OpenVPN & Virtual IP - Stuck



  • Here is the setup and lay of the land.

    Cisco 4451x running NAT and Policy-Based Routing. NAT is running for WAN IP to LAN IP on the pfSense box; Policy-Based Routing takes any packets from the LAN IP of the pfSense box and passes them back out the proper WAN interface (there are multiple).

    On the pfSense box it is configured with a LAN IP and a Virtual IP that is being used for OpenVPN.

    I am able to ping the pfSense box on the WAN IP from an outside network. I am able to get out to the internet and google.com on the Virtual IP from the pfSense box.

    I am unable to establish a session with OpenVPN.

    We have another OpenVPN config running on this box that is running successfully on another IP; the only difference is that one is the actual LAN interface IP and the other is just a Virtual IP.



  • Is it a type of Virtual IP which supports running services?
    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses



  • @viragomann:

    Is it a type of Virtual IP which supports running services?
    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

    Yes, Alias IP



  • Is that an OpenVPN client or server?



  • @cmb:

    Is that an OpenVPN client or server?

    OpenVPN server is running on the LAN interface on pfSense (port 1194). OpenVPN clients are able to connect.

    OpenVPN server is running on the VIP Alias IP on pfSense (port 1197). OpenVPN clients are not able to connect.

    In the OpenVPN logs it shows that the interface is bound and listening; however, if I go to States or pftop I do not see port 1197 listed, as I do for 1194.

    Apologies if I misunderstood your question. :-)



  • That's what I was wondering, whether it was a client or server you were binding to the VIP.

    I'm guessing you probably don't have a firewall rule on WAN allowing traffic to the destination VIP and port for the non-working instance.



  • @cmb:

    That's what I was wondering, whether it was a client or server you were binding to the VIP.

    I'm guessing you probably don't have a firewall rule on WAN allowing traffic to the destination VIP and port for the non-working instance.

    Here is the config from the Cisco Router.

    ip nat inside source static 10.20.1.102 98…..... route-map PFSENSE-AWS

    ip access-list extended TWC-ACL
    deny  ip host 10.20.1.102 host 10.20.1.254
    deny  ip host 10.20.1.102 172.32.0.0 0.0.255.255
    deny  ip host 10.20.1.102 172.31.0.0 0.0.255.255
    permit ip host 10.20.1.102 any

    ip access-list extended AWSEXCEPTION
    deny  ip host 10.20.1.101 10.20.0.0 0.0.255.255
    deny  ip host 10.20.1.102 10.20.0.0 0.0.255.255
    deny  ip host 10.20.1.102 172.31.0.0 0.0.255.255
    deny  ip host 10.20.1.102 172.32.0.0 0.0.255.255
    deny  ip host 10.20.1.101 172.31.0.0 0.0.255.255
    deny  ip host 10.20.1.101 172.32.0.0 0.0.255.255
    permit ip host 10.20.1.102 any
    permit ip host 10.20.1.101 any

    route-map TWC permit 10
    match ip address TWC-ACL
    set ip next-hop 98.....

    route-map PFSENSE-AWS permit 10
    match ip address AWSEXCEPTION

    10.20.1.101 is the LAN interface that is working, which has the exact same config on the router. There is no firewall running between the router and the pfSense box.

    On the pfSense box, I have put in allow-all traffic rules to try and get it working.
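  • The symptom described in the thread (OpenVPN reports it is bound and listening on the VIP, yet no state for UDP/1197 ever appears in pfSense) is best narrowed down by sending a real OpenVPN handshake opener from outside and watching whether a state shows up. A plain `nc -u` probe is useless for this: OpenVPN silently ignores datagrams that are not a well-formed P_CONTROL_HARD_RESET_CLIENT_V2, so an unanswered random packet proves nothing. The script below is an added example, not code from the original post or from pfSense or OpenVPN; it builds the handshake opener by hand (opcode 7 in the top 5 bits of the first byte, key id 0, an 8-byte session id, an empty ack array and packet id 0), sends it, and checks whether the reply is the matching P_CONTROL_HARD_RESET_SERVER_V2 that acks our session id. The host `198.51.100.10` and port `1197` in the usage line are placeholders, and the sample reply in the comments is constructed. Caveat a practitioner needs: a server configured with `tls-auth` or `tls-crypt` discards this unauthenticated packet, so "no reply" only means "packet dropped somewhere, or authenticated-only server"; the decisive check is whether `pfctl -ss | grep 1197` on the pfSense box shows a state while the probe runs. If it does not, the packet never reached pf, and the problem is upstream (the router's NAT/PBR or the WAN rule), exactly the distinction cmb was asking about.

```python
"""Minimal OpenVPN (UDP, TLS mode) reachability probe.

Added example for the thread above; not pfSense/OpenVPN project code.
Sends P_CONTROL_HARD_RESET_CLIENT_V2 and checks for the server's reset.
"""
import os
import socket
import sys

OPCODE_HARD_RESET_CLIENT_V2 = 7  # first packet of a client handshake
OPCODE_HARD_RESET_SERVER_V2 = 8  # server's answer to it


def build_hard_reset_client_v2(session_id: bytes, key_id: int = 0) -> bytes:
    """Build the 14-byte handshake opener.

    Wire layout: 1 byte (opcode << 3 | key_id), 8-byte client session id,
    1 byte ack-array length (0 here), 4-byte packet id (0 for the first packet).
    """
    if len(session_id) != 8:
        raise ValueError("session id must be exactly 8 bytes")
    if not 0 <= key_id <= 7:
        raise ValueError("key id must fit in 3 bits")
    header = bytes([(OPCODE_HARD_RESET_CLIENT_V2 << 3) | key_id])
    return header + session_id + b"\x00" + (0).to_bytes(4, "big")


def parse_opcode(packet: bytes):
    """Return (opcode, key_id) from the first byte of any OpenVPN control packet."""
    if not packet:
        raise ValueError("empty packet")
    return packet[0] >> 3, packet[0] & 0x07


def is_server_hard_reset(reply: bytes, client_session_id: bytes) -> bool:
    """True if `reply` is P_CONTROL_HARD_RESET_SERVER_V2 acking our session.

    Server layout: 1 opcode byte, 8-byte server session id, 1 byte ack count N,
    N*4 bytes of acked packet ids, then (only when N > 0) the 8-byte remote
    session id it is acking, then its own 4-byte packet id.
    """
    try:
        opcode, _key_id = parse_opcode(reply)
    except ValueError:
        return False
    if opcode != OPCODE_HARD_RESET_SERVER_V2:
        return False
    if len(reply) < 1 + 8 + 1:
        return False
    ack_count = reply[9]
    if ack_count == 0:
        return False  # a real reset-server-v2 acks our packet id 0
    acks_end = 10 + 4 * ack_count
    remote_sid = reply[acks_end:acks_end + 8]
    return remote_sid == client_session_id


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send the opener and classify the outcome. Returns a short status string."""
    client_sid = os.urandom(8)
    packet = build_hard_reset_client_v2(client_sid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _peer = sock.recvfrom(2048)
        except socket.timeout:
            return ("no reply: packet dropped before OpenVPN, or the server uses "
                    "tls-auth/tls-crypt and discarded the unauthenticated opener")
    if is_server_hard_reset(reply, client_sid):
        return "OpenVPN server answered with HARD_RESET_SERVER_V2: reachable"
    opcode, key_id = parse_opcode(reply)
    return f"unexpected reply: opcode={opcode} key_id={key_id} len={len(reply)}"


if __name__ == "__main__":
    # Placeholder target; replace with the NATed WAN address and VIP port.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.10"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1197
    print(probe(target_host, target_port))
```

Run it from a host outside the Cisco while watching `pfctl -ss | grep 1197` (and `sockstat -4l | grep 1197` to confirm the daemon really is bound to the alias address) on the pfSense console. Running the same probe against the working instance on 1194 gives a known-good baseline for comparison.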