Netgate Discussion Forum
    PfSense VPN router behind a Tomato router

    Category: IPsec
    3 Posts 2 Posters 1.6k Views

    whitewidow

      Quick summary of what I'm trying to accomplish
      I'm testing a Netgate pfSense router at home and wish to connect it behind my Shibby Tomato router so as not to disrupt my normal home network setup. The VPN will be connected to my corporate location. I have configured the tunnel and have it working if the pfSense router is the gateway. The issue I have now is when I put the pfSense router behind my home Tomato router, the VPN on both ends shows connected, but I cannot ping the corporate network from the workstation at home I have connected to the pfSense router, and likewise from corporate to the pfSense subnet.

      Overview of network
      Motorola DOCSIS 3.0 Modem (192.168.100.1)

      Router 1 "Gateway" (192.168.0.1)
      Shibby Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB Big-VPN
      Static Route to pfSense router
      Destination   Gateway / Next Hop   Subnet Mask     Metric   Interface
      10.0.9.0      192.168.0.4          255.255.255.0   0        br0 (LAN)
      I have also put 192.168.0.4 in a DMZ in hope to open up all ports to the pfSense router
      NAT is set to ALL > MASQUERADE
      DHCP for the 192.168.0.0 network and DNS is handled by my Windows server for the devices in my home.

      Router 2 "pfSense" (LAN 10.0.9.254)
      WAN IP 192.168.0.4
      DHCP scope 10.0.9.10 - 10.0.9.245
      1 Workstation connected to the LAN (10.0.9.11)
      VPN to corporate shows a connection in pfSense on both ends but cannot access or ping either way
      Corporate is fine, as the other locations currently have a working VPN and I connect fine when the pfSense router is the gateway.
      Firewall has been opened to allow ANY connection on the WAN

      I can ping from the 192.168.0.0 network to the 10.0.9.0 network
      I can ping from the 10.0.9.0 network to the 192.168.0.0 network
      I CAN NOT ping from the 10.0.9.0 network to the 10.0.1.0 network (corporate)

      netstat -rn from the pfSense router
      Routing tables

      Internet:
      Destination        Gateway        Flags   Refs   Use      Netif   Expire
      default            192.168.0.1    UGS     0      347005   re1
      10.0.9.0/24        link#3         U       0      800027   re2
      10.0.9.254         link#3         UHS     0      0        lo0
      127.0.0.1          link#14        UH      0      36       lo0
      173.XXX.64.XXX     192.168.0.1    UGHS    0      5273     re1
      192.168.0.0/24     link#2         U       0      19842    re1
      192.168.0.4        link#2         UHS     0      0        lo0

      Internet6:
      Destination                      Gateway                          Flags   Netif   Expire
      ::1                              ::1                              UH      lo0
      fe80::%re0/64                    link#1                           U       re0
      fe80::20d:b9ff:fe33:8758%re0     link#1                           UHS     lo0
      fe80::%re1/64                    link#2                           U       re1
      fe80::9644:52ff:fea6:e6f3%re1    link#2                           UHS     lo0
      fe80::%re2/64                    link#3                           U       re2
      fe80::20d:b9ff:fe33:875a%re2     link#3                           UHS     lo0
      fe80::%lo0/64                    link#14                          U       lo0
      fe80::1%lo0                      link#14                          UHS     lo0
      ff01::%re0/32                    fe80::20d:b9ff:fe33:8758%re0     U       re0
      ff01::%re1/32                    fe80::9644:52ff:fea6:e6f3%re1    U       re1
      ff01::%re2/32                    fe80::20d:b9ff:fe33:875a%re2     U       re2
      ff01::%lo0/32                    ::1                              U       lo0
      ff02::%re0/32                    fe80::20d:b9ff:fe33:8758%re0     U       re0
      ff02::%re1/32                    fe80::9644:52ff:fea6:e6f3%re1    U       re1
      ff02::%re2/32                    fe80::20d:b9ff:fe33:875a%re2     U       re2
      ff02::%lo0/32                    ::1                              U       lo0

      netstat -rn from the Tomato router
      Kernel IP routing table
      Destination       Gateway           Genmask           Flags   MSS   Window   irtt   Iface
      67.xxx.252.xxx    0.0.0.0           255.255.255.255   UH      0     0        0      vlan2
      10.0.9.0          192.168.0.4       255.255.255.0     UG      0     0        0      br0
      192.168.0.0       0.0.0.0           255.255.255.0     U       0     0        0      br0
      67.xxx.252.xxx    0.0.0.0           255.255.252.0     U       0     0        0      vlan2
      127.0.0.0         0.0.0.0           255.0.0.0         U       0     0        0      lo
      0.0.0.0           67.xxx.252.xxx    0.0.0.0           UG      0     0        0      vlan2

      VPN is IPsec and, as I said, the testing pfSense router and the corporate pfSense router show the VPN tunnel is connected.

      So now I'm stuck. I thought the static route would allow packets through to the pfSense router, but no luck. I'm thinking it's a NAT issue, but I'm not sure. Any help would be appreciated. Thanks.


      CyberTiVo

        I am having a similar problem; however, my IPsec tunnel shows up on the "remote/host" pfSense box, but not on the "local/client". On the client, I am behind a Cisco DPC3825, so I can't take it out of the loop and make the pfSense box the first smart device on the network.

        Even when the remote shows the tunnel up, I do not see a route to my local network in the routing table. The local network does not have a route to the host. I know the local network tries to use the tunnel because when I do a traceroute to the remote network it hits the firewall and then gets * * *. When I disable the tunnel, the traceroute goes out the front door.

        In the client log, I see bi-directional communication with the host on ports 500 and 4500.  There are no errors, but no traffic.


        CyberTiVo

          It looks like it is working now; I had to turn off NAT on the IPsec interface because of the double NATting. I failed to mention that the client is running 2.2-Alpha and the host is 2.1.4. 2.2 has a V1 or V2 option for IKE. I was using V2; it needs to be V1. Also, the IPsec widget on 2.2 does not report the tunnel up when it is. Even when the tunnels are up, neither end shows a route in the routing table.

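Both posters hit the same two things: a pfSense WAN sitting on a private address behind another NAT (so IKE must use NAT-T on UDP/4500 and outbound NAT must not rewrite the IPsec traffic), and the remote subnet never appearing in the routing table even with the tunnel up. The checker below, written for this thread and not taken from pfSense, parses the FreeBSD netstat -rn output whitewidow posted (embedded as a constructed sample, masked public address kept as posted) and reports those conditions from the table alone; the finding names and the remote subnet 10.0.1.0/24 come from the posts, the helper names are my own.

```python
import ipaddress

# Constructed sample: the IPv4 section of the `netstat -rn` output posted by whitewidow.
PFSENSE_NETSTAT = """\
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGS 0 347005 re1
10.0.9.0/24 link#3 U 0 800027 re2
10.0.9.254 link#3 UHS 0 0 lo0
127.0.0.1 link#14 UH 0 36 lo0
173.XXX.64.XXX 192.168.0.1 UGHS 0 5273 re1
192.168.0.0/24 link#2 U 0 19842 re1
192.168.0.4 link#2 UHS 0 0 lo0
"""

def parse_routes(text):
    """Return [(network, gateway, netif)] from FreeBSD netstat -rn; masked rows are skipped."""
    routes = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        dest, gw, netif = parts[0], parts[1], parts[5]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        except ValueError:
            continue                             # e.g. the poster's "173.XXX.64.XXX" placeholder
        routes.append((net, gw, netif))
    return routes

def best_route(routes, ip):
    """Longest-prefix match, the same choice the kernel makes for a packet to ip."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def diagnose(text, remote_lan):
    """Findings to check before blaming the tunnel itself (names are this example's own)."""
    routes = parse_routes(text)
    findings = []
    default = best_route(routes, "8.8.8.8")     # any public address resolves to the default route
    try:
        if default and ipaddress.ip_address(default[1]).is_private:
            findings.append("double-nat")       # upstream gateway is RFC1918: NAT-T on UDP/4500 needed,
    except ValueError:                          # and outbound NAT must not touch IPsec traffic
        pass                                    # gateway is a link#N entry, not an address
    probe = str(ipaddress.ip_network(remote_lan)[1])
    remote = best_route(routes, probe)
    if remote is None or remote[0].prefixlen == 0:
        findings.append("remote-via-default")   # policy-based IPsec: the SPD, not the routing table, steers it
    return findings
```

Run `diagnose(PFSENSE_NETSTAT, "10.0.1.0/24")` on a box that is the real gateway and "double-nat" disappears while "remote-via-default" stays, which is the expected state CyberTiVo describes.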