN subnet x.x.x.128/26 that would work. It has to be separate/distinct.
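    As an added illustration (my own code, not from this thread or from pfSense), the snippet below reproduces how OpenVPN's default `topology net30` carves a tunnel network into /30s, which is where the "stupid" 255.255.255.252 mask comes from, and checks whether the chosen tunnel overlaps the networks it is supposed to reach. The 192.168.14.x values are the poster's subnet B as unmasked later in the thread; the first client's addresses it computes (.70 with peer .69, and 10.10.10.6 with peer 10.10.10.5 for the reinstalled box) match the posted routing tables.

```python
import ipaddress

def net30_client_addresses(tunnel_network):
    """Return [(client_ip, server_side_peer_ip), ...] for OpenVPN's default
    'topology net30' on the given tunnel network.

    OpenVPN splits the tunnel into /30 blocks: the first block is the server's
    own (endpoint .1, peer .2) and every following block goes to one client,
    which is why a Windows client sees an On-link /30 route for its tunnel.
    """
    net = ipaddress.ip_network(tunnel_network, strict=False)
    pairs = []
    for block in list(net.subnets(new_prefix=30))[1:]:
        peer = block.network_address + 1     # server side of the point-to-point pair
        client = block.network_address + 2   # address handed to the client
        pairs.append((str(client), str(peer)))
    return pairs

def overlapping_networks(tunnel_network, *other_networks):
    """Return the networks from other_networks that overlap the tunnel network."""
    tunnel = ipaddress.ip_network(tunnel_network, strict=False)
    return [n for n in other_networks
            if tunnel.overlaps(ipaddress.ip_network(n, strict=False))]

def check_tunnel_plan(tunnel_network, local_networks):
    """Summarise a plan: is it free of overlap, and what does the first client get?"""
    clashes = overlapping_networks(tunnel_network, *local_networks)
    first_client, first_peer = net30_client_addresses(tunnel_network)[0]
    return {"usable": not clashes, "overlaps": clashes,
            "first_client": first_client, "first_peer": first_peer}

if __name__ == "__main__":
    lans = ["192.168.14.0/25", "192.168.17.0/24"]
    # The original plan: a /26 carved out of the very /25 the VPN is meant to reach
    print(check_tunnel_plan("192.168.14.64/26", lans))
    # jimp's suggestion: the /26 just above the /25, distinct from it
    print(check_tunnel_plan("192.168.14.128/26", lans))
    # What the reinstalled box used: 10.10.10.0/24 (first client 10.10.10.6, peer .5)
    print(check_tunnel_plan("10.10.10.0/24", lans))
```

    An overlapping plan does not fail at connect time; the client simply installs a pushed route for the /25 that covers its own /30, and traffic for the far side has nowhere coherent to go, which is the symptom described above.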



  • OK, so in a fit of frustration, I trashed the VM running pfSense, and reinstalled. Reconfigured, and as before everything went quite smoothly. Many thanks for producing a really great distro! This time I went for 10 as my tunneling network, with my WAN and LAN assigned as before, to eliminate any possibility of overlap. As before I've added pass-all rules to my firewall. Here is what my routing table now looks like:

    ===========================================================================
    Interface List
    20...xx xx xx xx xx xx ......TAP-Windows Adapter V9
    11...xx xx xx xx xx xx ......Broadcom NetLink (TM) Gigabit Ethernet
      1...........................Software Loopback Interface 1
    12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
    14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    AAA.AA.AAA.1  AAA.AA.AAA.122    286
          10.10.10.1  255.255.255.255      10.10.10.5      10.10.10.6    30
          10.10.10.4  255.255.255.252        On-link        10.10.10.6    286
          10.10.10.6  255.255.255.255        On-link        10.10.10.6    286
          10.10.10.7  255.255.255.255        On-link        10.10.10.6    286
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        BBB.BB.BBB.0  255.255.255.128      10.10.10.5      10.10.10.6    30
        AAA.AA.AAA.0    255.255.255.0        On-link    AAA.AA.AAA.122    286
      AAA.AA.AAA.122  255.255.255.255        On-link    AAA.AA.AAA.122    286
      AAA.AA.AAA.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    AAA.AA.AAA.122    286
            224.0.0.0        240.0.0.0        On-link        10.10.10.6    286
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
      255.255.255.255  255.255.255.255        On-link        10.10.10.6    286

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    AAA.AA.AAA.1  Default

    Haven't added any extras yet, just an out-of-the-box type of config. The important destination network, and the reason for this VPN, is the BBB.BB.BBB.0 route in the table. I need my clients to be able to communicate from within that subnet. Once up and operational, I still can't pass traffic to that net. Nothing shows errors, so it seems that the function as it is now is how it is intended. This leaves me with a few fundamental questions:

    Is this the intended operation of OpenVPN? If so, what purpose does it serve other than to create a secure connection to the pfSense server? I must have missed something here.

    Is there any way to create a setup that will allow my Win7 clients to access this subnet, from an addr within this subnet, without having to reconfigure their current HW adapter?

    Thanks again for all of your help in figuring this out!

    d


  • Banned

    So what does not work? Don't get me wrong, but these censored outputs are annoying like hell. Which "that net" does not work? Where are some configuration screenshots?  ::)



  • OK, I thought my last post was pretty clear, but maybe not. My goal with pfSense is this:

    I have desktop computers on a wired network with (since the letters are confusing, sorry, company says I can't post our IPs) a subnet of 192.168.17.0/24 (previously subnet A).
    I have a second subnet on the same wired network of 192.168.14.0/25 (previously subnet B). This subnet is linked to our customer.

    Target is to allow a computer in subnet A to send and receive traffic from an address in subnet B after requiring a user to enter a username and password.
    The reason for this is that our customer has servers in subnet B which are secure, and due to their policy the security cannot be changed in any meaningful way.

    The issue that I am having right now is that I can connect to the OpenVPN server on my pfSense VM, auth properly, and obtain an IP address and routing, but I cannot pass traffic, as the tunneling network is in the 10.0.0.0/8 subnet which is unroutable. With PPTP, I could assign an addr from a pool that fell within subnet B, and pass traffic, but making the necessary routing changes was prohibitively difficult. With OpenVPN, the routing changes are much simplified, but address assignment seems to be an issue. My suspicion now is that the /30 subnet that OpenVPN has given me seems to be an issue, and I'm not sure why this is happening. User jimp had indicated it was due to an overlap in IPs, which I've corrected, but that hasn't changed the behavior. The current routing table result of a connection looks like this:

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.17.1  192.168.17.122    286
          10.10.10.1  255.255.255.255      10.10.10.5      10.10.10.6    30
          10.10.10.4  255.255.255.252        On-link        10.10.10.6    286
          10.10.10.6  255.255.255.255        On-link        10.10.10.6    286
          10.10.10.7  255.255.255.255        On-link        10.10.10.6    286
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        192.168.14.0  255.255.255.128      10.10.10.5      10.10.10.6    30
        192.168.17.0    255.255.255.0        On-link    192.168.17.122    286
      192.168.17.122  255.255.255.255        On-link    192.168.17.122    286
      192.168.17.255  255.255.255.255        On-link    192.168.17.122    286
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    192.168.17.122    286
            224.0.0.0        240.0.0.0        On-link        10.10.10.6    286
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    192.168.17.122    286
      255.255.255.255  255.255.255.255        On-link        10.10.10.6    286

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    192.168.17.1  Default

    If I'm not able to work it out strictly through OpenVPN, I'm going to move on to OpenVPN/NAT next, but I'm trying to make sure I don't make my system overly complex.

    If there are any further clarifications, please let me know.






  • This appears to be a fairly simple setup. Give us a network map with IPs, post your server1.conf and routing table from pfSense.



  • So sorry for the delay. Got called in to work on another project.

    Not entirely sure what you mean by a "network map". Did you mean the graphical representation?
    Our network is a single physical wired network which hosts several subnets with their own gateways in a common rack.
    The gateways share a switch to our ISP allowing comm between subnets, and with our ISP.
    The subnets of interest here are:
    192.168.17.0/24 -> 192.168.17.1
    192.168.14.0/25 -> 192.168.14.1

    Thanks again for all your help. Am really trying to get my company to move more toward open source, and this would be another great step in that direction.

    [2.0.3-RELEASE][root@vpn.abc.def.com]/root(5): cat /var/etc/openvpn/server1.conf
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.17.107
    tls-server
    server 10.10.10.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 16
    push "route 192.168.14.0 255.255.255.128"
    push "dhcp-option DOMAIN abc.def.com"
    push "dhcp-option DNS 192.168.17.8"
    push "dhcp-option DNS 192.168.17.2"
    duplicate-cn
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    [2.0.3-RELEASE][root@vpn.abc.def.com]/root(49): netstat -r
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            cav-firewall      UGS        0  1294165    em1
    10.10.10.0        10.10.10.2        UGS        0        0 ovpns1
    10.10.10.1        link#8            UHS        0        0    lo0
    10.10.10.2        link#8            UH          0        0 ovpns1
    localhost          link#6            UH          1      76    lo0
    192.168.14.0/25    link#1            U          0        7    em0
    vpn                link#1            UHS        0        0    lo0
    192.168.17.0      link#2            U          0    8381    em1
    192.168.17.107    link#2            UHS        0        0    lo0

    Internet6:
    Destination        Gateway            Flags      Netif Expire
    ::1                ::1                UH          lo0
    fe80::%em0        link#1            U          em0
    fe80::20c:29ff:fea link#1            UHS        lo0
    fe80::%em1        link#2            U          em1
    fe80::20c:29ff:fea link#2            UHS        lo0
    fe80::%lo0        link#6            U          lo0
    fe80::1%lo0        link#6            UHS        lo0
    fe80::%ovpns1      link#8            U        ovpns1
    fe80::20c:29ff:fea link#8            UHS        lo0
    ff01:1::          fe80::20c:29ff:fea U          em0
    ff01:2::          fe80::20c:29ff:fea U          em1
    ff01:6::          ::1                U          lo0
    ff01:8::          fe80::20c:29ff:fea U        ovpns1
    ff02::%em0        fe80::20c:29ff:fea U          em0
    ff02::%em1        fe80::20c:29ff:fea U          em1
    ff02::%lo0        ::1                U          lo0
    ff02::%ovpns1      fe80::20c:29ff:fea U        ovpns1



  • Yes, a graphical representation of your network (also unmask all the private subnets), e.g. here's a simple one for my home network:

    Internet -> pfSense (192.168.50.1/24) -> switch -> LAN

    Once we get your network map maybe we'll have a clearer picture, but just a couple things that look weird:

    Your config says your WAN IP on pfSense is 192.168.17.107, but then you go on to push DNS on the WAN subnet, which doesn't make sense. (I'm guessing you want something on the 14.x side, since that's what you are routing through the tunnel.)

    Post a network map, so we can troubleshoot further. Also, make sure your firewall rules (OpenVPN tab) are any/any for now.
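    The DNS point raised above can be checked mechanically. As an added example (my own code, not from this thread or from pfSense), the snippet parses the routing-related directives of an OpenVPN server config, the `server`, `push "route ..."` and `push "dhcp-option DNS ..."` lines, and reports pushed DNS servers that neither the tunnel network nor any pushed route covers. The sample text is copied from the server1.conf posted earlier; the function names are mine.

```python
import ipaddress
import shlex

# Sample input: the routing-related lines from the posted server1.conf
SAMPLE_CONF = """\
local 192.168.17.107
server 10.10.10.0 255.255.255.0
push "route 192.168.14.0 255.255.255.128"
push "dhcp-option DOMAIN abc.def.com"
push "dhcp-option DNS 192.168.17.8"
push "dhcp-option DNS 192.168.17.2"
"""

def parse_server_conf(text):
    """Collect the directives that shape a client's view of the network:
    the tunnel ('server'), pushed routes and pushed DNS servers.
    Every other directive is ignored."""
    info = {"tunnel": None, "routes": [], "dns": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments such as '#user nobody'
        if not line:
            continue
        parts = shlex.split(line)             # removes the quotes around push "..."
        if parts[0] == "server" and len(parts) >= 3:
            info["tunnel"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "push" and len(parts) == 2:
            args = parts[1].split()
            if args[0] == "route" and len(args) >= 3:
                info["routes"].append(
                    ipaddress.ip_network(f"{args[1]}/{args[2]}", strict=False))
            elif args[0] == "dhcp-option" and len(args) == 3 and args[1] == "DNS":
                info["dns"].append(ipaddress.ip_address(args[2]))
    return info

def unreachable_dns(info):
    """Pushed DNS servers that no pushed route (nor the tunnel itself) covers.
    A client that only reaches the VPN side through the tunnel cannot use them."""
    covered = info["routes"] + ([info["tunnel"]] if info["tunnel"] else [])
    return [str(d) for d in info["dns"] if not any(d in net for net in covered)]

if __name__ == "__main__":
    parsed = parse_server_conf(SAMPLE_CONF)
    print("tunnel:", parsed["tunnel"],
          "pushed routes:", [str(r) for r in parsed["routes"]])
    print("DNS servers not reachable through the tunnel:", unreachable_dns(parsed))
```

    For the poster's own clients, which sit on 192.168.17.0/24 (the On-link route in the tables above), those two servers happen to be reachable anyway; for any client connecting from elsewhere they would not be, which is the responder's point.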

