Two pfSense boxes with OpenVPN server: how to access the LAN from both boxes over VPN



  • Hi,

    my configuration:
    pfSense box1:
    OpenVPN1 subnet 10.0.9.0/24
    LAN address 192.168.0.1
    LAN subnet 192.168.0.0/24

    pfSense box2:
    OpenVPN2 subnet 10.10.0.0/24
    LAN address 192.168.0.3
    LAN subnet 192.168.0.0/24

    LAN network computers: all computers on the LAN have an IP from 192.168.0.10 to 192.168.0.254, default gateway 192.168.0.3 and DNS server 192.168.0.3

    I can access LAN computers from openvpn2 on pfSense box2.
    If I change the default gateway on some LAN computer to 192.168.0.1, I can access it from openvpn1 on pfSense box1.

    Now my noob question: how do I set up the pfSense boxes (or is there some tutorial, …) so that I have access at once from openvpn1 and openvpn2 to all LAN computers with their gateways set to 192.168.0.3 (pfSense box2)?

    Thx for all your suggestions...

    edit: searching on the internet I found this, but is it the correct answer for my question, or must I set some gateways and routes?

    on pfSense box1
    push "route 192.168.0.0 255.255.255.0 192.168.0.1 1" - This tells the server config to "push" to the client the route command, which sets a networking route for the 192.168.0.0/24 subnet via the gateway 192.168.0.1 with a metric of 1. Metrics are used to give "preference" if multiple routes exist (such that the lowest cost wins).

    edit2: I also found this:

    On the 192.168.0.3 pfSense, create a gateway to 192.168.0.1 and create a static route that points 10.0.9.0/24 to the 192.168.0.1 gateway. Traffic going to the 10.0.9.0/24 network gets blocked in the firewall, so create a LAN rule to allow any protocol from LAN Net to network 10.0.9.0/24, any port......... Allow traffic from 10.0.9.0/24 on the pfSense 192.168.0.3 LAN interface as source address.

    edit3: I tried everything from edit1 and edit2 - not working... maybe I made some mistakes :'(

    Marian.
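The reason the openvpn1 clients cannot reach hosts whose gateway is 192.168.0.3 is the return path: the LAN host sends its reply to box2, which has no route for 10.0.9.0/24. The following is an added example, not from the thread or from pfSense, that models the three routing tables with longest-prefix matching and traces the reply path with and without the static route from edit2 (the client address 10.0.9.6, the LAN host 192.168.0.50 and the "wan1"/"wan2" next hops are constructed for the example):

```python
# Added example (not from the thread): a tiny longest-prefix-match model of the
# network in the post, tracing the reply from a LAN host back to an OpenVPN client.
# Addresses are the ones from the post; the client 10.0.9.6, the LAN host
# 192.168.0.50 and the "wan1"/"wan2" next hops are constructed for the example.
from ipaddress import ip_address, ip_network

# Routing tables: list of (destination network, next hop). "direct" means the
# destination is on-link, "tun" means it goes into the box's OpenVPN tunnel.
box1 = [("10.0.9.0/24", "tun"), ("192.168.0.0/24", "direct"), ("0.0.0.0/0", "wan1")]
box2 = [("10.10.0.0/24", "tun"), ("192.168.0.0/24", "direct"), ("0.0.0.0/0", "wan2")]
lan_host = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "192.168.0.3")]  # default gw = box2

ROUTERS = {"192.168.0.1": box1, "192.168.0.3": box2}

def lookup(table, dst):
    """Longest-prefix match, as a real routing table does."""
    best = None
    for net, nh in table:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, nh)
    return best[1] if best else None

def trace(start_table, dst, routers=ROUTERS, max_hops=8):
    """Follow next hops until the packet is delivered, tunnelled, or leaves via a WAN."""
    path, table = [], start_table
    for _ in range(max_hops):
        nh = lookup(table, dst)
        path.append(nh)
        if nh in ("direct", "tun") or nh not in routers:
            return path
        table = routers[nh]
    return path + ["loop"]

def reply_path(box2_table):
    """Reply from LAN host 192.168.0.50 back to VPN client 10.0.9.6 behind box1."""
    return trace(lan_host, "10.0.9.6", {"192.168.0.1": box1, "192.168.0.3": box2_table})

# Without the static route from edit2 the reply leaves via box2's WAN and never
# reaches the tunnel on box1, so connections from openvpn1 appear to hang.
broken = reply_path(box2)
# With "10.0.9.0/24 via gateway 192.168.0.1" on box2 the reply reaches box1's tunnel.
box2_fixed = [("10.0.9.0/24", "192.168.0.1")] + box2
fixed = reply_path(box2_fixed)

if __name__ == "__main__":
    print("reply without static route:", broken)  # ['192.168.0.3', 'wan2']
    print("reply with static route:   ", fixed)   # ['192.168.0.3', '192.168.0.1', 'tun']
```

Even with the route in place, box2's stateful filter only ever sees the reply half of each flow (the request went client → box1 → host directly), so it can drop the replies as out-of-state; the LAN rules from edit2 address that, and an outbound NAT on box1 that hides the 10.0.9.0/24 clients behind 192.168.0.1 avoids the asymmetry altogether.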



  • You are describing a "bridge" scenario across an OpenVPN connection.

    This is possible using a TAP style interface on the OpenVPN server and client but is definitely not for the faint of heart (IMO).

    If possible, it's much easier just to change one of the subnets from 192.168.0.x to something else.

    Personally I would change both subnets, since the 192.168.0.x and 192.168.1.x ranges are used as the default by so many devices (and end up causing the issues you are seeing).

    Edit: <sigh>After posting I looked at your picture (my bad for posting before reading…) and I see your scenario appears a little different than I originally envisioned. I still think the subnet change could be a good idea.

    What are you actually trying to accomplish with the VPN connection? Your diagram shows both OpenVPN server and client connected to the same switch. Why would you need a VPN connection at all when you can just use firewall/routing rules in one (or both) pfSense boxes? For that matter, why do you need two pfSense boxes?

    Just trying to understand your setup.......

    Just my $0.02</sigh>



  • Hi, thx.

    I have two pfSense boxes because I want a backup VPN connection to the LAN in case of HW failure. For now I only use pfsensebox1. pfsensebox2 is for now only in the "technical preview" stage (preparing for use).



  • Ok, that makes a little more sense.

    If you're trying to create a secondary backup box in case one fails, you have a couple of choices, each with +'s and -'s.

    1) You can simply "duplicate" your running box by loading up a copy of the config.xml into the "backup" hardware

    (+) You get a working backup that runs the same as the original
    (+) The backup only runs when you need it, otherwise you can just leave it powered down

    (-) You can't run the original at the same time as the backup since their LAN subnet definitions will conflict (as you've seen)
    (-) You have to manually move cables around to connect the box when needed
    (-) Your WAN address may change if your internet modem sees a new MAC address on the backup NIC (can be fixed by spoofing the MAC)
    (-) Changes to the primary box's config have to be moved manually to the backup

    2) Set up a more industrial backup using CARP

    (+) You get automatic updates from the main box to the backup in real time.
    (+) Switchover is automatic
    (+) WAN address issues are handled in the CARP setup

    (-) Both boxes are running all the time, which consumes more power
    (-) CARP setup is more complicated and will take a little design work
    (-) Extra cost (although it sounds like you have the hardware already)

    I've been assuming here that we're talking physical hardware and not a VM setup (although most of the issues still apply).

    If you're interested in a CARP setup, you might try posting over on the CARP forum.

    For the setup you've described, the short answer is you can't run the two boxes at the same time if you're expecting them to do the same job. They will conflict with one another. You'll have to manually remove one box and replace it with the other for testing.


  • @divsys:

    (-) Both boxes are running all the time, consumes more power
    (-) CARP setup is more complicated and will take a little design work
    (-) Extra cost (although it sounds like you have the hardware already)

    (-) Requires at least three IPs (Probably a /29) from the ISP.



  • Hi, thx all for your time.

    OK, I only want to access the internet from one pfSense box, but I also want two different ways to connect from the internet to the LAN (two HW boxes with an OpenVPN server). I think that I need some NAT rule and port forward rule. But from what you wrote, I think that it is impossible..

