pfSense Support Subscription

Author Topic: Strange routing issue site-site with openvpn (works fine in ipsec though).  (Read 104 times)

0 Members and 1 Guest are viewing this topic.

Offline diablo266

  • Jr. Member
  • **
  • Posts: 86
  • Karma: +0/-0
    • View Profile
I have a site-site VPN between the following subnets:

A: 192.168.1.0/24
B: 192.168.2.0/24

Long story short: Using either openvpn or ipsec i'm able to ping every machine on either side of the vpn tunnel just fine, however I can only ping 192.168.2.3 from 192.168.1.0/24 but I cannot access any of its services (ssh/smaba etc) over openvpn. Everything works fine over ipsec. This problem only affects this one host, 192.168.2.3. Every other device is completely accessible via openvpn (in this case everything else is a VM hosted on proxmox host 192.168.2.3).


I have no firewall rules blocking access to 192.168.2.3, I only have an allow all ipv4 rule on both sides for now.


Details:

192.168.2.3 is a proxmox host, pfsense is virtualized on this host with access to the vmbr0 (WAN) and vmbr1 (internal vm LAN) interfaces.

ifconfig from 192.168.2.3:

Code: [Select]
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  187.122.44.197
        netmask  255.255.255.240
        gateway  187.122.44.193
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  192.168.2.3
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up ip route add 192.168.2.0/24 dev vmbr1 src 192.168.2.3 table rt2
        post-up ip route add default via 192.168.2.1 dev vmbr1 table rt2
        post-up ip rule add from 192.168.2.3/32 table rt2
        post-up ip rule add to 192.168.2.3/32 table rt2

Without the additional route rules for the vmbr1 interface none of the VM's hosted on 192.168.2.3 were able to access services on 192.168.2.3 (ping worked though). At first I suspected this may have something to do with my problem, but if it does how come ipsec is unaffected?

traceroute from 192.168.2.3 to 192.168.1.1:
Code: [Select]
traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  187.122.44.194 (198.241.44.194)  0.770 ms  0.824 ms  0.913 ms

It doesn't seem to be taking the correct route, and I figure I need another static route back to pfsense at 192.168.2.1 but if I do, again, why does it work fine in ipsec without one? Unfortunately i'm out of my depth, i'm not sure how to add an additional default route, if it's even needed. Thanks for any help with my crazy problems!