PfSense to PfSense Open VPN Routing Issues

BuGaLoU

[H]ard|Gawd
Joined
Apr 24, 2002
Messages
1,156
Lets try this thread again. :) . In the previous thread firewall rules were suggested as a problem. I have rules on both sides of network to allow all traffic on LAN. Some one else suggested a "push" something or another route command that I tried, but I am not sure if I did it right and would love to get that command again.

Original Thread:

I have 2 pfSense routers setup, one at my house and one at my parents house. I successfully got an Open VPN connection up and working between them. The problem I am running into now is I cannot hit hosts behind the router at my parent's house. I can ping the router all day long though. Also, from my parent's side, they can ping my router and all hosts behind it. I know its something with the routing table but I am not sure what as I am not too familiar with open VPN tunnels.

Here is the data:

My house network: 192.168.2.0 /24 GW 192.168.2.1
Parent's House: 192.168.1.0 /24 GW: 192.168.1.1
VPN Tunnel 192.168.254.xxx

Now below are the route tables. Public ips are xxx'd out a bit.

Parent's House Route Table: (open vpn client)
Code:
default 	75.66.xxx.1 	UGS 	0 	8691 	1500 	fxp1 	 
75.66.xxx.0/21 	link#2 	UC 	0 	0 	1500 	fxp1 	 
75.66.xxx.1 	00:01:5c:24:59:02 	UHLW 	2 	20 	1500 	fxp1 	1200
75.66.xxx.xxx 	127.0.0.1 	UGHS 	0 	0 	16384 	lo0 	 
127.0.0.1 	127.0.0.1 	UH 	1 	0 	16384 	lo0 	 
192.168.1.0/24 	link#1 	UC 	0 	0 	1500 	fxp0 	 
192.168.1.10 	00:16:b6:4b:4e:84 	UHLW 	1 	8 	1500 	fxp0 	1081
192.168.1.11 	00:14:bf:90:6f:d1 	UHLW 	1 	13 	1500 	fxp0 	1179
192.168.1.102 	00:e0:4d:74:77:74 	UHLW 	1 	6467 	1500 	fxp0 	981
192.168.2.0/24 	192.168.254.1 	UGS 	0 	306 	1500 	tun0 	 
192.168.254.1 	192.168.254.2 	UH 	1 	0 	1500 	tun0


My House routing table: (openvpn server)

Code:
default 	75.66.xxx.1 	UGS 	0 	69675 	1500 	dc1 	 
75.66.xxx.0/24 	link#2 	UC 	0 	0 	1500 	dc1 	 
75.66.xxx.1 	00:09:12:80:60:01 	UHLW 	2 	80 	1500 	dc1 	1198
75.66.xxx.xxx 	127.0.0.1 	UGHS 	0 	0 	16384 	lo0 	 
127.0.0.1 	127.0.0.1 	UH 	1 	0 	16384 	lo0 	 
192.168.1.0/24 	192.168.254.2 	UGS 	0 	286 	1500 	tun0 	 
192.168.2.0/24 	link#1 	UC 	0 	0 	1500 	dc0 	 
192.168.2.10 	00:04:23:cd:25:5d 	UHLW 	1 	70 	1500 	dc0 	1096
192.168.2.20 	00:18:f3:6c:1a:ca 	UHLW 	1 	71020 	1500 	dc0 	473
192.168.2.21 	00:03:ff:6e:12:ef 	UHLW 	1 	341 	1500 	dc0 	975
192.168.2.22 	00:16:cf:14:50:49 	UHLW 	1 	256 	1500 	dc0 	1133
192.168.254.2 	192.168.254.1 	UH 	1 	8 	1500 	tun0


Traceroute to remote host from Parent's house (trace to 192.168.2.10):
Code:
 1  192.168.254.1 (192.168.254.1)  40.187 ms  24.350 ms  32.570 ms
 2  192.168.2.10 (192.168.2.10)  20.251 ms  18.509 ms  25.925 ms

Traceroute to remote host from my house (trace to 192.168.1.10):
Code:
 1  192.168.254.2 (192.168.254.2)  24.495 ms  21.881 ms  24.568 ms
 2  * * *
-continues timing out to max hops-
 
I made a slight bit of progress on this. I found out I had a field setup wrong in the VPN connection and the random 192.168.1.2 gateway is no longer there. That being said I am still having the same problem. It look like traffic from my side makes it across to my parent's router and this it drops there. Looking at the route tables it doesn't make sense why. The firewall logs show zero drops from these IPs. I updated all the info above with my progress.
 
Why is the route to 75.66.xxx.0 /24 on your end and /21 on your parents end?
 
Static IP's or DHCP?

A /24 is a single class C. A /21 is 8 class C's.

Of course, if that was your problem, then it would not follow that you would be able to ping your parents' side of the VPN tunnel. Hum. Yet still that looks to be the only thing that differs.
 
Static IP's or DHCP?

A /24 is a single class C. A /21 is 8 class C's.

Of course, if that was your problem, then it would not follow that you would be able to ping your parents' side of the VPN tunnel. Hum. Yet still that looks to be the only thing that differs.

DHCP. Tunnel seems ok, the parent side router just refuses to route.
 
I will up the ante and offer $50 via paypal for who ever helps me fix this,
 
Make sure "Client-to-Client VPN" is NOT checked... and at the bottom of your config page add

push "route 192.168.1.0 255.255.255.0";

to the "custom options" section at the bottom of the page

That will push to route to 192.168.1.0 to all the VPN clients. I had this before the forum screwed up, so let me know if you already tried this. But I'm 99% sure this is what you need to do, sounds exactly like the problem I once had.
 
Make sure "Client-to-Client VPN" is NOT checked... and at the bottom of your config page add

push "route 192.168.1.0 255.255.255.0";

to the "custom options" section at the bottom of the page

That will push to route to 192.168.1.0 to all the VPN clients. I had this before the forum screwed up, so let me know if you already tried this. But I'm 99% sure this is what you need to do, sounds exactly like the problem I once had.

Client to client is not checked. I will try this now. This will not break thier normal internet routing will it?
 
Make sure "Client-to-Client VPN" is NOT checked... and at the bottom of your config page add

push "route 192.168.1.0 255.255.255.0";

to the "custom options" section at the bottom of the page

That will push to route to 192.168.1.0 to all the VPN clients. I had this before the forum screwed up, so let me know if you already tried this. But I'm 99% sure this is what you need to do, sounds exactly like the problem I once had.

No dice. Exact same results. I bounced the vpn tunnel but I did not restart the routers. Here are my current route tables (i removed the public facing IPs):

Parents House (client):
Code:
127.0.0.1 	127.0.0.1 	UH 	1 	0 	16384 	lo0 	 
192.168.0.0/24 	192.168.254.1 	UGS 	0 	134 	1500 	tun0 	 
192.168.1.0/24 	link#1 	UC 	0 	0 	1500 	fxp0 	 
192.168.1.10 	00:16:b6:4b:4e:84 	UHLW 	1 	12 	1500 	fxp0 	600
192.168.1.11 	00:14:bf:90:6f:d1 	UHLW 	1 	71 	1500 	fxp0 	1178
192.168.1.100 	00:90:27:0f:a2:de 	UHLW 	1 	2 	1500 	fxp0 	315
192.168.1.101 	00:e0:4d:74:77:74 	UHLW 	1 	18812 	1500 	fxp0 	488
192.168.254.1 	192.168.254.2 	UH 	1 	0 	1500 	tun0


My House (server)
Code:
127.0.0.1 	127.0.0.1 	UH 	1 	0 	16384 	lo0 	 
192.168.0.0/24 	link#1 	UC 	0 	0 	1500 	dc0 	 
192.168.0.10 	00:04:23:cd:25:5d 	UHLW 	1 	8800 	1500 	dc0 	1199
192.168.0.18 	00:c0:b7:cd:2c:66 	UHLW 	1 	18 	1500 	dc0 	733
192.168.0.20 	00:18:f3:6c:1a:ca 	UHLW 	1 	354346 	1500 	dc0 	602
192.168.0.21 	00:1f:e2:92:e2:a0 	UHLW 	1 	294 	1500 	dc0 	1184
192.168.0.22 	00:16:cf:14:50:49 	UHLW 	1 	3897 	1500 	dc0 	1196
192.168.0.28 	00:03:ff:69:12:ef 	UHLW 	1 	14546 	1500 	dc0 	513
192.168.1.0/24 	192.168.254.2 	UGS 	0 	68 	1500 	tun0 	 
192.168.254.2 	192.168.254.1 	UH 	1 	0 	1500 	tun0
 
Oh, I'm sorry I thought your parents house was the client instead use

push "route 192.168.0.0 255.255.255.0";

Note: Your original diagram shows your network as 192.168.2.0, but your most recent table shows 192.168.0.0. So depending upon what your local network is edit the route in the options I put above.
 
Oh, I'm sorry I thought your parents house was the client instead use

push "route 192.168.0.0 255.255.255.0";

Note: Your original diagram shows your network as 192.168.2.0, but your most recent table shows 192.168.0.0. So depending upon what your local network is edit the route in the options I put above.

I got you. I changed it back. I figured the 0 maybe affecting it originally but this isnt the case. I will why what you suggested.

Well I tried the above to no avail. I am still timing out at my parents router's side of the tunnel when I try to ping clients over there. They are non firewalled clients too. I can still ping clients on my home network from my parent's house though. :(
 
Well guys I *think* I fixed it. I was able to hit a host behind my parents router. I suspect a local firewall issue, although I know for a fact one host doesn't have a firewall installed. I am going to check it out a little further today and see if it has something that's telling it not to respond to pings.
 
I am kinda curious, what are you using the VPN for?

Mainly for support. My parents screw stuff up all the time. Its also an easy way to manage patching and to assure their files are backed up.
 
Back
Top