Site-to-Site + Synology Diskstation = Problems



  • Hi,

    I've got a seemingly bizarre issue that I can't seem to wrap my head around.
    Network Setup

    • LAN (office): 10.0.0.1/24

    • IPsec (site-to-site to Azure): 10.1.0.0/16

    • OpenVPN (remote users): 10.0.100.0/24

    After a hardware failure, we move our DC to a VM in Azure (10.1.1.6).

    I upgraded our remote users to use pfSense's OpenVPN using RADIUS authentication. I ran into a problem that RADIUS auth requests to 10.1.1.6 were going out on the WAN instead of across the IPsec tunnel. I found this pfSense doc to create a static route to help pfSense generated traffic make its way across the tunnel - problem solved.

    After applying this change, my Synology DiskStation DS415+ can no longer properly communicate to any devices across the IPsec tunnel. It'll reply to ICMP/ping requests, however as soon as I try browsing to the DiskStation's network share via Windows Explorer, the DiskStation start's ARP'ing the DC's IP - which makes no sense as they're in different subnets.

    At this point I figured the DiskStation hated communicating to devices outside of its own subnet. However, OpenVPN clients (10.0.100.0/24) are able to communicate just fine.

    I started reversing pfSense config changes until I got to the static route used to get RADIUS working. Now I'm stuck choosing between OpenVPN RADIUS or DiskStation being on the domain.

    Here's an album of the config's that I believe are relevant: http://imgur.com/a/v20O0



  • The plot thickens a bit more and I get more and more out of my depth of field.

    I have toggled the following value:

    net.inet.ip.redirect = 0 (default 1)

    and communication between the Diskstation and Azure has been restored.

    Have I set myself up for more problems by altering the above flag?

    Thanks in advance!