1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

pfSense VPN router behind Tomato

Discussion in 'Tomato Firmware' started by WhiteWidow, Jun 25, 2014.

  1. WhiteWidow

    WhiteWidow Network Newbie Member

    Quick summery of what im trying to accomplish
    Im testing a Netgate pfSense router at home and wish to connect it behind my Shibby Tomato router as not to disrupt my normal home network set up. The VPN will be connected to my corporate location. I have configured the tunnel and have it working if the pfSense router is the gateway. The issue I have now is when I put the pfSense router behind my home tomato router, the VPN on both ends shows connected but I cannot ping the corporate network from the workstation at home I have connected to the pfSense router likewise from corporate to the pfSense subnet.

    Overview of network
    Motorola DOCSIS 3.0 Modem (192.168.100.1)

    Router 1 "Gateway" (192.168.0.1)
    Shibby Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB Big-VPN
    Static Route to pfSense router
    Destination Gateway / Next Hop Subnet Mask Metric Interface
    10.0.9.0 192.168.0.4 255.255.255.0 0 br0 (LAN)
    I have also put 192.168.0.4 in a DMZ in hope to open op all ports to the pfSense router
    NAT is set to ALL > MASQUERADE
    DHCP for the 192.168.0.0 network and DNS is handled by my Windows server for the devices in my home.

    Router 2 "pfSense" (LAN 10.0.9.254)
    WAN IP 192.168.0.4
    DHCP scope 10.0.9.10 - 10.0.9.245
    1 Workstation connected to the LAN (10.0.9.11)
    VPN to corporate shows a connection in pfSense on both ends but can not assess or ping either way
    Corporate is fine as it the other locations currently have a working VPN and I connect fine when the pfSense router is the gateway.
    Firewall has been opened to allow ANY connection on the WAN

    So now im suck. I thought the static route would allow packets through to the pfSense router but no luck. Im thinking its a NAT issue but im not sure. Any help would be appreciated. Thanks.
     
  2. lancethepants

    lancethepants Network Guru Member

    The only thing I can think of is to make sure packet forwarding is enabled.
    http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

    I would think that pfsense would have this on by default thought since it's a router OS. Something to check anyway.
    I also run a VPN daemon from behind the router, but in Debian packet forwarding is off by default.
    The static route looks fine to me, providing you gave it the right information. 10.0.9.0/24 network
    Maybe you could also show what 'netstat -rn' returns when running it on the router.
     
  3. lancethepants

    lancethepants Network Guru Member

    Re-reading through your post to make sure it made sense to me. Your workstation is connected behind the pfsense router you say? I think then that static routing shouldn't be necessary. This sounds more like a port-forwarding/firewall issue from the tomato router to the pfsense router. Not sure though what the issue could be since you have it with dmz and opened up pfsense wan you say.

    edit: what kind of vpn setup is it?
     
    Last edited: Jun 25, 2014
  4. WhiteWidow

    WhiteWidow Network Newbie Member

    netstat -rn from the pfSense router
    Routing tables

    Internet:
    Destination Gateway Flags Refs Use Netif Expire
    default 192.168.0.1 UGS 0 347005 re1
    10.0.9.0/24 link#3 U 0 800027 re2
    10.0.9.254 link#3 UHS 0 0 lo0
    127.0.0.1 link#14 UH 0 36 lo0
    173.XXX.64.XXX 192.168.0.1 UGHS 0 5273 re1
    192.168.0.0/24 link#2 U 0 19842 re1
    192.168.0.4 link#2 UHS 0 0 lo0

    Internet6:
    Destination Gateway Flags Netif Expire
    ::1 ::1 UH lo0
    fe80::%re0/64 link#1 U re0
    fe80::20d:b9ff:fe33:8758%re0 link#1 UHS lo0
    fe80::%re1/64 link#2 U re1
    fe80::9644:52ff:fea6:e6f3%re1 link#2 UHS lo0
    fe80::%re2/64 link#3 U re2
    fe80::20d:b9ff:fe33:875a%re2 link#3 UHS lo0
    fe80::%lo0/64 link#14 U lo0
    fe80::1%lo0 link#14 UHS lo0
    ff01::%re0/32 fe80::20d:b9ff:fe33:8758%re0 U re0
    ff01::%re1/32 fe80::9644:52ff:fea6:e6f3%re1 U re1
    ff01::%re2/32 fe80::20d:b9ff:fe33:875a%re2 U re2
    ff01::%lo0/32 ::1 U lo0
    ff02::%re0/32 fe80::20d:b9ff:fe33:8758%re0 U re0
    ff02::%re1/32 fe80::9644:52ff:fea6:e6f3%re1 U re1
    ff02::%re2/32 fe80::20d:b9ff:fe33:875a%re2 U re2
    ff02::%lo0/32 ::1 U lo0

    netstat -rn from the Tomato router
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    67.xxx.252.xxx 0.0.0.0 255.255.255.255 UH 0 0 0 vlan2
    10.0.9.0 192.168.0.4 255.255.255.0 UG 0 0 0 br0
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    67.xxx.252.xxx 0.0.0.0 255.255.252.0 U 0 0 0 vlan2
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 67.xxx.252.xxx 0.0.0.0 UG 0 0 0 vlan2

    VPN is IPsec and as I said the testing pfSense router and the Corporate pfsense router show the VPN tunnel is connnected
     
    Last edited: Jun 25, 2014

Share This Page