PfSense OpenVPN Servers (Shared Key) to multiple dd-wrt clients

toyotahead

This is all in a test environment pre putting it into the field….

pfSense is 2.2.5
All OpenVPN's are configured with peer to peer share key
Firewall rules on the WAN are allowing the multiple ports of each openvpn server
pfSense firewall OpenVPN tab has a default allow all rule
All OpenVPN's "Initialization Sequence Completed"

dd-wrt v24
script based setup based on this topic --> https://forum.pfsense.org/index.php?topic=56458.0

dd-wrt firewall script:

Open firewall holes

iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I INPUT 2 -p udp –dport 5511 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p udp --dport 161 -j ACCEPT

pfSense LAN IP 10.100.51.0/24
remote network 10.11.53.0/24
openvpn network 10.254.254.4/30

This is my pfsense routing table:
IPv4
Destination Gateway Flags Use Mtu Netif Expire
default 192.168.51.1 UGS 9636 1500 sk0
10.11.53.0/24 10.254.254.6 UGS 3138 1500 ovpns2
10.12.53.0/24 10.254.254.10 UGS 0 1500 ovpns3
10.13.53.0/24 10.254.254.14 UGS 0 1500 ovpns4
10.14.53.0/24 10.254.254.18 UGS 0 1500 ovpns5
10.15.53.0/24 10.254.254.22 UGS 0 1500 ovpns6
10.100.50.0/24 link#8 U 80688 1500 sk3
10.100.50.1 link#8 UHS 178 16384 lo0
10.100.51.0/24 link#1 U 0 1500 msk0
10.100.51.1 link#1 UHS 0 16384 lo0
10.100.52.0/24 link#2 U 0 1500 msk1
10.100.52.1 link#2 UHS 0 16384 lo0
10.100.53.0/24 link#3 U 0 1500 msk2
10.100.53.1 link#3 UHS 0 16384 lo0
10.100.54.0/24 link#4 U 0 1500 msk3
10.100.54.1 link#4 UHS 0 16384 lo0
10.254.254.1 link#13 UHS 0 16384 lo0
10.254.254.2 link#13 UH 0 1500 ovpns1
10.254.254.5 link#14 UHS 0 16384 lo0
10.254.254.6 link#14 UH 0 1500 ovpns2
10.254.254.9 link#15 UHS 0 16384 lo0
10.254.254.10 link#15 UH 0 1500 ovpns3
10.254.254.13 link#16 UHS 0 16384 lo0
10.254.254.14 link#16 UH 0 1500 ovpns4
10.254.254.17 link#17 UHS 0 16384 lo0
10.254.254.18 link#17 UH 0 1500 ovpns5
10.254.254.21 link#18 UHS 0 16384 lo0
10.254.254.22 link#18 UH 0 1500 ovpns6
127.0.0.1 link#11 UH 602592 16384 lo0
192.168.51.0/24 link#5 U 13153 1500 sk0
192.168.51.106 link#5 UHS 0 16384 lo0

This is my dd-wrt remote site routing table:
Destination LAN NET Subnet Mask Gateway Flags Metric Interface
0.0.0.0 0.0.0.0 192.168.51.1 UG 0 WAN
10.10.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.11.53.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN
10.12.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.13.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.14.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.15.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.100.51.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.254.254.4 255.255.255.252 0.0.0.0 U 0 tun0
169.254.0.0 255.255.0.0 0.0.0.0 U 0 LAN & WLAN
192.168.51.0 255.255.255.0 0.0.0.0 U 0 WAN

Now this is where I believe there is a problem…
-From a device on the remote site I can ping my pfsense lan ip. good
-From a device on my pfsense lan say 10.100.51.10 I can not ping remote ip 10.11.53.1
-If I SSH into the pfsense box I can ping remote ip 10.11.53.1

I am at a loss with the firewalls on either end set to allow traffic flow, as well as routing tables on both end correct why only the pfsense machine can route traffic to the remote site, and not all equipment on the pfsense lan. Is anyone able to shed some light on this? I am loosing hair at an absurd rate on this one.

-I've only quoted as per 1 client site.
-All clients are behaving in the same manor as described.
-This is setup as a hub and spoke type topology

Thanks in advance.

toyotahead

Forgot to mention the firewall on the pfsense box, lan, also has a default allow all rule.

I am thinking this is a routing issue on the pfSense box because I can ping and access remote network services when I am SSH'd into the pfsense box. It's just a matter of clients attached to the pfSense lan are unable to get packets forwarded to the remote site.

Anyone have any thoughts?

cmb

Likely the routing is wrong/missing on the DDWRT side. The routes are correct there, when you ping from the firewall itself it uses the tun IP, and DDWRT tends to be screwy with its routes. Given all that, almost certainly missing/wrong routes on DDWRT. Otherwise it's blocking the traffic from the LAN subnet on DDWRT.

toyotahead

@cmb:

Likely the routing is wrong/missing on the DDWRT side. The routes are correct there, when you ping from the firewall itself it uses the tun IP, and DDWRT tends to be screwy with its routes. Given all that, almost certainly missing/wrong routes on DDWRT. Otherwise it's blocking the traffic from the LAN subnet on DDWRT.

When you say "the routes are correct there", are you referring to the routes located on pfsense, or the dd-wrt routers?

I supplied the routing table for both pfsense, and a dd-wrt remote client. I am fairly new to routing tables. Is there anything obviously wrong?

And If I am reading your reply correctly, I am getting the jist that dd-wrt is something to stay away from… is that correct?

Thanks for your help!!!

cmb

DDWRT is ok, it can just be a pain in routing traffic correctly across site to site VPNs. It seems to always want to NAT things in that context.

I didn't notice the DDWRT routing table. That looks correct as well. The iptables rule should allow pings through.

Run a constant ping from the pfSense LAN to the DDWRT LAN. Go to Diag>Packet Capture, pick the OpenVPN interface, and start the capture. Let it run for a handful of seconds and stop it. If you see the pings leaving there, that'll confirm the issue's on the DDWRT side.

The only thing that'd prevent traffic from LAN getting routed across in that config is if you have a gateway specified on your LAN firewall rule(s), that'll force traffic to that gateway.