Netgate Discussion Forum
    OpenVPN and policy based routing

    Routing and Multi WAN

    • Maarten. 0

      I've got a setup with 2 computers connected by 2 pfSense routers through a p2p OpenVPN tunnel. I want to use policy routing instead of static routes. It's just not working without the static routes. If I ping from computerA to computerB, the ping goes through the tunnel and reaches computerB. ComputerB is sending the reply, but the LAN interface on pfSenseB thinks there's no route; there is a policy routing rule active, it's just not using it on the reply.

      This is the data I got from the Packet Capture, when I ping from Computer A to B, but the reverse (B to A) is the same:

      pfSenseA Lan
      192.168.50.1 > 192.168.51.1: ICMP echo request

      pfSenseA openvpn tunnel
      192.168.50.1 > 192.168.51.1: ICMP echo request

      pfSenseB openvpn tunnel
      192.168.50.1 > 192.168.51.1: ICMP echo request

      pfSenseB Lan
      192.168.50.1 > 192.168.51.1: ICMP echo request
      192.168.51.1 > 192.168.50.1: ICMP echo reply
      192.168.51.254 > 192.168.51.1: ICMP host 192.168.50.1 unreachable

      The reason I want to use policy based routing is that I want to set up 2 tunnels with the gateway failover functionality.

      Is there a way to make this work properly?

      Best regards.

      output.png
      • jimp (Rebel Alliance Developer, Netgate)

        Assign the OpenVPN interfaces on both sides (check wiki/forum for details). Move the OpenVPN firewall rules to the assigned interface tab. That will activate pf's reply-to functionality for the VPN interfaces, and then it will remember the path the packet entered and send the reply back the way it came in.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Maarten. 0

          Hi Jimp,

          Thanks for your response. Mine is a "little" late, had some other stuff to deal with unfortunately. I've tried what I think you meant, but that's not working for me, so I think I misunderstand. I've added screenshots of my current configuration and Wireshark results.

          Is this correct? Because it's not working for me.

          Thanks, Maarten

          pfsense.png
          wireshark.png

          • jimp (Rebel Alliance Developer, Netgate)

            Make sure you don't have any rules on the OpenVPN tab that would match the traffic.

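            To tie jimp's two replies together, here is what the two rule placements look like from pf's point of view on pfSenseB. This is an added illustration, not a ruleset from the thread or from Netgate; the interface name ovpns1, the tunnel network 10.0.8.0/24 (pfSenseA at 10.0.8.1) and the OPT1 assignment are assumed, while the LAN subnets are the ones in the captures above.

```pf
# Added example (constructed, not from the thread). Assumptions:
#   - the p2p tunnel on pfSenseB is OpenVPN server instance 1 -> ovpns1
#   - ovpns1 is assigned as OPT1
#   - tunnel network 10.0.8.0/24, pfSenseA = 10.0.8.1, pfSenseB = 10.0.8.2
#   - site A LAN 192.168.50.0/24, site B LAN 192.168.51.0/24 (from the captures)

# Case 1: the pass rule lives on the "OpenVPN" tab.
# That tab is the "openvpn" interface group, and group rules carry no
# reply-to. The echo request is allowed in and a state is created, but the
# state holds no return path, so the echo reply leaving LAN on pfSenseB is
# routed by the LAN policy rule / default route. With no static route to
# 192.168.50.0/24, that is the "host unreachable" seen in the capture.
pass in quick on openvpn inet proto icmp from 192.168.50.0/24 to 192.168.51.0/24 keep state

# Case 2: the same rule moved to the assigned interface tab (OPT1 = ovpns1).
# pfSense generates reply-to with the far end of the tunnel as the gateway,
# so the state remembers that the packet arrived on ovpns1 and the reply is
# sent back out ovpns1 to 10.0.8.1, regardless of the routing table.
pass in quick on ovpns1 reply-to ( ovpns1 10.0.8.1 ) inet proto icmp from 192.168.50.0/24 to 192.168.51.0/24 keep state

# Why the second reply in the thread matters: interface group rules are
# evaluated before interface tab rules. If a matching "pass ... on openvpn"
# rule is still present, it wins first and the state is created without
# reply-to, so the OPT1 rule never gets a chance to apply. The fix is simply
# to have no rule on the OpenVPN tab that matches the tunnel traffic.
```

            On a live box, pfctl -sr on pfSenseB should then list the tunnel rule with reply-to in it; if it does not, the rule is still being matched on the OpenVPN tab.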
            • Maarten. 0

              Yes! That was the problem. I thought I'd tried everything. Thanks Jimp!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.