[Chugalug] site-to-site multi-lan openvpn routing

Benjamin Stewart stewartbenjamin at gmail.com
Tue Mar 18 17:21:32 UTC 2014


Sounds like the place to run a tcpdump/pftop is on PF-A. Good luck!


On Tue, Mar 18, 2014 at 12:28 PM, Matt Keys <mk6032 at yahoo.com> wrote:

> On 03/18/2014 11:42 AM, Benjamin Stewart wrote:
>
> > Those routes seem right, as far as I can tell at least.
> > Where a firewall (or 2) is involved, it's always worth triple-checking
> > your rules. Each firewall should know to allow traffic from each private
> > subnet to talk to the others.
> >
> > Here are a few more shots in the dark:
> > - Can PF-A ping 192.168.20.1?
> > - Can 192.168.20.2 ping PF-A?
> > - Use traceroute to find out how far the pings are making it.
> > - If you have console access, try listening to interfaces along the path
> > the pings should be taking with tcpdump -i [iface]
> > - If it comes installed on PFSense these days, the pftop tool can show you
> > which rules are incrementing their counters, live. Do pings increment
> > counters for Pass rules?
> > - Sometimes it helps to draw out a problem on your whiteboard.
>
> pf-a to 192.168.20.1 is good as well as .20.2 (host behind pf-b)
>
> PING 192.168.20.1 (192.168.20.1): 56 data bytes
> 64 bytes from 192.168.20.1: icmp_seq=0 ttl=64 time=53.086 ms
> 64 bytes from 192.168.20.1: icmp_seq=1 ttl=64 time=24.781 ms
> 64 bytes from 192.168.20.1: icmp_seq=2 ttl=64 time=41.076 ms
>
> --- 192.168.20.1 ping statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 24.781/39.648/53.086/11.600 ms
>
> one more step back towards internal lan, a host behind pf-a ...
>
> matt at vm:~$ ifconfig | grep -e 172 -e 192
>           inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet addr:172.16.2.10  Bcast:172.16.2.255  Mask:255.255.255.0
>           inet addr:172.16.1.10  Bcast:172.16.1.255  Mask:255.255.255.0
>           inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
> matt at vm:~$ ping 192.168.20.2
> PING 192.168.20.2 (192.168.20.2) 56(84) bytes of data.
> ^C
> --- 192.168.20.2 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1007ms
>
> matt at vm:~$ ping 192.168.20.1
> PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
> ^C
> --- 192.168.20.1 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1007ms
>
> matt at vm:~$ ping 192.168.254.1
> PING 192.168.254.1 (192.168.254.1) 56(84) bytes of data.
> ^C
> --- 192.168.254.1 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1007ms
>
> matt at vm:~$ ping 192.168.254.6
> PING 192.168.254.6 (192.168.254.6) 56(84) bytes of data.
> 64 bytes from 192.168.254.6: icmp_seq=1 ttl=64 time=0.225 ms
> 64 bytes from 192.168.254.6: icmp_seq=2 ttl=64 time=0.183 ms
> ^C
> --- 192.168.254.6 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.183/0.204/0.225/0.021 ms
> matt at vm:~$
>
> Now the other side...
>
> 192.168.20.2 behind pf-b can't ping 172.16.1.1, or 172.16.2.1. It *can*
> ping 192.168.254.6 (pf-a tunnel client IP) though. Thanks for the tips,
> I'll continue troubleshooting when I have more time this evening.
>
> Regards,
> Matt
>
>
>
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
>


-- 

Benjamin Stewart

 <o(((><
 ><)))o>
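Matt's pings above form a ladder along the path (local tunnel end, remote tunnel end, remote LAN gateway, remote host), and Benjamin's tips say which check belongs to each rung. The script below is an added example, not code from anyone in the thread: it walks that ladder, stops at the first hop that does not answer, and prints the check the thread suggests for that hop. The hop labels and the PROBE hook are my own naming; the addresses are the ones Matt posted.

```shell
#!/bin/sh
# Walk host -> local tunnel end -> remote tunnel end -> remote LAN and
# report the first hop that does not answer. PROBE names the function
# used to test one address; the default sends two ICMP echo requests.

icmp_probe() {
    # $1 = address; success = at least one reply (iputils: -W is seconds)
    ping -c 2 -W 1 "$1" >/dev/null 2>&1
}

# first_break HOP...  (HOP is label=address, in path order)
# Prints the label of the first unreachable hop; prints nothing if all answer.
first_break() {
    for hop in "$@"; do
        label=${hop%%=*}
        addr=${hop#*=}
        if ! "${PROBE:-icmp_probe}" "$addr"; then
            printf '%s\n' "$label"
            return 1
        fi
    done
    return 0
}

# hint LABEL: the check from the thread's advice for the first failing hop.
hint() {
    case "$1" in
        tunnel-local)  echo "LAN host cannot reach its own gateway's tunnel address:" \
                            "check the LAN-side pass rules and the host's route to the tunnel subnet." ;;
        tunnel-remote) echo "Request leaves the local gateway but nothing comes back:" \
                            "tcpdump -i on the tunnel interface at both ends, then confirm the" \
                            "remote gateway has a route back to this source subnet and a pass rule on its tunnel interface." ;;
        remote-lan-gw|remote-host)
                       echo "Tunnel answers end to end but the remote LAN does not:" \
                            "check the remote gateway's LAN pass rules and the remote host's default route." ;;
        *)             echo "unknown hop: $1" ;;
    esac
}

# Example run from a host behind pf-a, in the order Matt probed.
main() {
    first=$(first_break tunnel-local=192.168.254.6 tunnel-remote=192.168.254.1 \
                        remote-lan-gw=192.168.20.1 remote-host=192.168.20.2) \
        && { echo "path ok"; return 0; }
    echo "first break at: $first"
    hint "$first"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh path-ladder.sh run` on the LAN host; set PROBE to your own function (for example one that calls traceroute) to change how each hop is tested.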