I have a site-site VPN between the following subnets:
Long story short: Using either openvpn or ipsec i'm able to ping every machine on either side of the vpn tunnel just fine, however I can only ping 192.168.2.3 from 192.168.1.0/24 but I cannot access any of its services (ssh/smaba etc) over openvpn. Everything works fine over ipsec. This problem only affects this one host, 192.168.2.3. Every other device is completely accessible via openvpn (in this case everything else is a VM hosted on proxmox host 192.168.2.3).
I have no firewall rules blocking access to 192.168.2.3, I only have an allow all ipv4 rule on both sides for now.
192.168.2.3 is a proxmox host, pfsense is virtualized on this host with access to the vmbr0 (WAN) and vmbr1 (internal vm LAN) interfaces.
ifconfig from 192.168.2.3:
iface lo inet loopback
iface eth0 inet manual
iface vmbr0 inet static
iface vmbr1 inet static
post-up ip route add 192.168.2.0/24 dev vmbr1 src 192.168.2.3 table rt2
post-up ip route add default via 192.168.2.1 dev vmbr1 table rt2
post-up ip rule add from 192.168.2.3/32 table rt2
post-up ip rule add to 192.168.2.3/32 table rt2
Without the additional route rules for the vmbr1 interface none of the VM's hosted on 192.168.2.3 were able to access services on 192.168.2.3 (ping worked though). At first I suspected this may have something to do with my problem, but if it does how come ipsec is unaffected?
traceroute from 192.168.2.3 to 192.168.1.1:
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
1 220.127.116.11 (18.104.22.168) 0.770 ms 0.824 ms 0.913 ms
It doesn't seem to be taking the correct route, and I figure I need another static route back to pfsense at 192.168.2.1 but if I do, again, why does it work fine in ipsec without one? Unfortunately i'm out of my depth, i'm not sure how to add an additional default route, if it's even needed. Thanks for any help with my crazy problems!