[Chugalug] site-to-site multi-lan openvpn routing

Benjamin Stewart stewartbenjamin at gmail.com
Tue Mar 18 12:22:58 UTC 2014


Site B is using for openvpn server options ..

ipv4 tunnel network: 192.168.254.0/24
ipv4 local network/s : 192.168.20.0/24
ipv4 remote network/s: 172.16.1.0/24,172.16.2.0/24

under advanced I have "client-to-client"

Site A is using for openvpn client options ..

ipv4 tunnel network: 192.168.254.0/24
ipv4 remote network/s: 172.16.1.0/24,172.16.2.0/24

------
If the above is true, then it seems you're telling both sites that the
other has the 172.16.x.x networks. That's bound to confuse something!

It might be helpful to see the routes from site A, as well.


On Tue, Mar 18, 2014 at 7:48 AM, Matt Keys <mk6032 at yahoo.com> wrote:

>  I'm hoping someone more familiar with openvpn advanced options can
> assist. I'm pretty sure it's a minor routing issue. I've tried to follow
> the setup instructions here :
> https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1, the difference being I don't want to route traffic destined for the
> internet through the tunnel -- just the inter-lan traffic. I have ..
>
> site A (client)
> pfsense 2
>  - wan $wanip1
>  - lan 192.168.1.0/24
>  - opt1 192.168.10.0/24
>  - opt2 $wanip2
>  - opt3 172.16.1.0/24
>  - opt4 172.16.2.0/24
>
> site B (server)
> pfsense 2
>  - wan $wanip3
>  - lan 192.168.20.0/24
>
> I want 192.168.20.0/24 to be able to see 172.16.1.0/24, 172.16.2.0/24,
> 192.168.10.0/24, and 192.168.30.0/24 (and vice versa). Don't worry about
> .10 or .30 for now, I'm only concerned with 172.16.1.0/24 and 172.16.2.0/24 for testing.
>
> When I bring up the tunnel I can ping from a site A pfsense to site B vm
> in the LAN (192.168.20.2 ), but I can't ping through the tunnel from a host
> in site A to a host in site B.
>
> Inversely, site B pfsense doesn't get any responses from site A pfsense
> pings, or through to a host in site A opt3, opt4, or opt1.
>
> Site B is using for openvpn server options ..
>
> ipv4 tunnel network: 192.168.254.0/24
> ipv4 local network/s : 192.168.20.0/24
> ipv4 remote network/s: 172.16.1.0/24,172.16.2.0/24
>
> under advanced I have "client-to-client"
>
> Site A is using for openvpn client options ..
>
> ipv4 tunnel network: 192.168.254.0/24
> ipv4 remote network/s: 172.16.1.0/24,172.16.2.0/24
>
> Under the client specific overrides tab, I have in advanced ..
>
> iroute 172.16.1.0 255.255.255.0;
> iroute 172.16.2.0 255.255.255.0
>
> Site B shows in diagnostics -> routes ..
>
> default    wanip3.gw.here    UGS    0    244043    1500    em0
> 8.8.4.4   wanip3.gw.here    UGHS    0    6258    1500    em0
> 8.8.8.8    wanip3.gw.here    UGHS    0    214422    1500    em0
> 127.0.0.1    link#5    UH    0    14251    16384    lo0
> 172.16.1.0/24    192.168.254.2    UGS    0    6    1500    ovpns1
> 172.16.2.0/24    192.168.254.2    UGS    0    0    1500    ovpns1
> 192.168.20.0/24    link#2    U    0    35189    1500    re0
> 192.168.20.1    link#2    UHS    0    0    16384    lo0
> 192.168.254.0/24    192.168.254.2    UGS    0    0    1500    ovpns1
> 192.168.254.1    link#8    UHS    0    0    16384    lo0
> 192.168.254.2    link#8    UH    0    0    1500    ovpns1
> 208.67.220.220    wanip3.gw.here    UGHS    0    6245    1500    em0
> 208.67.222.222    wanip3.gw.here   UGHS    0    6245    1500    em0
> wanip3.subnet/29    link#1    U    0    1316630    1500    em0
> wanip3    link#1    UHS    0    0    16384    lo0
>
> Firewall rules are all good for both directions. I don't see any drops in
> the pf logs.
>
> Regards,
> Matt
>
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
>


-- 



                              Benjamin Stewart

                               <o(((><
                               ><)))o>
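The mismatch Benjamin points at above can be checked mechanically. The script below is an added example, not code from the thread or from pfSense; it models the server's "IPv4 Local network/s" and "IPv4 Remote network/s", the client-specific-override iroutes, and the client's "IPv4 Remote network/s" as CIDR lists, and it assumes site A's client-side LANs are the opt3/opt4 networks from Matt's interface list.

```python
from ipaddress import ip_network


def _nets(cidrs):
    return {ip_network(c, strict=False) for c in cidrs}


def check_site_to_site(server_local, server_remote, iroutes, client_lans, client_remote):
    """Return a sorted list of problems; an empty list means the two sides agree.

    server_local:  server's own LANs ("IPv4 Local network/s", pushed to the client)
    server_remote: LANs behind the client ("IPv4 Remote network/s" on the server)
    iroutes:       networks the client-specific override assigns to that client
    client_lans:   LANs actually attached to the client firewall (its interfaces)
    client_remote: LANs behind the server ("IPv4 Remote network/s" on the client)
    """
    s_local, s_remote, iroute = _nets(server_local), _nets(server_remote), _nets(iroutes)
    c_lans, c_remote = _nets(client_lans), _nets(client_remote)
    problems = []
    # Remote on one side must be local on the other: a network both peers call
    # remote is pushed into the tunnel from both ends and owned by neither.
    for n in c_remote & c_lans:
        problems.append(f"client lists its own LAN {n} as remote")
    for n in c_remote - s_local:
        problems.append(f"client remote {n} is not a server local network")
    for n in s_remote - c_lans:
        problems.append(f"server remote {n} is not attached to the client")
    # OpenVPN's internal routing needs one iroute per client-side network, no more.
    for n in s_remote - iroute:
        problems.append(f"no iroute for {n} in the client-specific override")
    for n in iroute - s_remote:
        problems.append(f"iroute {n} has no matching server remote network")
    return sorted(problems)


# Settings as quoted in the thread; client_lans is site A's opt3/opt4 (an assumption).
POSTED = dict(
    server_local=["192.168.20.0/24"],
    server_remote=["172.16.1.0/24", "172.16.2.0/24"],
    iroutes=["172.16.1.0/24", "172.16.2.0/24"],
    client_lans=["172.16.1.0/24", "172.16.2.0/24"],
    client_remote=["172.16.1.0/24", "172.16.2.0/24"],
)
AS_POSTED = check_site_to_site(**POSTED)

# Same layout, but the client is told the server's LAN is what lies across the tunnel.
CORRECTED = check_site_to_site(**{**POSTED, "client_remote": ["192.168.20.0/24"]})

if __name__ == "__main__":
    print("as posted:", AS_POSTED or "ok")
    print("corrected:", CORRECTED or "ok")
```

Run as posted it reports the 172.16.x.x networks as both the client's own LANs and its remote networks; with the client's remote network set to 192.168.20.0/24 it reports nothing.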