Netgate Discussion Forum
    Pfsense / open vpn netmask issue?
    • L
      lostgeek
      last edited by

      so i know this has been covered, and i've read some of it, but i can't quite wrap my head around it.

      what i'm working with is several subnets on one wire network. we have a 'main' network designated AAA.AA.AAA.0/24, and a specific subnet of interest designated BBB.BB.BBB.0/25

      my pfsense ip config is

      WAN AAA.AA.AAA.107/24
      LAN BBB.BB.BBB.107/24

      and for openvpn is

      tunnel BBB.BB.BBB.64/26
      local BBB.BB.BBB.0/25

my windows 7 client connects successfully, and gets two custom routes that i need for specific machines (XXX.XX.XX.XXX/Y) to be accessed over the B subnet. only an addr in the B subnet can reach those hosts. so i used my pfsense LAN as that subnet, and open vpn to assign an addr in that range. all seems to work well. sadly i get a subnet mask of /30 (.252). here is the routing table as a result of what i've done, and except for that stupid netmask, the whole thing looks right!

      IPv4 Route Table

      Active Routes:
      Network Destination        Netmask          Gateway      Interface  Metric
                0.0.0.0          0.0.0.0    AAA.AA.AAA.1  AAA.AA.AAA.122    286
              127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
              127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
        127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          XXX.XX.XX.XXX  255.255.255.255    BBB.BB.BBB.1    BBB.BB.BBB.70    31
          XXX.XX.XX.XXY  255.255.255.255    BBB.BB.BBB.1    BBB.BB.BBB.70    31
          BBB.BB.BBB.0  255.255.255.128    BBB.BB.BBB.69    BBB.BB.BBB.70    30
          BBB.BB.BBB.65  255.255.255.255    BBB.BB.BBB.69    BBB.BB.BBB.70    30
          BBB.BB.BBB.68  255.255.255.252        On-link    BBB.BB.BBB.70    286
          BBB.BB.BBB.70  255.255.255.255        On-link    BBB.BB.BBB.70    286
          BBB.BB.BBB.71  255.255.255.255        On-link    BBB.BB.BBB.70    286
          AAA.AA.AAA.0    255.255.255.0        On-link    AAA.AA.AAA.122    286
        AAA.AA.AAA.122  255.255.255.255        On-link    AAA.AA.AAA.122    286
        AAA.AA.AAA.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
              224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
              224.0.0.0        240.0.0.0        On-link    AAA.AA.AAA.122    286
              224.0.0.0        240.0.0.0        On-link    BBB.BB.BBB.70    286
        255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        255.255.255.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
        255.255.255.255  255.255.255.255        On-link    BBB.BB.BBB.70    286

      Persistent Routes:
        Network Address          Netmask  Gateway Address  Metric
                0.0.0.0          0.0.0.0    AAA.AA.AAA.1  Default

      i've seen messages that involve that, but the only solution i found is changing the 'dev tap' config to 'dev tun' which my client already uses, or reference very old versions (i got the latest for VMware a few days ago). i'm sure i'm missing something, but for the life of me can't figure it out.

      thanks all for your patience and help.

EDIT: i should add that i get an error message in the client that the BBB.BB.BBB.1 gateway can't be reached from any interface, which i can only guess is due to that /30 netmask.

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Which subnet mask are you thinking is wrong?

        It looks like how I'd expect OpenVPN's subnet mask for that setup to look, and the mask is correct for BBB.BBB.BBB.0/25 (255.255.255.128)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • L
          lostgeek
          last edited by

maybe i'm more thoroughly misunderstanding this than i thought. the line i thought was the problem is:

          BBB.BB.BBB.68  255.255.255.252        On-link    BBB.BB.BBB.70    286

          and i thought it was the problem because it conflicts? with the line:

          BBB.BB.BBB.0  255.255.255.128    BBB.BB.BBB.69    BBB.BB.BBB.70    30

but maybe not. long story short is that i can't pass any traffic beyond the pfsense box on the B subnet. it just goes nowhere. i've set all my firewall rules to wide open, in the hope of correcting this, to no avail.

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Ah, well yes those do overlap. The letters threw me off there. It's not the subnet mask's fault though.

            x.x.x.0/25 goes from x.x.x.0-x.x.x.127, your VPN can't be inside of that range anywhere.

            If you made your VPN subnet x.x.x.128/26 that would work. It has to be separate/distinct.

            • L
              lostgeek
              last edited by

ok, so in a fit of frustration, i trashed the vm running pfsense, and reinstalled. reconfigured, and as before everything went quite smoothly. many thanks for producing a really great distro! this time i went for 10 as my tunneling network, with my wan and lan assigned as before to eliminate any possibility of overlap. as before i've added pass all rules to my firewall. here is what my routing table now looks like:

              ===========================================================================
              Interface List
              20…xx xx xx xx xx xx ......TAP-Windows Adapter V9
              11...xx xx xx xx xx xx ......Broadcom NetLink (TM) Gigabit Ethernet
                1...........................Software Loopback Interface 1
              12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
              13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
              14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

              IPv4 Route Table

              Active Routes:
              Network Destination        Netmask          Gateway      Interface  Metric
                        0.0.0.0          0.0.0.0    AAA.AA.AAA.1  AAA.AA.AAA.122    286
                    10.10.10.1  255.255.255.255      10.10.10.5      10.10.10.6    30
                    10.10.10.4  255.255.255.252        On-link        10.10.10.6    286
                    10.10.10.6  255.255.255.255        On-link        10.10.10.6    286
                    10.10.10.7  255.255.255.255        On-link        10.10.10.6    286
                      127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                      127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                  BBB.BB.BBB.0  255.255.255.128      10.10.10.5      10.10.10.6    30
                  AAA.AA.AAA.0    255.255.255.0        On-link    AAA.AA.AAA.122    286
                AAA.AA.AAA.122  255.255.255.255        On-link    AAA.AA.AAA.122    286
                AAA.AA.AAA.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
                      224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                      224.0.0.0        240.0.0.0        On-link    AAA.AA.AAA.122    286
                      224.0.0.0        240.0.0.0        On-link        10.10.10.6    286
                255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                255.255.255.255  255.255.255.255        On-link    AAA.AA.AAA.122    286
                255.255.255.255  255.255.255.255        On-link        10.10.10.6    286

              Persistent Routes:
                Network Address          Netmask  Gateway Address  Metric
                        0.0.0.0          0.0.0.0    AAA.AA.AAA.1  Default

              haven't added any extras yet, just an out-of-the-box type of config. the important destination network, and the reason for this vpn, is the BBB.BB.BBB.0 route in the table. i need my clients to be able to communicate from within that subnet. once up and operational, i still can't pass traffic to that net. nothing shows errors, so it seems that the function as it is now is how it is intended. this leaves me with a few fundamental questions:

              is this the intended operation of openvpn? if so what purpose does it serve other than to create a secure connection to the pfsense server? i must have missed something here.

is there any way to create a setup that will allow my win7 clients to access this subnet, from an addr within this subnet, without having to reconfigure their current hw adapter?

              thanks again for all of your help in figuring this out!

              d

              • D
                doktornotor Banned
                last edited by

                So what does not work? Don't get me wrong, but these censored outputs are annoying like hell. Which "that net" does not work? Where are some configuration screenshots?  ::)

                • L
                  lostgeek
                  last edited by

                  ok, i thought my last post was pretty clear, but maybe not. my goal with pfsense is this:

                  i have desktop computers on a wire network with (since the letters are confusing, sorry, company says i can't post our ip's) a subnet of 192.168.17.0/24 (previously subnet A)
                  i have a second subnet on the same wire network of 192.168.14.0/25 (previously subnet B) this subnet is linked to our customer

                  target is to allow a computer in subnet A to send and receive traffic from an address in subnet B after requiring a user to enter a username and password
                  the reason for this is that our customer has servers in subnet B which are secure, and due to their policy the security cannot be changed in any meaningful way

the issue that i am having right now is that i can connect to the openvpn server on my pfsense vm, auth properly, and obtain an ip address and routing, but i cannot pass traffic, as the tunneling network is in the 10.0.0.0/8 subnet which is unroutable. with pptp, i could assign an addr from a pool that fell within subnet b, and pass traffic, but making the necessary routing changes was prohibitively difficult. with openvpn, the routing changes are much simplified, but address assignment seems to be an issue. my suspicion now is that the /30 subnet that open vpn has given me seems to be an issue, and i'm not sure why this is happening. user jimp had indicated it was due to an overlap in IP's, which i've corrected, but that hasn't changed the behavior. the current routing table result of a connection looks like this:

                  IPv4 Route Table

                  Active Routes:
                  Network Destination        Netmask          Gateway      Interface  Metric
                            0.0.0.0          0.0.0.0    192.168.17.1  192.168.17.122    286
                        10.10.10.1  255.255.255.255      10.10.10.5      10.10.10.6    30
                        10.10.10.4  255.255.255.252        On-link        10.10.10.6    286
                        10.10.10.6  255.255.255.255        On-link        10.10.10.6    286
                        10.10.10.7  255.255.255.255        On-link        10.10.10.6    286
                          127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                          127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                    127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                      192.168.14.0  255.255.255.128      10.10.10.5      10.10.10.6    30
                      192.168.17.0    255.255.255.0        On-link    192.168.17.122    286
                    192.168.17.122  255.255.255.255        On-link    192.168.17.122    286
                    192.168.17.255  255.255.255.255        On-link    192.168.17.122    286
                          224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                          224.0.0.0        240.0.0.0        On-link    192.168.17.122    286
                          224.0.0.0        240.0.0.0        On-link        10.10.10.6    286
                    255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                    255.255.255.255  255.255.255.255        On-link    192.168.17.122    286
                    255.255.255.255  255.255.255.255        On-link        10.10.10.6    286

                  Persistent Routes:
                    Network Address          Netmask  Gateway Address  Metric
                            0.0.0.0          0.0.0.0    192.168.17.1  Default

                  if i'm not able to work it out strictly through openvpn, i'm going to move on to openvpn/NAT next, but i'm trying to make sure i don't make my system overly complex.

                  if there are any further clarifications, please let me know.

Attachments: pfs-openvpn-1.png, pfs-openvpn-2.png

                  • M
                    marvosa
                    last edited by

                    This appears to be a fairly simple setup.  Give us a network map with IP's, post your server1.conf and routing table from PFsense.

                    • L
                      lostgeek
                      last edited by

                      so sorry for the delay. got called in to work on another project.

not entirely sure what you mean by a "network map". did you mean the graphical representation?
                      our network is a single physical wired network which hosts several subnets with their own gateways in a common rack.
                      the gateways share a switch to our isp allowing comm between subnets, and with our isp.
                      the subnets of interest here are:
                      192.168.17.0/24 -> 192.168.17.1
                      192.168.14.0/25 -> 192.168.14.1

                      thanks again for all your help. am really trying to get my company to move more toward opensource, and this would be another great step in that direction

                      [2.0.3-RELEASE][root@vpn.abc.def.com]/root(5): cat /var/etc/openvpn/server1.conf
                      dev ovpns1
                      dev-type tun
                      dev-node /dev/tun1
                      writepid /var/run/openvpn_server1.pid
                      #user nobody
                      #group nobody
                      script-security 3
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      proto udp
                      cipher AES-128-CBC
                      up /usr/local/sbin/ovpn-linkup
                      down /usr/local/sbin/ovpn-linkdown
                      local 192.168.17.107
                      tls-server
                      server 10.10.10.0 255.255.255.0
                      client-config-dir /var/etc/openvpn-csc
                      username-as-common-name
                      auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                      tls-verify /var/etc/openvpn/server1.tls-verify.php
                      lport 1194
                      management /var/etc/openvpn/server1.sock unix
                      max-clients 16
                      push "route 192.168.14.0 255.255.255.128"
                      push "dhcp-option DOMAIN abc.def.com"
                      push "dhcp-option DNS 192.168.17.8"
                      push "dhcp-option DNS 192.168.17.2"
                      duplicate-cn
                      ca /var/etc/openvpn/server1.ca
                      cert /var/etc/openvpn/server1.cert
                      key /var/etc/openvpn/server1.key
                      dh /etc/dh-parameters.1024
                      tls-auth /var/etc/openvpn/server1.tls-auth 0
                      comp-lzo
                      persist-remote-ip
                      float
                      [2.0.3-RELEASE][root@vpn.abc.def.com]/root(49): netstat -r
                      Routing tables

                      Internet:
                      Destination        Gateway            Flags    Refs      Use  Netif Expire
                      default            cav-firewall      UGS        0  1294165    em1
                      10.10.10.0        10.10.10.2        UGS        0        0 ovpns1
                      10.10.10.1        link#8            UHS        0        0    lo0
                      10.10.10.2        link#8            UH          0        0 ovpns1
                      localhost          link#6            UH          1      76    lo0
                      192.168.14.0/25    link#1            U          0        7    em0
                      vpn                link#1            UHS        0        0    lo0
                      192.168.17.0      link#2            U          0    8381    em1
                      192.168.17.107    link#2            UHS        0        0    lo0

                      Internet6:
                      Destination        Gateway            Flags      Netif Expire
                      ::1                ::1                UH          lo0
                      fe80::%em0        link#1            U          em0
                      fe80::20c:29ff:fea link#1            UHS        lo0
                      fe80::%em1        link#2            U          em1
                      fe80::20c:29ff:fea link#2            UHS        lo0
                      fe80::%lo0        link#6            U          lo0
                      fe80::1%lo0        link#6            UHS        lo0
                      fe80::%ovpns1      link#8            U        ovpns1
                      fe80::20c:29ff:fea link#8            UHS        lo0
                      ff01:1::          fe80::20c:29ff:fea U          em0
                      ff01:2::          fe80::20c:29ff:fea U          em1
                      ff01:6::          ::1                U          lo0
                      ff01:8::          fe80::20c:29ff:fea U        ovpns1
                      ff02::%em0        fe80::20c:29ff:fea U          em0
                      ff02::%em1        fe80::20c:29ff:fea U          em1
                      ff02::%lo0        ::1                U          lo0
                      ff02::%ovpns1      fe80::20c:29ff:fea U        ovpns1

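An added check, not from the thread or from pfSense, for the overlap jimp describes (a tunnel network carved out of the /25) applied to the kind of server1.conf posted above: it pulls the `server` network and the pushed routes out of an OpenVPN server config and reports every interface network or pushed route the tunnel overlaps. The config template and the 192.168.17.0/24 WAN and 192.168.14.0/25 LAN networks are constructed from the unmasked addresses given later in the thread; the first setup's tunnel (192.168.14.64/26) and jimp's suggested x.x.x.128/26 are filled in from the earlier posts.

```python
"""Added example: check an OpenVPN server's tunnel network against the
firewall's interface networks and the routes it pushes to clients."""
import ipaddress
import re

# Constructed config template, modelled on the pfSense server1.conf in the
# thread; only the directives the check reads are included.
CONF_TEMPLATE = """\
dev ovpns1
dev-type tun
proto udp
server {net} {mask}
push "route 192.168.14.0 255.255.255.128"
push "dhcp-option DNS 192.168.17.8"
"""

# Interface networks assumed from the unmasked addresses later in the thread
# (WAN 192.168.17.107/24, LAN inside the 192.168.14.0/25 customer subnet).
INTERFACES = {
    "wan": ipaddress.ip_network("192.168.17.0/24"),
    "lan": ipaddress.ip_network("192.168.14.0/25"),
}

FIRST_CONF = CONF_TEMPLATE.format(net="192.168.14.64", mask="255.255.255.192")   # tunnel inside the LAN
FIXED_CONF = CONF_TEMPLATE.format(net="192.168.14.128", mask="255.255.255.192")  # jimp's x.x.x.128/26
FINAL_CONF = CONF_TEMPLATE.format(net="10.10.10.0", mask="255.255.255.0")        # like the posted server1.conf

_SERVER_RE = re.compile(r'^server\s+(\S+)\s+(\S+)$')
_ROUTE_RE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"$')

def parse_openvpn_networks(conf_text):
    """Return (tunnel network, list of pushed route networks) from config text."""
    tunnel, routes = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments such as '#user nobody'
        if m := _SERVER_RE.match(line):
            tunnel = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := _ROUTE_RE.match(line):
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return tunnel, routes

def tunnel_conflicts(conf_text, interfaces):
    """Names of interface networks and pushed routes that overlap the tunnel.
    A non-empty result means clients get tunnel addresses inside a network
    that is also reachable another way, which is the overlap jimp pointed out."""
    tunnel, routes = parse_openvpn_networks(conf_text)
    if tunnel is None:
        raise ValueError("config has no 'server' directive")
    candidates = dict(interfaces)
    candidates.update({f"pushed route {r}": r for r in routes})
    return sorted(name for name, net in candidates.items() if tunnel.overlaps(net))

if __name__ == "__main__":
    for label, conf in [("first", FIRST_CONF), ("fixed", FIXED_CONF), ("final", FINAL_CONF)]:
        print(label, tunnel_conflicts(conf, INTERFACES) or "no overlap")
```

Run against a real /var/etc/openvpn/server1.conf by reading the file into `tunnel_conflicts` and passing the firewall's actual interface networks; an empty result only rules out overlap, not firewall-rule or gateway problems.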
                      • M
                        marvosa
                        last edited by

                        Yes, a graphical representation of your network (also unmask all the private subnets), e.g. here's a simple one for my home network:

                        Internet -> PFsense (192.168.50.1/24) -> switch -> LAN

                        Once we get your network map maybe we'll have a clearer picture, but just a couple things that look weird:

                        Your config says your WAN IP on PFsense is 192.168.17.107, but then you go on to push DNS on the WAN subnet, which doesn't make sense.  (I'm guessing you want something on the 14.x side, since that's what you are routing thru the tunnel)

                        Post a network map, so we can troubleshoot further.  Also, make sure your firewall rules (openvpn tab) are any/any for now.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.