Netgate Discussion Forum

Pfsense / open vpn netmask issue?

    lostgeek (posted Aug 19, 2013, 5:51 PM; last edited Aug 19, 2013, 6:01 PM)

    so i know this has been covered, and i've read some of it, but i can't quite wrap my head around it.

    what i'm working with is several subnets on one wire network. we have a 'main' network designated AAA.AA.AAA.0/24, and a specific subnet of interest designated BBB.BB.BBB.0/25

    my pfsense ip config is

    WAN AAA.AA.AAA.107/24
    LAN BBB.BB.BBB.107/24

    and for openvpn is

    tunnel BBB.BB.BBB.64/26
    local BBB.BB.BBB.0/25

    my windows 7 client connects successfully, and gets two custom routes that i need for specific machines (XXX.XX.XX.XXX/Y) to be accessed over the B subnet. only an addr in the B subnet can reach those hosts. so i used my pfsense LAN as that subnet, and open vpn to assign an addr in that range. all seems to work well. sadly i get a subnet mask of /30 (.252). here is the routing table as a result of what i've done, and except for that stupid netmask, the whole thing looks right!

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    AAA.AA.AAA.1  AAA.AA.AAA.122    286
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        XXX.XX.XX.XXX  255.255.255.255    BBB.BB.BBB.1    BBB.BB.BBB.70    31
        XXX.XX.XX.XXY  255.255.255.255    BBB.BB.BBB.1    BBB.BB.BBB.70    31
        BBB.BB.BBB.0  255.255.255.128    BBB.BB.BBB.69    BBB.BB.BBB.70    30
        BBB.BB.BBB.65  255.255.255.255    BBB.BB.BBB.69    BBB.BB.BBB.70    30
        BBB.BB.BBB.68  255.255.255.252        On-link    BBB.BB.BBB.70    286
        BBB.BB.BBB.70  255.255.255.255        On-link    BBB.BB.BBB.70    286
        BBB.BB.BBB.71  255.255.255.255        On-link    BBB.BB.BBB.70    286
        AAA.AA.AAA.0    255.255.255.0        On-link    AAA.AA.AAA.122    286
      AAA.AA.AAA.122  255.255.255.255        On-link    AAA.AA.AAA.122    286
      AAA.AA.AAA.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    AAA.AA.AAA.122    286
            224.0.0.0        240.0.0.0        On-link    BBB.BB.BBB.70    286
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
      255.255.255.255  255.255.255.255        On-link    BBB.BB.BBB.70    286

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    AAA.AA.AAA.1  Default

    i've seen messages that involve that, but the only solution i found is changing the 'dev tap' config to 'dev tun' which my client already uses, or reference very old versions (i got the latest for VMware a few days ago). i'm sure i'm missing something, but for the life of me can't figure it out.

    thanks all for your patience and help.

    EDIT: i should add that i get an error message in the client that the BBB.BB.BBB.1 gateway can't be reached from any interface, which i can only guess is due to that /30 netmask.

    jimp (Rebel Alliance Developer, Netgate), last edited Aug 19, 2013, 6:45 PM

      Which subnet mask are you thinking is wrong?

      It looks like how I'd expect OpenVPN's subnet mask for that setup to look, and the mask is correct for BBB.BBB.BBB.0/25 (255.255.255.128)

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

    lostgeek, last edited Aug 19, 2013, 7:25 PM

    maybe i'm more thoroughly misunderstanding this than i thought. the line i thought was the problem is:

        BBB.BB.BBB.68  255.255.255.252        On-link    BBB.BB.BBB.70    286

        and i thought it was the problem because it conflicts? with the line:

        BBB.BB.BBB.0  255.255.255.128    BBB.BB.BBB.69    BBB.BB.BBB.70    30

        but maybe not. long story short is that i can't pass any traffic beyond the pfsense box on the B subnet. it just goes nowhere. i've set all my firewall rules to wide open, in the hope of correcting this to no avail

    jimp (Rebel Alliance Developer, Netgate), last edited Aug 19, 2013, 7:55 PM

          Ah, well yes those do overlap. The letters threw me off there. It's not the subnet mask's fault though.

          x.x.x.0/25 goes from x.x.x.0-x.x.x.127, your VPN can't be inside of that range anywhere.

          If you made your VPN subnet x.x.x.128/26 that would work. It has to be separate/distinct.


    lostgeek, last edited Aug 21, 2013, 5:42 PM

    ok, so in a fit of frustration, i trashed the vm running pfsense, and reinstalled. reconfigured, and as before everything went quite smoothly. many thanks for producing a really great distro! this time i went for 10 as my tunneling network, with my wan and lan assigned as before to eliminate any possibility of overlap. as before i've added pass all rules to my firewall. here is what my routing table now looks like:

            ===========================================================================
            Interface List
            20...xx xx xx xx xx xx ......TAP-Windows Adapter V9
            11...xx xx xx xx xx xx ......Broadcom NetLink (TM) Gigabit Ethernet
              1...........................Software Loopback Interface 1
            12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
            13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
            14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

            IPv4 Route Table

            Active Routes:
            Network Destination        Netmask          Gateway      Interface  Metric
                      0.0.0.0          0.0.0.0    AAA.AA.AAA.1  AAA.AA.AAA.122    286
                  10.10.10.1  255.255.255.255      10.10.10.5      10.10.10.6    30
                  10.10.10.4  255.255.255.252        On-link        10.10.10.6    286
                  10.10.10.6  255.255.255.255        On-link        10.10.10.6    286
                  10.10.10.7  255.255.255.255        On-link        10.10.10.6    286
                    127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                    127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
              127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                BBB.BB.BBB.0  255.255.255.128      10.10.10.5      10.10.10.6    30
                AAA.AA.AAA.0    255.255.255.0        On-link    AAA.AA.AAA.122    286
              AAA.AA.AAA.122  255.255.255.255        On-link    AAA.AA.AAA.122    286
              AAA.AA.AAA.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
                    224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                    224.0.0.0        240.0.0.0        On-link    AAA.AA.AAA.122    286
                    224.0.0.0        240.0.0.0        On-link        10.10.10.6    286
              255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
              255.255.255.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
              255.255.255.255  255.255.255.255        On-link        10.10.10.6    286

            Persistent Routes:
              Network Address          Netmask  Gateway Address  Metric
                      0.0.0.0          0.0.0.0    AAA.AA.AAA.1  Default

            haven't added any extras yet, just an out-of-the-box type of config. the important destination network, and the reason for this vpn, is the BBB.BB.BBB.0 route in the table. i need my clients to be able to communicate from within that subnet. once up and operational, i still can't pass traffic to that net. nothing shows errors, so it seems that the function as it is now is how it is intended. this leaves me with a few fundamental questions:

            is this the intended operation of openvpn? if so what purpose does it serve other than to create a secure connection to the pfsense server? i must have missed something here.

            is there any way to create a setup that will allow my win7 clients to access this subnet, from an addr within this subnet, without having to reconfigure their current hw adapter?

            thanks again for all of your help in figuring this out!

            d

    doktornotor (Banned), last edited Aug 21, 2013, 5:50 PM

              So what does not work? Don't get me wrong, but these censored outputs are annoying like hell. Which "that net" does not work? Where are some configuration screenshots?  ::)

    lostgeek, last edited Aug 22, 2013, 7:06 PM

                ok, i thought my last post was pretty clear, but maybe not. my goal with pfsense is this:

                i have desktop computers on a wire network with (since the letters are confusing, sorry, company says i can't post our ip's) a subnet of 192.168.17.0/24 (previously subnet A)
                i have a second subnet on the same wire network of 192.168.14.0/25 (previously subnet B) this subnet is linked to our customer

                target is to allow a computer in subnet A to send and receive traffic from an address in subnet B after requiring a user to enter a username and password
                the reason for this is that our customer has servers in subnet B which are secure, and due to their policy the security cannot be changed in any meaningful way

                the issue that i am having right now is that i can connect to the openvpn server on my pfsense vm, auth properly, and obtain an ip address and routing, but i cannot pass traffic, as the tunneling network is in the 10.0.0.0/8 subnet which is unroutable. with pptp, i could assign an addr from a pool that fell within subnet B, and pass traffic, but making necessary routing changes was prohibitively difficult. with openvpn, the routing changes are much simplified, but address assignment seems to be an issue. my suspicion now is that the /30 subnet that open vpn has given me seems to be an issue, and i'm not sure why this is happening. user jimp had indicated it was due to an overlap in IP's, which i've corrected, but that hasn't changed the behavior. the current routing table result of a connection looks like this:

                IPv4 Route Table

                Active Routes:
                Network Destination        Netmask          Gateway      Interface  Metric
                          0.0.0.0          0.0.0.0    192.168.17.1  192.168.17.122    286
                      10.10.10.1  255.255.255.255      10.10.10.5      10.10.10.6    30
                      10.10.10.4  255.255.255.252        On-link        10.10.10.6    286
                      10.10.10.6  255.255.255.255        On-link        10.10.10.6    286
                      10.10.10.7  255.255.255.255        On-link        10.10.10.6    286
                        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                    192.168.14.0  255.255.255.128      10.10.10.5      10.10.10.6    30
                    192.168.17.0    255.255.255.0        On-link    192.168.17.122    286
                  192.168.17.122  255.255.255.255        On-link    192.168.17.122    286
                  192.168.17.255  255.255.255.255        On-link    192.168.17.122    286
                        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                        224.0.0.0        240.0.0.0        On-link    192.168.17.122    286
                        224.0.0.0        240.0.0.0        On-link        10.10.10.6    286
                  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                  255.255.255.255  255.255.255.255        On-link    192.168.17.122    286
                  255.255.255.255  255.255.255.255        On-link        10.10.10.6    286

                Persistent Routes:
                  Network Address          Netmask  Gateway Address  Metric
                          0.0.0.0          0.0.0.0    192.168.17.1  Default

                if i'm not able to work it out strictly through openvpn, i'm going to move on to openvpn/NAT next, but i'm trying to make sure i don't make my system overly complex.

                if there are any further clarifications, please let me know.

                [attached screenshots: pfs-openvpn-1.png, pfs-openvpn-2.png]

    marvosa, last edited Aug 24, 2013, 6:13 PM

                  This appears to be a fairly simple setup.  Give us a network map with IP's, post your server1.conf and routing table from PFsense.

    lostgeek, last edited Sep 5, 2013, 2:41 PM

                    so sorry for the delay. got called in to work on another project.

                    not entirely sure what you mean by a "network map". did you mean the graphical representation?
                    our network is a single physical wired network which hosts several subnets with their own gateways in a common rack.
                    the gateways share a switch to our isp allowing comm between subnets, and with our isp.
                    the subnets of interest here are:
                    192.168.17.0/24 -> 192.168.17.1
                    192.168.14.0/25 -> 192.168.14.1

                    thanks again for all your help. am really trying to get my company to move more toward opensource, and this would be another great step in that direction

                    [2.0.3-RELEASE][root@vpn.abc.def.com]/root(5): cat /var/etc/openvpn/server1.conf
                    dev ovpns1
                    dev-type tun
                    dev-node /dev/tun1
                    writepid /var/run/openvpn_server1.pid
                    #user nobody
                    #group nobody
                    script-security 3
                    daemon
                    keepalive 10 60
                    ping-timer-rem
                    persist-tun
                    persist-key
                    proto udp
                    cipher AES-128-CBC
                    up /usr/local/sbin/ovpn-linkup
                    down /usr/local/sbin/ovpn-linkdown
                    local 192.168.17.107
                    tls-server
                    server 10.10.10.0 255.255.255.0
                    client-config-dir /var/etc/openvpn-csc
                    username-as-common-name
                    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                    tls-verify /var/etc/openvpn/server1.tls-verify.php
                    lport 1194
                    management /var/etc/openvpn/server1.sock unix
                    max-clients 16
                    push "route 192.168.14.0 255.255.255.128"
                    push "dhcp-option DOMAIN abc.def.com"
                    push "dhcp-option DNS 192.168.17.8"
                    push "dhcp-option DNS 192.168.17.2"
                    duplicate-cn
                    ca /var/etc/openvpn/server1.ca
                    cert /var/etc/openvpn/server1.cert
                    key /var/etc/openvpn/server1.key
                    dh /etc/dh-parameters.1024
                    tls-auth /var/etc/openvpn/server1.tls-auth 0
                    comp-lzo
                    persist-remote-ip
                    float
                    [2.0.3-RELEASE][root@vpn.abc.def.com]/root(49): netstat -r
                    Routing tables

                    Internet:
                    Destination        Gateway            Flags    Refs      Use  Netif Expire
                    default            cav-firewall      UGS        0  1294165    em1
                    10.10.10.0        10.10.10.2        UGS        0        0 ovpns1
                    10.10.10.1        link#8            UHS        0        0    lo0
                    10.10.10.2        link#8            UH          0        0 ovpns1
                    localhost          link#6            UH          1      76    lo0
                    192.168.14.0/25    link#1            U          0        7    em0
                    vpn                link#1            UHS        0        0    lo0
                    192.168.17.0      link#2            U          0    8381    em1
                    192.168.17.107    link#2            UHS        0        0    lo0

                    Internet6:
                    Destination        Gateway            Flags      Netif Expire
                    ::1                ::1                UH          lo0
                    fe80::%em0        link#1            U          em0
                    fe80::20c:29ff:fea link#1            UHS        lo0
                    fe80::%em1        link#2            U          em1
                    fe80::20c:29ff:fea link#2            UHS        lo0
                    fe80::%lo0        link#6            U          lo0
                    fe80::1%lo0        link#6            UHS        lo0
                    fe80::%ovpns1      link#8            U        ovpns1
                    fe80::20c:29ff:fea link#8            UHS        lo0
                    ff01:1::          fe80::20c:29ff:fea U          em0
                    ff01:2::          fe80::20c:29ff:fea U          em1
                    ff01:6::          ::1                U          lo0
                    ff01:8::          fe80::20c:29ff:fea U        ovpns1
                    ff02::%em0        fe80::20c:29ff:fea U          em0
                    ff02::%em1        fe80::20c:29ff:fea U          em1
                    ff02::%lo0        ::1                U          lo0
                    ff02::%ovpns1      fe80::20c:29ff:fea U        ovpns1

    marvosa, last edited Sep 6, 2013, 8:02 PM

                      Yes, a graphical representation of your network (also unmask all the private subnets), e.g. here's a simple one for my home network:

                      Internet -> PFsense (192.168.50.1/24) -> switch -> LAN

                      Once we get your network map maybe we'll have a clearer picture, but just a couple things that look weird:

                      Your config says your WAN IP on PFsense is 192.168.17.107, but then you go on to push DNS on the WAN subnet, which doesn't make sense.  (I'm guessing you want something on the 14.x side, since that's what you are routing thru the tunnel)

                      Post a network map, so we can troubleshoot further.  Also, make sure your firewall rules (openvpn tab) are any/any for now.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.