Networks routed from a pfSense box not accessible from an OpenVPN site (P2P PKI)



  • Hello all

    First, sorry for my poor English.

    I'm having a problem I'm unable to resolve and hope someone can help me.

    I have a place with a pfSense box that routes 2 other networks, one with another pfSense and the other(s) with a Cisco router supplied by the ISP.

    I have a remote site connected with OpenVPN Peer to Peer (SSL/TLS) working "well". I mean "well" because I can access the LAN networks from one site to the other (and vice versa), but from the remote site (pfSense3) LAN I can't access the networks provided by the Cisco or the 172.16.10.0/26 provided by pfSense2 (see the attached image).

    Those networks are accessible from the pfSense LAN network. They are also accessible from OpenVPN road warrior users. They are even accessible from pfSense3 itself (from its shell), but not from its LAN network.

    I've spent several days trying everything I know. The routes are pushed from pfSense1 to pfSense3. I've reviewed the rules again and again; everything passes.

    I suppose I'm missing something here, but I don't know what.

    This is the routing table in the pfSense3 box:

    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.153.1      UGS         0     5922 pppoe0
    google-public-dns- 192.168.153.1      UGHS        0    30451 pppoe0
    10.0.10.1/32       10.0.10.5          UGS         0        0 ovpnc1
    10.0.10.5          link#8             UH          0        0 ovpnc1
    10.0.10.6          link#8             UHS         0        0    lo0
    10.2.6.0           10.0.10.5          UGS         0        0 ovpnc1
    10.2.31.0          10.0.10.5          UGS         0        0 ovpnc1
    10.31.10.0         10.0.10.5          UGS         0        0 ovpnc1
    10.31.112.0        10.0.10.5          UGS         0        0 ovpnc1
    10.31.253.0        10.0.10.5          UGS         0        0 ovpnc1
    10.32.253.0        10.0.10.5          UGS         0        0 ovpnc1
    10.252.130.0       10.0.10.5          UGS         0        0 ovpnc1
    10.252.144.0       10.0.10.5          UGS         0        0 ovpnc1
    10.252.252.0       10.0.10.5          UGS         0        0 ovpnc1
    10.253.1.192/32    10.0.10.5          UGS         0        0 ovpnc1
    10.253.252.0       10.0.10.5          UGS         0        0 ovpnc1
    PUBLIC-DSL-IP-94.d link#9             UHS         0        0    lo0
    localhost          link#4             UH          0       97    lo0
    172.16.0.0/21      10.0.10.5          UGS         0        7 ovpnc1
    172.16.10.0/26     10.0.10.5          UGS         0        0 ovpnc1
    172.16.20.0/26     link#1             U           0       48    vr0
    pfsense3           link#1             UHS         0        0    lo0
    192.168.153.1      link#9             UH          0        0 pppoe0
    

    The 10.2., 10.31., 10.32., 10.252. and 10.253. networks are the ones provided by the Cisco, and 172.16.10.10/26 is the one provided by pfSense2.

    Do you know what my problem is? I'm not posting configurations to keep this short. If you need something, please ask me.

    Thanks

    Best

    ![OpenVPN Routing.png](/public/imported_attachments/1/OpenVPN Routing.png)



  • Need to clarify some info:

    • Your diagram shows "OpenVPN Tunnel Network: 10.0.10.0/24" and "Subnet to pfSense3: 10.0.10.8/30".  Please clarify what you meant because those networks overlap.

    • When you say "I have a remote site connected with OpenVPN Peer to Peer (SSL/TLS) working" you never specified what was connected. I can only assume from your diagram that you meant PFsense 1 and PFsense 3 are connected and that each side can communicate with the other side's LAN, but please verify my assumption is correct.

    • On PFsense 2, is there a typo or is 172.16.10.1/26 really a WAN interface? Why isn't it a LAN interface?  I would imagine 172.16.20.0/26 cannot communicate with 172.16.10.0/26 because there is no return route back to 172.16.20.0/26 on PFsense 2.  Although, I'm not even sure that's possible because it's a WAN interface and being NAT'd… someone else chime in if they know for sure

    • You need a return route to 172.16.20.0/26 on the Cisco.

    • Post your server1.conf from PFsense 1 and client1.conf from PFsense 3.



  • @marvosa:

    Need to clarify some info:

    • Your diagram shows "OpenVPN Tunnel Network: 10.0.10.0/24" and "Subnet to pfSense3: 10.0.10.8/30".  Please clarify what you meant because those networks overlap.
    • When you say "I have a remote site connected with OpenVPN Peer to Peer (SSL/TLS) working" you never specified what was connected. I can only assume from your diagram that you meant PFsense 1 and PFsense 3 are connected and that each side can communicate with the other side's LAN, but please verify my assumption is correct.
    • On PFsense 2, is there a typo or is 172.16.10.1/26 really a WAN interface? Why isn't it a LAN interface?  I would imagine 172.16.20.0/26 cannot communicate with 172.16.10.0/26 because there is no return route back to 172.16.20.0/26 on PFsense 2.  Although, I'm not even sure that's possible because it's a WAN interface and being NAT'd… someone else chime in if they know for sure
    • You need a return route to 172.16.20.0/26 on the Cisco.

    Remember

    • Post your server1.conf from PFsense 1 and client1.conf from PFsense 3.

    pfSense1 Site2Site (PKI)

    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local TRIMMED-PUBLIC-IP
    tls-server
    server 10.0.10.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.10.1 10.0.10.2
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    route 172.16.20.0 255.255.255.192
    route 172.16.20.64 255.255.255.192
    route 192.168.0.0 255.255.255.0
    push "route 172.16.0.0 255.255.248.0"
    push "route 172.16.10.0 255.255.255.192"
    push "route 10.2.6.0 255.255.255.0"
    push "route 10.2.31.0 255.255.255.0"
    push "route 10.31.10.0 255.255.255.0"
    push "route 10.31.112.0 255.255.255.0"
    push "route 10.31.253.0 255.255.255.0"
    push "route 10.32.253.0 255.255.255.0"
    push "route 10.252.130.0 255.255.255.0"
    push "route 10.252.144.0 255.255.255.0"
    push "route 10.252.252.0 255.255.255.0"
    push "route 10.253.1.192 255.255.255.255"
    push "route 10.253.252.0 255.255.255.0"
    

    pfSense3 (Client)

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local TRIMMED-PUBLIC-IP
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote TRIMMED-REMOTE-IP 1195
    ifconfig 10.0.10.2 10.0.10.1
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    

    Also, here is the CSO (-csc) file for that client:

    ifconfig-push 10.0.10.10 10.0.10.9
    iroute 172.16.20.0 255.255.255.192
    

    USING Site2Site

    12:00:41.556303 IP 192.168.0.47.38007 > 10.31.10.89.33438: UDP, length 24
    12:00:41.628250 IP 192.168.0.47.38007 > 10.31.10.89.33439: UDP, length 24
    12:00:41.699052 IP 192.168.0.47.38007 > 10.31.10.89.33440: UDP, length 24
    12:00:41.770609 IP 192.168.0.47.38007 > 10.31.10.89.33441: UDP, length 24
    
    12:01:55.579807 IP 192.168.0.47.38022 > 10.31.10.89.33441: UDP, length 24
    12:02:00.580990 IP 192.168.0.47.38022 > 10.31.10.89.33442: UDP, length 24
    12:02:05.581638 IP 192.168.0.47.38022 > 10.31.10.89.33443: UDP, length 24
    12:02:10.582314 IP 192.168.0.47.38022 > 10.31.10.89.33444: UDP, length 24
    

    USING RoadWarrior

    11:35:41.019829 IP 10.0.8.202.37905 > 10.31.10.89.33435: UDP, length 24
    11:35:41.182282 IP 10.0.8.202.37905 > 10.31.10.89.33436: UDP, length 24
    11:35:41.253157 IP 10.0.8.202.37905 > 10.31.10.89.33437: UDP, length 24
    11:35:41.324107 IP 10.0.8.202.37905 > 10.31.10.89.33438: UDP, length 24
    
    11:37:07.139149 IP 10.31.253.2.46027 > 10.31.10.89.33438: UDP, length 24
    11:37:07.281083 IP 10.31.253.2.15414 > 10.31.10.89.33439: UDP, length 24
    11:37:07.351882 IP 10.31.253.2.3381 > 10.31.10.89.33440: UDP, length 24
    11:37:07.422730 IP 10.31.253.2.23474 > 10.31.10.89.33441: UDP, length 24
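    As an added example (not from the thread, pfSense or OpenVPN), a small Python checker over the configs posted above that runs the three routing checks marvosa raised: whether the CSO's addresses sit inside the tunnel network, whether every `iroute` has its server-side `route`, and which source networks a router can actually answer. The Cisco's routing table is not in the thread, so the one below is constructed; the captured source addresses are taken from the two tcpdump outputs.

```python
import ipaddress

# Excerpts copied from the thread: pfSense1's server config and pfSense3's CSO.
SERVER_CONF = """\
server 10.0.10.0 255.255.255.0
route 172.16.20.0 255.255.255.192
route 192.168.0.0 255.255.255.0
push "route 172.16.0.0 255.255.248.0"
push "route 10.31.10.0 255.255.255.0"
"""
CSO = """\
ifconfig-push 10.0.10.10 10.0.10.9
iroute 172.16.20.0 255.255.255.192
"""
# Constructed for this example (the thread never shows the Cisco's table): prefixes
# the ISP router can route back to. pfSense3's LAN 172.16.20.0/26 is deliberately absent.
CISCO_RETURN_ROUTES = [ipaddress.ip_network(n) for n in
                       ("192.168.0.0/24", "10.0.8.0/24", "172.16.0.0/21")]
CAPTURED_SOURCES = ["192.168.0.47", "10.0.8.202"]  # sources seen in the tcpdump captures

def parse_openvpn(text):
    """Collect the routing-relevant directives: server, route, push "route",
    iroute and ifconfig-push. ipaddress accepts dotted netmasks directly."""
    out = {"tunnel": None, "route": [], "push": [], "iroute": [], "ifconfig_push": []}
    for raw in text.splitlines():
        words = raw.replace('"', "").split()
        if len(words) < 2: continue  # comments, blanks and argument-less directives
        pushed = words[0] == "push"
        key, *args = words[1:] if pushed else words
        if key == "server":
            out["tunnel"] = ipaddress.ip_network(f"{args[0]}/{args[1]}")
        elif key in ("route", "iroute"):
            out["push" if pushed else key].append(ipaddress.ip_network(f"{args[0]}/{args[1]}"))
        elif key == "ifconfig-push":
            out["ifconfig_push"] = [ipaddress.ip_address(a) for a in args[:2]]
    return out

def cso_inside_tunnel(server, cso):
    """Both CSO addresses come out of the tunnel pool: expected with 'server', not a clash."""
    return all(a in server["tunnel"] for a in cso["ifconfig_push"])

def iroutes_without_kernel_route(server, cso):
    """OpenVPN needs a server-side 'route' for every 'iroute'; return the ones lacking it."""
    return [n for n in cso["iroute"] if n not in server["route"]]

def unreachable_from(routes, sources):
    """Hosts or prefixes in 'sources' that no entry in 'routes' covers: the router
    owning 'routes' cannot send replies to them (the missing return route)."""
    nets = [ipaddress.ip_network(str(s), strict=False) for s in sources]
    return [n for n in nets if not any(n.subnet_of(r) for r in routes)]
```

    Against the constructed Cisco table, both captured sources (pfSense1's LAN and the road warrior pool) are answerable, while the iroute network 172.16.20.0/26 is the one prefix with no way back.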