[Chugalug] site-to-site multi-lan openvpn routing

Matt Keys mk6032 at yahoo.com
Tue Mar 18 16:28:44 UTC 2014


On 03/18/2014 11:42 AM, Benjamin Stewart wrote:
> Those routes seem right, as far as I can tell at least.
> Where a firewall (or 2) is involved, it's always worth triple-checking 
> your rules. Each firewall should know to allow traffic from each 
> private subnet to talk to the others.
>
> Here are a few more shots in the dark:
> - Can PF-A ping 192.168.20.1?
> - Can 192.168.20.2 ping PF-A?
> - Use traceroute to find out how far the pings are making it.
>
> - If you have console access, try listening to interfaces along the 
> path the pings should be taking with tcpdump -i [iface]
>
> - If it comes installed on PFSense these days, the pftop tool can show 
> you which rules are incrementing their counters, live. Do pings 
> increment counters for Pass rules?
>
> - Sometimes it helps to draw out a problem on your whiteboard.

pf-a to 192.168.20.1 is good, as well as .20.2 (host behind pf-b):

PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: icmp_seq=0 ttl=64 time=53.086 ms
64 bytes from 192.168.20.1: icmp_seq=1 ttl=64 time=24.781 ms
64 bytes from 192.168.20.1: icmp_seq=2 ttl=64 time=41.076 ms

--- 192.168.20.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 24.781/39.648/53.086/11.600 ms

One more step back towards the internal LAN, a host behind pf-a ...

matt at vm:~$ ifconfig | grep -e 172 -e 192
           inet addr:192.168.1.20  Bcast:192.168.1.255 Mask:255.255.255.0
           inet addr:172.16.2.10  Bcast:172.16.2.255 Mask:255.255.255.0
           inet addr:172.16.1.10  Bcast:172.16.1.255 Mask:255.255.255.0
           inet addr:192.168.122.1  Bcast:192.168.122.255 Mask:255.255.255.0
matt at vm:~$ ping 192.168.20.2
PING 192.168.20.2 (192.168.20.2) 56(84) bytes of data.
^C
--- 192.168.20.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms

matt at vm:~$ ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
^C
--- 192.168.20.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms

matt at vm:~$ ping 192.168.254.1
PING 192.168.254.1 (192.168.254.1) 56(84) bytes of data.
^C
--- 192.168.254.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms

matt at vm:~$ ping 192.168.254.6
PING 192.168.254.6 (192.168.254.6) 56(84) bytes of data.
64 bytes from 192.168.254.6: icmp_seq=1 ttl=64 time=0.225 ms
64 bytes from 192.168.254.6: icmp_seq=2 ttl=64 time=0.183 ms
^C
--- 192.168.254.6 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.183/0.204/0.225/0.021 ms
matt at vm:~$

Now the other side...

192.168.20.2 behind pf-b can't ping 172.16.1.1, or 172.16.2.1. It *can* 
ping 192.168.254.6 (pf-a tunnel client IP) though. Thanks for the tips, 
I'll continue troubleshooting when I have more time this evening.

Regards,
Matt
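One common cause that fits the pattern Matt reports (the firewall itself reaches the far LAN while hosts behind it do not, and the far host reaches only the tunnel IP) is the OpenVPN server lacking the internal route, `iroute`, for the subnets behind the client. The block below is an added illustration of the server-side pieces a multi-LAN site-to-site setup needs; it is not configuration from this thread, and pf-b as server at 192.168.254.1, pf-a as client at 192.168.254.6 with certificate CN "pf-a", and the subnet layout are assumptions drawn from the addresses above.

```conf
# Added illustration (not from the thread). Assumed layout, taken from the
# addresses in the thread: pf-b is the OpenVPN server (tunnel 192.168.254.1)
# with LAN 192.168.20.0/24; pf-a is the client (tunnel 192.168.254.6) with
# LANs 172.16.1.0/24 and 172.16.2.0/24. The client CN "pf-a" is a placeholder.

# --- server.conf on pf-b (relevant lines only) ---
dev tun
server 192.168.254.0 255.255.255.0
client-config-dir /etc/openvpn/ccd

# Kernel routes: tell pf-b's OS that the remote LANs live on the tun interface.
route 172.16.1.0 255.255.255.0
route 172.16.2.0 255.255.255.0

# Tell the client where the server-side LAN is (pf-a installs this route).
push "route 192.168.20.0 255.255.255.0"

# --- /etc/openvpn/ccd/pf-a (file name must match the client's CN) ---
# Internal routes: OpenVPN must also know which *client* owns each remote
# subnet. Without these the kernel route exists, but OpenVPN has no client to
# hand 172.16.x.0/24 replies to, and it drops packets arriving from the client
# with a 172.16.x.0/24 source ("bad source address"). That leaves the client's
# own tunnel IP reachable (source 192.168.254.6) while hosts behind it are not.
iroute 172.16.1.0 255.255.255.0
iroute 172.16.2.0 255.255.255.0

# Incomplete variant, for comparison: kernel route present, iroute missing.
#   route 172.16.1.0 255.255.255.0     # in server.conf
#   (no iroute line in ccd/pf-a)       # the gap
# In the pfSense GUI the same two pieces are the server's "IPv4 Remote
# network(s)" field and the "Remote Network(s)" field of the client-specific
# override for that CN.

# Firewall (both sides): rules on the OpenVPN interface must pass traffic
# between each private subnet and the others, e.g. on pf-b allow
# 172.16.1.0/24 and 172.16.2.0/24 -> 192.168.20.0/24, and the reverse on pf-a.
```

The ping matrix above doubles as the check: once the `iroute` lines match the `route` lines, a host behind pf-a should reach 192.168.20.x and 192.168.20.2 should reach 172.16.1.1 and 172.16.2.1, not only the tunnel address.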

