Author Topic: OpenVPN Site-to-Multi-site setup Communication Issue  (Read 126 times)

marpfsense
OpenVPN Site-to-Multi-site setup Communication Issue
« on: December 02, 2017, 04:53:56 pm »
Hi guys,

I really need some assistance... this is driving me nuts :(

I'm in the process of upgrading our VPN setup to an OpenVPN Site-to-Multi-site setup.

Currently experiencing difficulties with getting all sites to communicate with each other AND allowing VoIP traffic among all sites.

-----

Current Setup

HQ
LAN1: 192.168.0.0/24
LAN2: 10.1.0.0/24

VPN (Metronet from ISP; Static routing in pfSense)
VPN Route 1: 10.1.0.252/24
VPN Route 2: 10.1.0.253/24

Branches (Route 1)
10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.13.0.0/24

Branches (Route 2)
10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.12.0.0/24, 10.14.0.0/24

Static Routing
Network          Gateway     Interface
10.2.0.0/24       10.1.0.253     LAN2
10.3.0.0/24       10.1.0.253     LAN2
10.4.0.0/24       10.1.0.253     LAN2
10.5.0.0/24       10.1.0.253     LAN2
10.6.0.0/24       10.1.0.252     LAN2
10.7.0.0/24       10.1.0.252     LAN2
10.8.0.0/24       10.1.0.252     LAN2
10.9.0.0/24       10.1.0.253     LAN2
10.10.0.0/24     10.1.0.253     LAN2
10.11.0.0/24     10.1.0.253     LAN2
10.12.0.0/24     10.1.0.252     LAN2
10.13.0.0/24     10.1.0.253     LAN2
10.14.0.0/24     10.1.0.252     LAN2
-----

New Setup

HQ
LAN: 192.168.0.0/24
OpenVPN Servers (Shared Key)
Server 1
Tunnel: 172.16.2.0/30
Remote: 10.2.0.0/24
Server 9
Tunnel: 172.16.10.0/30
Remote: 10.10.0.0/24
Server 13
Tunnel: 172.16.14.0/30
Remote: 10.14.0.0/24
Server 14
Tunnel: 172.16.15.0/30
Remote: 10.15.0.0/24
Firewall Rules
WAN: Allow respective ports assigned to OpenVPN servers and clients
OpenVPN: Any to Any

Branches
Client 1
LAN: 10.2.0.1
Tunnel: 172.16.2.0/30
Remote: 192.168.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24, 10.15.0.0/24
Firewall Rule
OpenVPN: Any to Any

Client 9
LAN: 10.10.0.1
Tunnel: 172.16.10.0/30
Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24, 10.15.0.0/24
Firewall Rule
OpenVPN: Any to Any

Client 13
LAN: 10.14.0.1
Tunnel: 172.16.14.0/30
Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.15.0.0/24
Firewall Rule
OpenVPN: Any to Any

Client 14
LAN: 10.15.0.1
Tunnel: 172.16.15.0/30
Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24
Firewall Rule
OpenVPN: Any to Any

------

What you see above in the new setup are the enabled sites. Their respective static routes were disabled.

As you can see with Client 14, a new subnet was added to the list. It connected and worked flawlessly. All workstations and VoIP devices behind the client were able to communicate with all the other devices at the other sites.

The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.

Tricky thing is that the firewalls at these sites are able to ping all other sites and subnets.

So while troubleshooting, I figured NAT may be the problem, but it's only a problem with the subnets that were once a part of a static route in the current setup.

With Auto Outbound NAT selected, the workstations ARE NOT ABLE to ping and VoIP devices have NO audio on either end.

With Manual Outbound NAT selected and the OpenVPN interface added, the workstations WERE ABLE to ping and VoIP devices were unable to connect to the Call Server.

With Hybrid Outbound NAT selected with OpenVPN interface being the only manually added setting, the workstations WERE ABLE to ping and VoIP devices were unable to connect to the Call Server.

The PBX ports were allowed on the WAN interface of all 3 clients, but problem persists.

The VoIP devices are a PBX setup with Avaya IP Office Manager.
« Last Edit: December 03, 2017, 04:50:06 am by marpfsense »

Derelict
Re: OpenVPN Site-to-Multi-site setup Communication Issue
« Reply #1 on: December 02, 2017, 05:05:02 pm »
Why are the tunnel networks on your server /30 but /24 on all the clients?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

marpfsense
Re: OpenVPN Site-to-Multi-site setup Communication Issue
« Reply #2 on: December 02, 2017, 05:12:32 pm »
Quote
Why are the tunnel networks on your server /30 but /24 on all the clients?

That was a mistake on my part. Adjusted.
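The first post lists the HQ server instances, the branch clients and their remote-network lists, and Reply #1 points at the /30 versus /24 tunnel mismatch. The script below is an added example, not code from the thread or from pfSense: it transcribes that "New Setup" into per-node routing tables, flags server/client pairs whose tunnel networks differ, and traces a packet hop by hop through the hub so that a specific source and destination can be answered with "delivered", "no route", or "handed to a static gateway outside the OpenVPN topology". Two things are assumed because the page does not state them: the un-migrated branches keep their old static routes at HQ, and all four clients carried the /24 tunnel mask before it was corrected. Node names such as `client1` and `hq` are labels chosen here, not pfSense identifiers.

```python
"""Route-consistency audit for a hub-and-spoke OpenVPN (shared key) setup.

Added example. Topology data is transcribed from the first post of the
thread; the ASSUMED items are not stated on the page.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: IPv4Network
    via: str  # "connected", "ovpn:<peer node>", or a static gateway address


# HQ server instances: client label -> (tunnel network, remote branch LAN)
HQ_SERVERS = {
    "client1": ("172.16.2.0/30", "10.2.0.0/24"),
    "client9": ("172.16.10.0/30", "10.10.0.0/24"),
    "client13": ("172.16.14.0/30", "10.14.0.0/24"),
    "client14": ("172.16.15.0/30", "10.15.0.0/24"),
}
# Tunnel network as typed on each branch client. ASSUMED: all four carried
# the /24 mask that Reply #1 asks about.
CLIENT_TUNNELS = {
    "client1": "172.16.2.0/24",
    "client9": "172.16.10.0/24",
    "client13": "172.16.14.0/24",
    "client14": "172.16.15.0/24",
}
# ASSUMED: static routes for branches not yet migrated stay active at HQ,
# with the gateways from the "Current Setup" table.
HQ_STATIC = {
    "10.1.0.253": ["10.3.0.0/24", "10.4.0.0/24", "10.5.0.0/24",
                   "10.9.0.0/24", "10.11.0.0/24", "10.13.0.0/24"],
    "10.1.0.252": ["10.6.0.0/24", "10.7.0.0/24", "10.8.0.0/24", "10.12.0.0/24"],
}
HQ_LAN = "192.168.0.0/24"
ALL_BRANCH_LANS = [f"10.{i}.0.0/24" for i in range(2, 16)]


def build_tables() -> Dict[str, List[Route]]:
    """Per-node routing tables implied by the thread's configuration."""
    hq: List[Route] = [Route(ip_network(HQ_LAN), "connected")]
    for client, (tun, lan) in HQ_SERVERS.items():
        hq.append(Route(ip_network(tun), f"ovpn:{client}"))
        hq.append(Route(ip_network(lan), f"ovpn:{client}"))
    for gw, nets in HQ_STATIC.items():
        hq.extend(Route(ip_network(n), gw) for n in nets)
    tables = {"hq": hq}
    for client, (_, lan) in HQ_SERVERS.items():
        table = [Route(ip_network(lan), "connected"),
                 Route(ip_network(CLIENT_TUNNELS[client]), "ovpn:hq")]
        # Each client lists the HQ LAN plus every other branch as a remote network.
        table += [Route(ip_network(n), "ovpn:hq")
                  for n in [HQ_LAN] + ALL_BRANCH_LANS if n != lan]
        tables[client] = table
    return tables


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the pfSense/FreeBSD kernel selects a route."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def tunnel_mismatches() -> List[Tuple[str, str, str]]:
    """(client, server-side tunnel, client-side tunnel) where the two sides differ."""
    return [(c, tun, CLIENT_TUNNELS[c])
            for c, (tun, _) in HQ_SERVERS.items()
            if ip_network(tun) != ip_network(CLIENT_TUNNELS[c])]


def trace(tables: Dict[str, List[Route]], start: str, dst: str) -> Tuple[List[str], str]:
    """Follow dst from node `start`, hairpinning through HQ; returns (nodes visited, outcome)."""
    path, node = [start], start
    while True:
        route = lookup(tables[node], dst)
        if route is None:
            return path, f"no route at {node}"
        if route.via == "connected":
            return path, f"delivered at {node}"
        if not route.via.startswith("ovpn:"):
            return path, f"leaves OpenVPN at {node} via static gateway {route.via}"
        node = route.via.split(":", 1)[1]
        if node in path:  # routing loop guard
            return path, "loop"
        path.append(node)


def audit_pairs(tables: Dict[str, List[Route]]) -> Dict[Tuple[str, str], Tuple[List[str], str]]:
    """Trace one host in every migrated site toward one host in every other site."""
    lans = {c: lan for c, (_, lan) in HQ_SERVERS.items()}
    lans["hq"] = HQ_LAN
    report = {}
    for a in lans:
        for b, b_lan in lans.items():
            if a != b:
                report[(a, b)] = trace(tables, a, str(ip_network(b_lan)[10]))
    return report


if __name__ == "__main__":
    tables = build_tables()
    for client, srv, cli in tunnel_mismatches():
        print(f"tunnel mismatch on {client}: server {srv} vs client {cli}")
    for (a, b), (path, outcome) in audit_pairs(tables).items():
        print(f"{a} -> {b}: {' > '.join(path)}: {outcome}")
    print("client1 -> 10.3.0.10:", trace(tables, "client1", "10.3.0.10"))
```

Running it prints the four tunnel mismatches and a delivered forward and return path for every pair of migrated sites, while a destination such as 10.3.0.10 is shown leaving the hub through the static gateway, where the return path is outside anything the OpenVPN configuration controls. That is the kind of per-address statement Reply #3 asks for, and the tunnel check is the first thing to run whenever a shared-key server and client are edited separately.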

Derelict
Re: OpenVPN Site-to-Multi-site setup Communication Issue
« Reply #3 on: December 03, 2017, 02:19:05 am »
Quote
The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.

Please be more specific. Please use specific source and destination addresses. I have no idea what "route 1" and "route 2" are.

marpfsense
Re: OpenVPN Site-to-Multi-site setup Communication Issue
« Reply #4 on: December 03, 2017, 04:40:46 am »
Quote
The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.

Please be more specific. Please use specific source and destination addresses. I have no idea what "route 1" and "route 2" are.

The routes were specified above.

Quote
Current Setup

HQ
LAN1: 192.168.0.0/24; LAN2: 10.1.0.0/24

VPN (Metronet from ISP; Static routing in pfSense)
VPN Route 1: 10.1.0.252/24
VPN Route 2: 10.1.0.253/24

Branches (Route 1) - Static Routes
10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.13.0.0/24

Branches (Route 2) - Static Routes
10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.12.0.0/24, 10.14.0.0/24

Derelict
Re: OpenVPN Site-to-Multi-site setup Communication Issue
« Reply #5 on: December 03, 2017, 11:20:14 am »
It still makes no sense. What is "Static routing network" and how does it work with the OpenVPN tunnels?

I might need a picture. I don't immediately see the topology based on your description.

See sig for a diagram with the sort of information that makes it easy for someone to help you.