Tim Nelson wrote:
----- "Curtis Maurand" <[email protected]> wrote:
> I have a public IP on em1
> I have a private IP on em2 (10.0.1.10/24)
> I have a private IP on OPT1 (10.201.17.1/28)
>
> Normally I would have the OPT interface in a DMZ, but constraints
> aren't allowing me to do that, so the OPT1 interface is also plugged in
> on the local LAN as well.
>
>
> I've assigned a secondary address on a Linux machine on the same
> subnet as OPT1 (10.201.17.3/28). The primary address on the Linux
> machine is 10.0.1.210/24.
>
> I have a VPN set up via the WAN interface to the subnet on the OPT1
> interface.
>
> The tunnel comes up perfectly.
>
> The Linux machine can ping the primary interface on the pfSense machine.
> The Linux machine can ping a host on the other end of the tunnel
> reliably.
> The Linux machine can ping the OPT1 interface, but it is not
> reliable. Huge packet loss numbers.
> I can ping the host on the other end of the tunnel via the OPT1
> interface.
>
> I've tried all sorts of different rules, but I'm allowing any
> traffic and protocol from the OPT1 subnet to the OPT1 interface and
> vice versa. I've allowed all traffic from anywhere and to anywhere on
> the OPT1 interface. I'm at my wits' end. I need two different
> subnets on my LAN and I need to tunnel one of them.
>
> How do I make this happen?
>
What happens if you take the VPN out of the mix... does the
'pingability' of OPT1 still perform the same? What kind of VPN are you
using... IPsec/OpenVPN? Did you assign two gateways to the Linux
machine? Can you verify with a traceroute/tracepath that your traffic
to the remote side of the tunnel is in fact passing via OPT1?
--Tim
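Tim's two questions (which gateway does the Linux box use, and does traffic for the far side of the tunnel actually leave via OPT1?) come down to the kernel's route lookup: the longest-prefix match decides the next hop and, with it, the source address the packet carries. The following is an added example, not code from either poster or from pfSense. It reproduces that lookup over a constructed routing table built from the addresses in the thread; the remote tunnel subnet (172.16.50.0/24) and the interface name eth0 are assumptions, since neither appears in the thread.

```python
import ipaddress

# Constructed routing table modelled on the thread's addresses; this is
# not the output of the poster's machine. Tuples are
# (destination, next-hop gateway or None when on-link, device, preferred source).
LINUX_ROUTES = [
    ("10.0.1.0/24", None, "eth0", "10.0.1.210"),      # primary address, on-link
    ("10.201.17.0/28", None, "eth0", "10.201.17.3"),  # secondary address, on-link
    ("0.0.0.0/0", "10.0.1.10", "eth0", "10.0.1.210"), # default via pfSense em2
]

# Assumption: the subnet on the far side of the tunnel (not given in the thread).
REMOTE_SUBNET = "172.16.50.0/24"

# The same table with an explicit route steering the remote subnet through
# the pfSense OPT1 address, so packets carry the 10.201.17.3 source address.
WITH_TUNNEL_ROUTE = LINUX_ROUTES + [
    (REMOTE_SUBNET, "10.201.17.1", "eth0", "10.201.17.3"),
]


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: the most specific
    destination prefix that contains dst wins. Returns the route tuple or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for dest, via, dev, src in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (dest, via, dev, src), net.prefixlen
    return best


def next_hop_and_source(routes, dst):
    """Return (next hop, source address) the host would use for dst.
    For an on-link route the next hop is the destination itself."""
    route = lookup(routes, dst)
    if route is None:
        return None
    _dest, via, _dev, src = route
    return (via if via is not None else dst, src)


def default_gateways(routes):
    """List every default route's gateway; more than one is the
    'two gateways' situation Tim asks about and should be resolved."""
    return [via for dest, via, _dev, _src in routes
            if ipaddress.ip_network(dest).prefixlen == 0 and via is not None]


if __name__ == "__main__":
    for name, table in (("default only", LINUX_ROUTES),
                        ("with tunnel route", WITH_TUNNEL_ROUTE)):
        hop, src = next_hop_and_source(table, "172.16.50.10")
        print(f"{name:18s} -> next hop {hop:12s} source {src}")
    print("default gateways:", default_gateways(LINUX_ROUTES))
```

On the real host the equivalent check is `ip route get 172.16.50.10` (substituting a real remote address), which prints the gateway and `src` the kernel selected; if it answers with the 10.0.1.x source, the packet is reaching pfSense on em2 rather than OPT1 and will not match a tunnel whose local side is 10.201.17.0/28. A route of the form `ip route add 172.16.50.0/24 via 10.201.17.1 src 10.201.17.3` is what the second table above models.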
It got worse after I wrote. I'm going home for the weekend and I'm
going to deal with it on Monday.
--Curtis