Netgate Discussion Forum
Can't get OpenVPN data to other router & Network on LAN

Category: OpenVPN
7 Posts 3 Posters 1.4k Views
Ctrl-G, last edited by Apr 28, 2016, 3:47 AM

Hello!

I'm having trouble getting OpenVPN to route traffic over my MPLS to other sites. Here is my configuration:

LAN side:
  * pfSense firewall: 172.40.1.2/20
MPLS router: 172.40.0.1
Other networks accessible via the MPLS router:
  * 172.16.0.0/16
  * 172.20.0.0/16
  * 172.50.0.0/16

I have static routes in the firewall for each of the above networks.

If I am on a computer on the LAN I …
  * AM able to ping 172.40.0.1 (the MPLS router)
  * AM able to ping 172.40.x.y (any other pingable host)
  * AM able to ping 172.16.x.y (any pingable host on the 172.16 network)

If I am connected through OpenVPN, I ...
  * am NOT able to ping 172.40.0.1.
  * AM able to ping any pingable host on 172.40.x.y
  * am NOT able to ping any pingable host on 172.16.x.y

Routes are being pushed to the client (and show up in the client routing table).

If I were to guess I would think that this is a problem with Outbound NAT, at least from what I have read thus far, although I have no clue how to configure that area. It's clear I have something wrong but honestly, it seems like it should just work as is. Can anyone provide any insight? (Also sorry if I've left anything obvious out ... I've been up way too long working on this.)

Thanks in advance for any help,
Bruce

moikerz, last edited by Apr 28, 2016, 4:11 AM

Kind of off-topic: the private IP range for 172 is 172.16.0.0 to 172.31.255.255. Your .40 and .50 networks are outside of this, and will cause problems when trying to access legitimate websites that use those ranges.

The only thing regarding your problem directly that comes to mind is that your firewall rules need to allow for your OpenVPN address range. This is different to your LAN address range.

Ctrl-G, last edited by Apr 28, 2016, 3:17 PM

Hey moikerz .. thanks for the reply! I appreciate your taking a look!

> Kind of off-topic: the private IP range for 172 is 172.16.0.0 to 172.31.255.255. Your .40 and .50 networks are outside of this …

Yea … but it was a design oversight a LONG time ago .. and we just chose to deal with it. Another aside with this though: have any of those (non-private) addresses in 172 ever been assigned?

> The only thing regarding your problem directly that comes to mind, is that your firewall rules need to allow for your OpenVPN address range. This is different to your LAN address range.

In what way … I mean the OpenVPN rule is:

    States . . : (not relevant)
    Protocol . : IPv4 *
    Source . . : *
    Port . . . : *
    Destination: *
    Port . . . : *
    Gateway. . : *
    Queue. . . : none
    Schedule . : (blank)

Also, static routes are defined on the LAN interface so the system should know where to send the data. Or so I would think. (?)

moikerz, last edited by Apr 28, 2016, 10:29 PM

What IP address range is being given to your OpenVPN clients? And is that range allowed to traverse the MPLS?

Ctrl-G, last edited by Apr 29, 2016, 1:19 AM

Moikerz:

That's an outstanding question. I'm not sure now that I think about it (I did not configure it nor ask someone else to do so). I will check into this and let you know. Thank you!

Ctrl-G, last edited by May 3, 2016, 8:08 PM

The MPLS was not configured to allow traffic from the VPN address and the powers that be didn't think it was a good idea. So I set up Outbound NAT to NAT the traffic from the VPN to the LAN and now it's working.

Thank you so much for your help!

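The return-path problem this thread ends up resolving, as an added illustration that is not from any of the posts: a small longest-prefix-match model of the pfSense box, the MPLS router, a LAN host and a remote-site host, using the addresses and static routes from the original post. The OpenVPN tunnel subnet 10.8.0.0/24 and client address 10.8.0.2 are assumptions. It reproduces the symptoms (LAN hosts answer the VPN client because their default gateway is pfSense; the MPLS router and remote sites do not, because they have no route back to the tunnel subnet) and shows why outbound NAT to the pfSense LAN address makes the replies come home.

```python
import ipaddress

# Constructed model of the thread's topology. pfSense, MPLS router and static routes
# come from the post; the OpenVPN tunnel subnet (10.8.0.0/24) and client are assumed.
PFSENSE_LAN = "172.40.1.2"
MPLS_ROUTER = "172.40.0.1"
VPN_CLIENT = "10.8.0.2"
NEXT_HOP_NODE = {PFSENSE_LAN: "pfsense", MPLS_ROUTER: "mpls", "mpls-cloud": "mpls"}

# Per-node routing tables: prefix -> next hop ("local" = directly attached segment).
ROUTES = {
    "pfsense": {"10.8.0.0/24": "local", "172.40.0.0/20": "local",
                "172.16.0.0/16": MPLS_ROUTER, "172.20.0.0/16": MPLS_ROUTER,
                "172.50.0.0/16": MPLS_ROUTER},
    # The MPLS router knows the sites and the LAN, but nothing about the tunnel subnet.
    "mpls": {"172.40.0.0/20": "local", "172.16.0.0/16": "mpls-cloud",
             "172.20.0.0/16": "mpls-cloud", "172.50.0.0/16": "mpls-cloud"},
    # Hosts know their own segment plus a default gateway.
    "lan-host": {"172.40.0.0/20": "local", "0.0.0.0/0": PFSENSE_LAN},
    "remote-host": {"172.16.0.0/16": "local", "0.0.0.0/0": "mpls-cloud"},
}

def lookup(node, dst):
    """Longest-prefix match in one node's table; None when there is no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in ROUTES[node].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def reply_path(responder, reply_dst):
    """Follow an echo reply hop by hop. Returns (nodes visited, reached pfSense?)."""
    path, node = [responder], responder
    while True:
        hop = lookup(node, reply_dst)
        if hop is None:
            return path, False               # no route back: the reply is dropped
        if hop == "local":
            # Delivered on an attached segment; pfSense gets it only if it owns the
            # destination (its own LAN address, or the tunnel subnet on pfSense itself).
            return path, node == "pfsense" or reply_dst == PFSENSE_LAN
        node = NEXT_HOP_NODE[hop]
        path.append(node)

def vpn_ping_answered(responder, outbound_nat):
    """Forward path always works (pfSense holds the static routes); the return path decides."""
    src = PFSENSE_LAN if outbound_nat else VPN_CLIENT   # NAT rewrites the VPN source
    return reply_path(responder, src)[1]
```

The NAT workaround trades visibility: remote sites then see 172.40.1.2 rather than the individual VPN client, so attributing traffic to a particular remote user depends on the pfSense state table and OpenVPN logs.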
johnpoz, LAYER 8 Global Moderator, last edited by May 4, 2016, 1:10 PM

Your design oversight steps on a network that is owned by T-Mobile:

    NetRange:      172.32.0.0 - 172.63.255.255
    CIDR:          172.32.0.0/11
    Organization:  T-Mobile USA, Inc. (TMOBI)

This is a really bad idea, to use public space that is not owned by you internally.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
