I have an issue that I've been unable to solve and could use some suggestions
(or confirmation that it can't be done).
Background
----------
The problem is that I can only access IPs on the other side of a VPN connection
via a static route when on one of our LANs. Here's an overview of the setup
that I think is pertinent:
- pfSense 2.1 release (at both sites)
- LAN1 : 172.24.24.0/24 - pfSense: 172.24.24.1
- LAN2 : 172.24.25.0/24 - pfSense: 172.24.25.1
- other-site LAN: 172.24.32.0/24 - pfSense 172.24.32.1
- Routing:
    WAN_Gateway/default ...
    LAN_Gateway  LAN1  172.24.24.1  172.24.32.1
  static route:
    172.24.32.0/24  LAN_Gateway/172.24.24.1  LAN1
- VPNs:
  always-on IPSec: LAN1 (172.24.24.0/24) <--> other-site LAN (172.24.32.0/24)
  mobile IPSec: 172.24.64.0/24 with 172.24.64.1 gateway
    (P2 Local Network is 0.0.0.0/0 to run all mobile traffic through our net)
  mobile OpenVPN: 172.24.48.0/24 with 172.24.48.1 gateway
    (OpenVPN "Force all client generated traffic through the tunnel." is ON)
- pfSense lists "built-in" routes for:
    172.24.24.0/24
    172.24.25.0/24
    172.24.32.0/24
    172.24.48.0/24
    172.24.64.0/24
- NATs:
    all except other-site LAN subnets are NAT'd to WAN
    LAN1 is NAT'd to LAN2
    LAN2 is NAT'd to LAN1
  (I actually don't remember what didn't work without those LAN-to-LAN NATs and
  don't understand why the default routing shouldn't make them unnecessary --
  comments would also be welcome on this one)
What Works
----------
Systems on LAN1 (172.24.24.0/24) CAN access IPs on other-site LAN
(172.24.32.0/24), presumably via static route (and vice versa, inverse static
route also defined at other-site end).
Systems connected via mobile IPSec VPN (172.24.64.0/24) and OpenVPN
(172.24.48.0/24) CAN access IPs on LAN1 (172.24.24.0/24) and LAN2
(172.24.25.0/24).
Problems
--------
Systems on LAN2 (172.24.25.0/24) CANNOT access IPs on other-site LAN
(172.24.32.0/24).
- LAN2 rule "pass all" for source LAN2 (172.24.25.0/24) exists
Systems connected via mobile IPSec VPN (172.24.64.0/24) CANNOT access IPs on
other-site LAN (172.24.32.0/24).
- IPSec rule "pass all" for source 172.24.64.0/24 exists
Systems connected via OpenVPN (172.24.48.0/24) CANNOT access IPs on other-site
LAN (172.24.32.0/24).
- OpenVPN rule "pass all" for source (172.24.48.0/24) exists
QUESTION
--------
Is there a way to get pfSense to route LAN2 (172.24.25.0/24), mobile IPSec
(172.24.64.0/24) clients and OpenVPN (172.24.48.0/24) clients to the other-site
LAN (172.24.32.0/24) that's connected via IPSec VPN and, if so, how?
FYI, I tried but couldn't figure out how to set up another static route between
"those other" subnets and the other-site LAN -- pfSense had a problem with
anything I attempted ... so, if that's the answer, please be specific about how
to do it.
_______________________________________________
List mailing list
https://lists.pfsense.org/mailman/listinfo/list
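Added illustration, not part of the original post and not pfSense's own code: a small model of how policy-based IPsec selects traffic, assuming (as is the case for a pfSense 2.1 site-to-site tunnel) that a packet only enters the tunnel when its source/destination pair falls inside a configured Phase 2 local/remote pair, and otherwise follows the ordinary routing table. It uses the subnets and the single LAN1 <--> other-site Phase 2 from the post; the host addresses are constructed, and the mobile tunnels' own Phase 2 (0.0.0.0/0) is a different tunnel and is not a selector toward the other site.

```python
from ipaddress import ip_address, ip_network

# Networks as listed in the post.
LAN1 = ip_network("172.24.24.0/24")
LAN2 = ip_network("172.24.25.0/24")
OTHER_SITE = ip_network("172.24.32.0/24")
OPENVPN = ip_network("172.24.48.0/24")
MOBILE_IPSEC = ip_network("172.24.64.0/24")

# Site-to-site Phase 2 (local, remote) pairs described in the post.
# A policy-based tunnel only carries packets whose (src, dst) falls inside
# one of these pairs; everything else is left to the routing table.
SITE_P2 = [(LAN1, OTHER_SITE)]


def matching_p2(src, dst, selectors=SITE_P2):
    """Return the (local, remote) selector that covers src -> dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if src in local and dst in remote:
            return local, remote
    return None


def sources_without_p2(source_nets, dst_net, selectors=SITE_P2):
    """Source networks that have no Phase 2 selector toward dst_net."""
    return [
        net for net in source_nets
        if not any(net.subnet_of(local) and dst_net.subnet_of(remote)
                   for local, remote in selectors)
    ]


if __name__ == "__main__":
    target = "172.24.32.10"  # constructed host on the other-site LAN
    sources = [("LAN1", LAN1), ("LAN2", LAN2),
               ("OpenVPN", OPENVPN), ("mobile IPSec", MOBILE_IPSEC)]
    for name, net in sources:
        host = str(net[10])  # constructed host in each source network
        print(f"{name:13} {host} -> {target}: {matching_p2(host, target)}")
    uncovered = sources_without_p2([n for _, n in sources], OTHER_SITE)
    print("no selector toward other site:", [str(n) for n in uncovered])
```

Only LAN1 sources hit the selector; the other three networks fall through to the routing table, which is the symptom described above.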