Netgate Discussion Forum

    Interesting routing issue

maverick_slo

      Hello!

      I use 2.2 and an OpenVPN server in tun mode.
      When a client connects, everything works as intended except that one route goes wrong.

      See below:

      Correct traceroute, traffic goes through the tunnel:

      Tracing route to google-public-dns-a.google.com [8.8.8.8]
      over a maximum of 30 hops:
      
        1    14 ms    14 ms    14 ms  10.15.20.1
        2    15 ms    41 ms    15 ms  2903.burek.net [YY.YY.YY.1]
        3    63 ms    23 ms    45 ms  mx-vi1-te-0-0-0.burek.net [IP HERE]
        4    44 ms    43 ms    43 ms  72.14.211.66
        5    45 ms    45 ms    45 ms  216.239.46.115
        6    45 ms    44 ms    45 ms  216.239.48.137
        7    45 ms    45 ms    45 ms  google-public-dns-a.google.com [8.8.8.8]
      Trace complete.
      

      INCORRECT route, traffic goes through the local firewall instead of the tunnel:

      Tracing route to [XX.XX.XX.12]
      over a maximum of 30 hops:
      
        1    <1 ms    <1 ms    <1 ms  firewall.domain.local [192.168.1.1]
        2    13 ms    13 ms    13 ms  gw1.net [ZZ.ZZZ.0.1]
        3    12 ms    12 ms    12 ms  gw2.net [IP HERE]
        4    13 ms    12 ms    13 ms  six.burek.net [IP HERE]
        5    14 ms    14 ms    13 ms  [XX.XX.XX.12]
      Trace complete.
      

      [XX.XX.XX.12] is my WAN IP.
      So if I connect from anywhere and log in to my website (I have no SSL), anyone with access to the router I'm connected to could see my login details.
      Why is only the WAN IP routed through the local gateway instead of the tunnel?

      Thanks!

      maverick_slo

        Oh, IPv6 is working great, as it should.

        johnpoz (LAYER 8 Global Moderator)

          Well, what are the routes on the box? Clearly you have a route that says: when trying to go to [XX.XX.XX.12], go to firewall.domain.local [192.168.1.1].

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          marvosa

            At this point we can't confirm anything; we need more info.

            Post your server1.conf and the routing table from pfSense and a connected client.

            maverick_slo

              I was thinking…
              There is actually no need for a routing table...
              Let me explain.

              If I connect to XX.XX.XX.XX with OpenVPN, clearly XX.XX.XX.XX MUST go through the local firewall and not through the tunnel. If it went through the tunnel, OpenVPN would not work :)
              So this is by design, IMHO.

              marvosa
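To make the "by design" point above concrete: when an OpenVPN client is pushed `redirect-gateway def1`, it installs two /1 routes toward the tunnel plus a /32 host route for the server endpoint via the original gateway, so the server's WAN IP is the one destination that never enters the tunnel. The following is an added example, not code from the thread or from OpenVPN; the table below is constructed, with 192.168.1.1 and 10.15.20.1 taken from the traceroutes above and 203.0.113.12 standing in for the masked XX.XX.XX.12.

```python
import ipaddress

# Constructed routing table of an OpenVPN client after "redirect-gateway def1".
# 192.168.1.1 = the client's local firewall, 10.15.20.1 = the tun-side gateway,
# 203.0.113.12 = placeholder for the VPN server's WAN IP (XX.XX.XX.12 in the thread).
LOCAL_GW = "192.168.1.1"
TUN_GW = "10.15.20.1"
VPN_SERVER = "203.0.113.12"

ROUTES = [
    ("0.0.0.0/0", LOCAL_GW),         # original default route, now shadowed by the /1s
    ("0.0.0.0/1", TUN_GW),           # def1: two /1 routes beat the /0 default
    ("128.0.0.0/1", TUN_GW),
    (f"{VPN_SERVER}/32", LOCAL_GW),  # host route so the tunnel's own packets don't loop
    ("192.168.1.0/24", None),        # directly connected LAN (on-link, no gateway)
]


def next_hop(dst, routes=ROUTES):
    """Return the gateway chosen by longest-prefix match (None = on-link)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def via_tunnel(dst, routes=ROUTES):
    """True only if the packet is handed to the tun gateway."""
    return next_hop(dst, routes) == TUN_GW


def untunneled_destinations(dsts, routes=ROUTES):
    """Audit helper: which destinations leave the client outside the tunnel."""
    return [d for d in dsts if not via_tunnel(d, routes)]


if __name__ == "__main__":
    for d in ("8.8.8.8", VPN_SERVER, "192.168.1.50"):
        print(d, "->", next_hop(d), "(tunnel)" if via_tunnel(d) else "(local)")
```

Any service (such as the plain-HTTP site in the first post) that shares the server's WAN IP is therefore reached over the local network, not the tunnel; the usual mitigations are TLS on that service or reaching it through a LAN-side or tunnel-side address.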

                That all depends on your config, routing, and full tunnel vs split tunnel. We are all just speculating without looking at the config and your routing tables.
