    Netgate Discussion Forum
    OpenVPN and policy based routing

    Routing and Multi WAN
    Maarten. 0

      I've got a setup with 2 computers connected by 2 pfSense routers through a p2p OpenVPN tunnel. I want to use policy routing instead of static routes. It's just not working without the static routes. If I ping from computerA to computerB, the ping goes through the tunnel and reaches computerB. ComputerB is sending the reply, but the LAN interface on pfSenseB thinks there's no route, but there is a policy routing rule active, it's just not using it on the reply.

      This is the data I got from the Packet Capture, when I ping from Computer A to B, but the reverse (B to A) is the same:

      pfSenseA LAN
      192.168.50.1 > 192.168.51.1: ICMP echo request

      pfSenseA openvpn tunnel
      192.168.50.1 > 192.168.51.1: ICMP echo request

      pfSenseB openvpn tunnel
      192.168.50.1 > 192.168.51.1: ICMP echo request

      pfSenseB LAN
      192.168.50.1 > 192.168.51.1: ICMP echo request
      192.168.51.1 > 192.168.50.1: ICMP echo reply
      192.168.51.254 > 192.168.51.1: ICMP host 192.168.50.1 unreachable

      The reason I want to use policy based routing is that I want to set up 2 tunnels with the gateway failover functionality.

      Is there a way to make this work properly?

      Best regards.


      jimp (Rebel Alliance Developer, Netgate)

        Assign the OpenVPN interfaces on both sides (check wiki/forum for details). Move the OpenVPN firewall rules to the assigned interface tab. That will activate pf's reply-to functionality for the VPN interfaces, and then it will remember the path the packet entered and send the reply back the way it came in.

        Maarten. 0

          Hi Jimp,

          Thanks for your response. Mine is a "little" late, had some other stuff to deal with unfortunately. I've tried what I think you meant, but that's not working for me so I think I misunderstand. I've added screen shots of my current configuration and wireshark results.

          Is this correct? Because it's not working for me.

          Thanks, Maarten

          jimp (Rebel Alliance Developer, Netgate)

            Make sure you don't have any rules on the OpenVPN tab that would match the traffic.

            Maarten. 0

              Yes! That was the problem. I thought I'd tried everything. Thanks Jimp!

              © 2021 Rubicon Communications, LLC
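The two things jimp's answers ask for can be checked from the loaded ruleset. Rules on the OpenVPN tab land on pf's "openvpn" interface group, which pfSense evaluates before per-interface rules and which carries no reply-to, so a matching group rule creates the state before the assigned-interface rule is ever reached; rules on an assigned ovpnsN/ovpncN interface get reply-to and send the reply back through the tunnel. The audit below is an added example, not code from the thread or from pfSense; the rule text, interface names and tunnel addresses are constructed to approximate `pfctl -sr` output.

```shell
#!/bin/sh
# Added example: audit a pfSense ruleset for OpenVPN-tab rules that would win
# before the assigned-interface rules, and for assigned rules lacking reply-to.
# On a live box replace the sample with:  pfctl -sr | openvpn_group_rules
# SAMPLE_RULES is constructed sample output, approximating pfctl -sr format.

SAMPLE_RULES='pass in quick on openvpn inet from 192.168.50.0/24 to 192.168.51.0/24 flags S/SA keep state label "USER_RULE: OpenVPN tab catch-all"
pass in quick on ovpns1 reply-to (ovpns1 10.0.8.2) inet from 192.168.50.0/24 to 192.168.51.0/24 flags S/SA keep state label "USER_RULE: VPN_A"
pass in quick on ovpnc2 reply-to (ovpnc2 10.0.9.1) inet from 192.168.50.0/24 to 192.168.51.0/24 flags S/SA keep state label "USER_RULE: VPN_B"
pass in quick on ovpnc3 inet from 192.168.50.0/24 to 192.168.51.0/24 flags S/SA keep state label "USER_RULE: VPN_C no gateway"
pass in quick on em1 inet from 192.168.51.0/24 to any flags S/SA keep state label "USER_RULE: LAN"'

# Rules on the OpenVPN group tab. Any of these that fits the tunnel traffic
# matches before the assigned-interface rule, creating a state without
# reply-to: the symptom in the thread (reply pushed to the LAN gateway instead).
openvpn_group_rules() {
    awk '$0 ~ /^[a-z]+ (in|out) (quick )?on openvpn /'
}

# Assigned OpenVPN interface rules that still lack reply-to (typically the
# interface has no gateway defined, so nothing can be remembered for the reply).
assigned_rules_without_reply_to() {
    awk '$0 ~ /^[a-z]+ (in|out) (quick )?on ovpn[cs][0-9]+ / && $0 !~ /reply-to/'
}

# Count stdin lines without the leading spaces BSD "wc -l" prints.
count_lines() {
    awk 'END { print NR }'
}

# Report both findings for a ruleset supplied on stdin.
audit() {
    rules=$(cat)
    echo "== OpenVPN tab rules (move these to the assigned interface tab):"
    printf '%s\n' "$rules" | openvpn_group_rules
    echo "== assigned interface rules without reply-to:"
    printf '%s\n' "$rules" | assigned_rules_without_reply_to
}
```

Running `printf '%s\n' "$SAMPLE_RULES" | audit` flags the group catch-all and the ovpnc3 rule; on a box configured as jimp describes, both sections come back empty.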