OpenVPN Routing Issue



  • Dear All

    I have a problem with a site-to-site VPN setup.

    Network is as follows:

    SITEA

    Internet
    +
    +
    +
    Cisco 1900 Router - WAN PPPoE - LAN NAT - DHCP enabled 192.168.1.0/24
    +
    +
    +
    Cisco Catalyst switch
    +
    +
    +
    +
    pfSense acting as OpenVPN server - DHCP disabled - LAN fixed IP 192.168.1.19
    WAN of pfSense comes from another Internet connection
    OpenVPN tunnel is 10.8.8.1

    SITEB

    pfSense with OpenVPN client - PPPoE

    DHCP LAN with 192.168.109.100.

    The main aim of the VPN: SITEB users should be able to access a few servers on SITEA.

    From SITEA I can ping the whole 192.168.109.x range via the pfSense console - no issue.

    From SITEB I can ping only 192.168.1.19 and one more IP, which is an access point.
    The rest of the network is unreachable.
    I tried switching the smart ports on the Cisco to desktop, Cisco switch and trunk, but got the same results.

    My question is: if I can reach the SiteA LAN as well as one other IP, why am I unable to ping the other
    PCs and servers on the same network? I cannot change the IP range of that LAN.

    Following is a packet capture of the SITEA LAN:

    09:40:51.573279 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:51.745952 IP 192.168.1.113.52612 > 224.0.0.252.5355: UDP, length 24
    09:40:51.845898 IP 192.168.1.113.52612 > 224.0.0.252.5355: UDP, length 24
    09:40:52.046168 IP 192.168.1.113.137 > 192.168.1.255.137: UDP, length 50
    09:40:52.178151 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58656, length 64
    09:40:52.455687 6c:ae:8b:50:07:4c > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:52.634048 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:52.795869 IP 192.168.1.113.137 > 192.168.1.255.137: UDP, length 50
    09:40:53.141434 IP 192.168.109.52 > 192.168.1.1: ICMP echo request, id 2, seq 2632, length 64
    09:40:53.160256 ARP, Request who-has 192.168.1.2 tell 192.168.1.19, length 28
    09:40:53.178998 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58657, length 64
    09:40:53.180243 ARP, Request who-has 192.168.1.3 tell 192.168.1.19, length 28
    09:40:53.200394 ARP, Request who-has 192.168.1.4 tell 192.168.1.19, length 28
    09:40:53.220262 IP 192.168.109.52 > 192.168.1.5: ICMP echo request, id 2, seq 2636, length 64
    09:40:53.234283 IP 192.168.1.116.137 > 192.168.1.255.137: UDP, length 50
    09:40:53.240142 IP 192.168.109.52 > 192.168.1.6: ICMP echo request, id 2, seq 2637, length 64
    09:40:53.240320 ARP, Request who-has 192.168.1.1 tell 192.168.1.6, length 46
    09:40:53.260132 IP 192.168.109.52 > 192.168.1.7: ICMP echo request, id 2, seq 2638, length 64
    09:40:53.280637 IP 192.168.109.52 > 192.168.1.8: ICMP echo request, id 2, seq 2639, length 64
    09:40:53.280862 ARP, Request who-has 192.168.1.1 tell 192.168.1.8, length 46
    09:40:53.300264 IP 192.168.109.52 > 192.168.1.9: ICMP echo request, id 2, seq 2640, length 64
    09:40:53.304020 ARP, Request who-has 192.168.1.1 tell 192.168.1.9, length 46
    09:40:53.320264 IP 192.168.109.52 > 192.168.1.10: ICMP echo request, id 2, seq 2641, length 64
    09:40:53.516493 6c:ae:8b:50:07:4c > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:53.545921 IP 192.168.1.113.137 > 192.168.1.255.137: UDP, length 50
    09:40:53.657893 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 46
    09:40:53.694853 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:53.983308 IP 192.168.1.116.137 > 192.168.1.255.137: UDP, length 50
    09:40:54.180158 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58658, length 64
    09:40:54.577243 6c:ae:8b:50:07:4c > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:54.733326 IP 192.168.1.116.137 > 192.168.1.255.137: UDP, length 50
    09:40:54.755635 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:54.940161 IP 192.168.109.52 > 192.168.1.1: ICMP echo request, id 2, seq 2642, length 64
    09:40:54.940505 ARP, Request who-has 192.168.1.2 tell 192.168.1.19, length 28
    09:40:54.941418 ARP, Request who-has 192.168.1.4 tell 192.168.1.19, length 28
    09:40:54.941630 ARP, Request who-has 192.168.1.3 tell 192.168.1.19, length 28
    09:40:54.942015 IP 192.168.109.52 > 192.168.1.8: ICMP echo request, id 2, seq 2646, length 64
    09:40:54.942253 IP 192.168.109.52 > 192.168.1.5: ICMP echo request, id 2, seq 2648, length 64
    09:40:54.942454 IP 192.168.109.52 > 192.168.1.10: ICMP echo request, id 2, seq 2647, length 64
    09:40:54.942532 IP 192.168.109.52 > 192.168.1.6: ICMP echo request, id 2, seq 2649, length 64
    09:40:54.942651 IP 192.168.109.52 > 192.168.1.7: ICMP echo request, id 2, seq 2650, length 64
    09:40:54.942731 IP 192.168.109.52 > 192.168.1.9: ICMP echo request, id 2, seq 2651, length 64
    09:40:54.997343 IP 192.168.1.156.138 > 192.168.1.255.138: UDP, length 225
    09:40:55.181037 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58659, length 64
    09:40:55.638053 6c:ae:8b:50:07:4c > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:55.816397 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:55.879489 ARP, Request who-has 192.168.1.1 tell 192.168.1.119, length 46
    09:40:55.915142 IP 192.168.1.113.63437 > 255.255.255.255.19402: UDP, length 122
    09:40:56.182132 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58660, length 64
    09:40:56.257065 IP 192.168.1.113.137 > 192.168.1.255.137: UDP, length 50
    09:40:56.270454 IP 192.168.1.113.52894 > 224.0.0.252.5355: UDP, length 29
    09:40:56.271369 ARP, Request who-has 192.168.1.1 tell 192.168.1.113, length 46
    09:40:56.340713 ARP, Request who-has 192.168.1.1 tell 192.168.1.113, length 46
    09:40:56.353693 ARP, Request who-has 192.168.1.1 tell 192.168.1.113, length 46
    09:40:56.370015 IP 192.168.1.113.52894 > 224.0.0.252.5355: UDP, length 29
    09:40:56.570684 IP 192.168.1.113.50027 > 224.0.0.252.5355: UDP, length 29
    09:40:56.670095 IP 192.168.1.113.50027 > 224.0.0.252.5355: UDP, length 29
    09:40:56.698833 6c:ae:8b:50:07:4c > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:56.780924 ARP, Request who-has 192.168.1.1 tell 192.168.1.156, length 46
    09:40:56.789275 IP 192.168.1.156.138 > 192.168.1.255.138: UDP, length 225
    09:40:56.877200 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:56.940162 IP 192.168.109.52 > 192.168.1.1: ICMP echo request, id 2, seq 2652, length 64
    09:40:56.940457 ARP, Request who-has 192.168.1.2 tell 192.168.1.19, length 28
    09:40:56.941156 ARP, Request who-has 192.168.1.4 tell 192.168.1.19, length 28
    09:40:56.941554 IP 192.168.109.52 > 192.168.1.10: ICMP echo request, id 2, seq 2655, length 64
    09:40:56.941902 IP 192.168.109.52 > 192.168.1.6: ICMP echo request, id 2, seq 2656, length 64
    09:40:56.942104 IP 192.168.109.52 > 192.168.1.5: ICMP echo request, id 2, seq 2657, length 64
    09:40:56.942400 ARP, Request who-has 192.168.1.3 tell 192.168.1.19, length 28
    09:40:56.942598 IP 192.168.109.52 > 192.168.1.8: ICMP echo request, id 2, seq 2658, length 64
    09:40:56.942680 IP 192.168.109.52 > 192.168.1.7: ICMP echo request, id 2, seq 2660, length 64
    09:40:56.942693 IP 192.168.109.52 > 192.168.1.9: ICMP echo request, id 2, seq 2661, length 64
    09:40:57.007051 IP 192.168.1.113.137 > 192.168.1.255.137: UDP, length 50
    09:40:57.182909 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58661, length 64
    09:40:57.757090 IP 192.168.1.113.137 > 192.168.1.255.137: UDP, length 50
    09:40:57.759584 6c:ae:8b:50:07:4c > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:57.937980 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:58.183978 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58662, length 64
    09:40:58.820399 6c:ae:8b:50:07:4c > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:58.941199 IP 192.168.109.52 > 192.168.1.11: ICMP echo request, id 2, seq 2662, length 64
    09:40:58.941324 ARP, Request who-has 192.168.1.1 tell 192.168.1.11, length 46
    09:40:58.960078 ARP, Request who-has 192.168.1.12 tell 192.168.1.19, length 28
    09:40:58.980185 ARP, Request who-has 192.168.1.13 tell 192.168.1.19, length 28
    09:40:58.998780 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:40:59.000548 ARP, Request who-has 192.168.1.14 tell 192.168.1.19, length 28
    09:40:59.020067 ARP, Request who-has 192.168.1.15 tell 192.168.1.19, length 28
    09:40:59.040061 ARP, Request who-has 192.168.1.16 tell 192.168.1.19, length 28
    09:40:59.060063 ARP, Request who-has 192.168.1.17 tell 192.168.1.19, length 28
    09:40:59.080059 IP 192.168.109.52 > 192.168.1.18: ICMP echo request, id 2, seq 2669, length 64
    09:40:59.120059 IP 192.168.109.52 > 192.168.1.20: ICMP echo request, id 2, seq 2673, length 64
    09:40:59.184951 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58663, length 64
    09:40:59.201736 IP 192.168.1.113.68 > 255.255.255.255.67: UDP, length 300
    09:40:59.881184 6c:ae:8b:50:07:4c > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:41:00.059519 6c:ae:8b:50:01:dc > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x886d), length 64:
    09:41:00.185979 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58664, length 64
    09:41:00.939475 IP 192.168.109.52 > 192.168.1.11: ICMP echo request, id 2, seq 2674, length 64
    09:41:00.940450 ARP, Request who-has 192.168.1.15 tell 192.168.1.19, length 28
    09:41:00.940847 ARP, Request who-has 192.168.1.13 tell 192.168.1.19, length 28
    09:41:00.941060 IP 192.168.109.52 > 192.168.1.20: ICMP echo request, id 2, seq 2677, length 64
    09:41:00.941140 ARP, Request who-has 192.168.1.14 tell 192.168.1.19, length 28
    09:41:00.941251 ARP, Request who-has 192.168.1.12 tell 192.168.1.19, length 28

    Please advise what to do.

    UPDATE: Server site: openvpn[17920]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
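One way to read a capture like the one above is to pair each ICMP echo request with its reply and list the targets that never answered. The script below is an added example, not code from this thread; SAMPLE_CAPTURE is a constructed handful of lines in the same tcpdump text format as the posted capture (the echo reply line is invented to show the answered case). Note that a capture taken on the pfSense LAN interface only sees frames sent to pfSense or to broadcast, so a host that replies via a different default gateway never shows up here at all.

```python
"""Added example, not code from the forum thread: summarise a tcpdump text
capture so that ICMP echo requests which never receive a reply stand out."""
import re
from collections import defaultdict

# Matches the tcpdump one-line form "IP src > dst: ICMP echo request, id N, seq M"
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample in the same format as the thread's capture; the reply
# from 192.168.1.19 is invented so the answered case is represented.
SAMPLE_CAPTURE = """\
09:40:52.178151 IP 10.8.8.2 > 192.168.1.5: ICMP echo request, id 48949, seq 58656, length 64
09:40:53.141434 IP 192.168.109.52 > 192.168.1.1: ICMP echo request, id 2, seq 2632, length 64
09:40:53.160256 ARP, Request who-has 192.168.1.2 tell 192.168.1.19, length 28
09:40:53.220262 IP 192.168.109.52 > 192.168.1.5: ICMP echo request, id 2, seq 2636, length 64
09:40:53.234283 IP 192.168.1.116.137 > 192.168.1.255.137: UDP, length 50
09:40:53.260000 IP 192.168.109.52 > 192.168.1.19: ICMP echo request, id 2, seq 2640, length 64
09:40:53.260400 IP 192.168.1.19 > 192.168.109.52: ICMP echo reply, id 2, seq 2640, length 64
"""


def summarise_icmp(capture_text):
    """Return {(src, dst): (requests_sent, requests_answered)} per request direction.

    A reply travels dst -> src of the request it answers, so replies are keyed
    on the flipped address pair and matched on ICMP id and sequence number.
    """
    requests = defaultdict(set)
    replies = defaultdict(set)
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue  # ARP, NetBIOS, LLMNR and other noise is ignored here
        seq = int(m["seq"])
        if m["kind"] == "request":
            requests[(m["src"], m["dst"], m["id"])].add(seq)
        else:
            replies[(m["dst"], m["src"], m["id"])].add(seq)
    summary = defaultdict(lambda: [0, 0])
    for (src, dst, icmp_id), seqs in requests.items():
        answered = seqs & replies.get((src, dst, icmp_id), set())
        summary[(src, dst)][0] += len(seqs)
        summary[(src, dst)][1] += len(answered)
    return {k: tuple(v) for k, v in summary.items()}


def unreachable_targets(capture_text):
    """Destinations that were pinged at least once and never answered anyone."""
    summary = summarise_icmp(capture_text)
    answered = {dst for (_, dst), (_, ok) in summary.items() if ok}
    return sorted({dst for (_, dst) in summary if dst not in answered})


if __name__ == "__main__":
    for (src, dst), (sent, ok) in sorted(summarise_icmp(SAMPLE_CAPTURE).items()):
        print(f"{src:>16} -> {dst:<16} requests={sent} answered={ok}")
    print("never answered:", unreachable_targets(SAMPLE_CAPTURE))
```

Run it against the full capture (`tcpdump -n -i <lan-interface>` output saved to a file and passed to `summarise_icmp`) and every SITEA target other than pfSense itself shows up with zero answered requests, which is the symptom the rest of the thread explains.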



  • From SITEA I can ping the whole 192.168.109.x range via the pfSense console - no issue.

    From SITEB I can ping only 192.168.1.19 and one more IP, which is an access point.
    The rest of the network is unreachable.

    The Cisco at site A will have to know the route to site B, via the pfSense site A LAN IP. Devices in site A will have the Cisco as default gateway. When a device in site A sends a packet to site B, it goes first to the Cisco, the Cisco has to direct it to the pfSense site A LAN IP, then pfSense sends it over the tunnel.
    Packets from B to A work, because pfSense at site A can deliver the traffic directly to a site A device - no Cisco in the path.
    After adding a route on the Cisco, you will still have asymmetric routes. The Cisco will only see traffic in one direction. If the Cisco is acting as a stateful firewall, then it might drop those packets. You will see soon enough.
    In this configuration, pfSense site A should be OK - it will see packets in both directions, so it should be able to maintain its firewall state table.
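The hop-by-hop reasoning above (and the later point about why the access point answers while other SITEA hosts do not) can be checked with a toy forwarder. The script below is an added example, not code from this thread: it runs a longest-prefix match over per-hop routing tables and traces the SITEB to SITEA echo request and the SITEA to SITEB echo reply with and without the static route on the Cisco. The prefixes are the ones the thread gives; the hop names ("cisco", "pfsense_a", ...) and the "WAN_*" exits are labels chosen for this example, and the access point's default gateway pointing at pfSense is the assumption Phil makes, not something the thread confirms.

```python
"""Added example, not code from the forum thread: trace a SITEB <-> SITEA ping
through each hop's routing table, before and after the Cisco static route."""
import ipaddress

SITEA_LAN = "192.168.1.0/24"
SITEB_LAN = "192.168.109.0/24"
TUNNEL = "10.8.8.0/24"


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def build_tables(cisco_has_route):
    """Routing tables of every hop; 'deliver' means the network is directly attached.

    Hop names and the WAN_* exits are labels invented for this example.
    """
    cisco = [(SITEA_LAN, "deliver"), ("0.0.0.0/0", "WAN_A")]
    if cisco_has_route:
        # ip route 192.168.109.0 255.255.255.0 192.168.1.19 (the route from the thread)
        cisco.append((SITEB_LAN, "pfsense_a"))
    return {
        "host_b": [(SITEB_LAN, "deliver"), ("0.0.0.0/0", "pfsense_b")],
        # the tunnel is abstracted: the far LAN route points straight at the peer pfSense
        "pfsense_b": [(SITEB_LAN, "deliver"), (TUNNEL, "deliver"),
                      (SITEA_LAN, "pfsense_a"), ("0.0.0.0/0", "WAN_B")],
        "pfsense_a": [(SITEA_LAN, "deliver"), (TUNNEL, "deliver"),
                      (SITEB_LAN, "pfsense_b"), ("0.0.0.0/0", "WAN_A2")],
        "cisco": cisco,
        # an ordinary SITEA server: default gateway is the Cisco (192.168.1.1)
        "server_a": [(SITEA_LAN, "deliver"), ("0.0.0.0/0", "cisco")],
        # assumption: the access point's default route points at pfSense (192.168.1.19)
        "ap_a": [(SITEA_LAN, "deliver"), ("0.0.0.0/0", "pfsense_a")],
    }


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` until delivered, dropped, or sent out of the topology."""
    path, hop = [start], start
    for _ in range(max_hops):
        next_hop = lookup(tables[hop], dst)
        if next_hop is None:
            return path + ["no-route"]
        if next_hop == "deliver":
            return path + ["deliver"]
        path.append(next_hop)
        if next_hop not in tables:  # a WAN exit: the packet leaves the two LANs
            return path
        hop = next_hop
    return path + ["loop"]


def round_trip(cisco_has_route, siteb_host="192.168.109.52", sitea_target="192.168.1.5"):
    """(request path, reply path) for a ping from a SITEB host to a SITEA server."""
    tables = build_tables(cisco_has_route)
    request = trace(tables, "host_b", sitea_target)
    reply = trace(tables, "server_a", siteb_host)
    return request, reply


if __name__ == "__main__":
    for has_route in (False, True):
        req, rep = round_trip(has_route)
        print(f"cisco static route present: {has_route}")
        print("  request:", " -> ".join(req))
        print("  reply:  ", " -> ".join(rep))
    tables = build_tables(False)
    print("AP reply without the route:", " -> ".join(trace(tables, "ap_a", "192.168.109.52")))
```

Without the route the reply path ends at the Cisco's WAN exit, so the request reaches the server but the reply is lost; with the route the reply comes back through the Cisco and both pfSense boxes. The request path never touches the Cisco while the reply path does, which is exactly the asymmetry described above: the Cisco only ever sees one half of each conversation, so any stateful inspection there needs to tolerate that.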



  • Dear Phil

    Thanks for the solution.

    I will check again and revert back soon.



  • Dear Phil

    Please advise if this is correct

    SITEA
    Cisco Router is 192.168.1.1
    Openvpn Server is 192.168.1.19

    I should add a route to the Cisco: ip route 192.168.109.0 255.255.255.0 192.168.1.19

    thanks



  • Dear Phil

    Why am I able to ping only one device, which is an AP, on SiteA from SiteB?



  • @kazimnaim:

    Dear Phil

    Please advise if this is correct

    SITEA
    Cisco Router is 192.168.1.1
    Openvpn Server is 192.168.1.19

    I should add a route to the Cisco: ip route 192.168.109.0 255.255.255.0 192.168.1.19

    thanks

    Sorry, been offline from the forum a few days - yes, the route information is correct. You know the exact correct Cisco format.



  • @kazimnaim:

    Dear Phil

    Why am I able to ping only one device, which is an AP, on SiteA from SiteB?

    If the AP has its default route set to the SiteA pfSense LAN IP 192.168.1.19, then the reply would work by default.
    After adding the route to the Cisco (previous post), you should be able to ping lots of things in SiteA from SiteB.
    Post what you have done so far, what pings work and what pings do not work.



  • Thanks Phil

    Adding the route as per your suggestion worked perfectly.

    Thanks again

