I have an issue accessing a subnet through a VPN connection.

I am currently experiencing an issue where traffic between my office internal network and a subnet behind a machine connected through a VPN client is not being routed correctly.

Specifically, clients on my LAN (10.0.0.0/13) cannot ping or traceroute to a specific host (10.200.99.23) on a different subnet. Only interface eno2 (10.200.99.7) on the "machine gateway computer" is reachable.

Here is a detailed description of the network setup and the steps I have taken so far:

                           +---------------------+
                           |     My computer     |
     --- ------------- <<< |     10.0.0.51/13    |
    |   |                  |                     |
    |   |                  +---------+-----------+
    |   |                            |
    |   |                            | (Office LAN 10.0.0.0/13)
    |   |                            |
    |   |                            v
    |   |                  +---------+-----------+
    |   |                  |       pfSense       |
    |   |                  |     10.0.0.1/13     |
    |   |                  |                     |
    |   |                  |     (VPN Server)    |
    |   |                  |     10.9.0.1/16     |<----
    |   |                  +---------+-----------+     |
    |   |                            |                 |
    |   |                            |                 | 
    |   |                            v                 |
    |   |                  +---------+-----------+     |
    |   |                  | Modem 4G simulating |     |
    |   |                  |    Customer Net     |     |
    |   |                  |     192.168.1.1     |     |
    |   |                  +---------------------+     |   
    |   |                            |                 | (VPN Tunnel)
    |   |                            |                 | CSC assigned IP 10.9.200.99
    |   |                            |                 |
    |   |                            v                 |
    |   |                +---------+---------------+   |
    |   |                |    Linux PC             |   |
    |   |                |  acting as Router       |   |
    |   |   Ping OK      |                         |   |
    |    --------------> |  10.9.200.99 (tun0)     | <-
    |     Ping OK        |192.168.1.219 (eno1) WAN |
     ------------------> |  10.200.99.7 (eno2) LAN | >>> ------------
                         +---------+---------------+                 |
                                     |                               |
                                    eno2                             |
                                     |                               |
                                     |                               |
                          [Ethernet Switch 10/100]                   |
                             /             \                         |   
                            /               \                        |  Ping OK
                           /                 \                       |  from
                          /                   \                      |  10.200.99.7
                         /                     \                     |
                        v                       v                    |
          (ping/traceroute fails)       (ping/traceroute fails)      |
           +--------------------+        +-------------------+       |
           |  OPC host          |        |  HMI host         |       |
           |  10.200.99.23      |        |  10.200.99.22     | <-----
           +--------------------+        +-------------------+   
                 

Network Setup:

  • LAN Subnet: 10.0.0.0/13
  • VPN Subnet: 10.9.0.0/16
  • Problematic Subnet: 10.200.99.0/24
  • Host with Issues: 10.200.99.23
  • Host without Issues: 10.200.99.7 (fixed IP of the eno2 interface)

OpenVPN Configuration:

Server custom config:

route 10.200.99.0 255.255.255.0 10.9.200.99 1

Client Config (user meg200099):

iroute 10.200.99.0 255.255.255.0
ifconfig-push 10.9.200.99 255.255.255.0
push "route 10.200.99.0 255.255.255.0 10.9.200.99"

pfSense Routing Table:

default 192.168.67.1 UGS 6 1500 vtnet2
...
10.200.99.0/24 10.9.200.99 UGS 11 1500 ovpns1
...

Linux PC (acting as Router) Configuration:

  • eno1 is WAN port connected to customer LAN
  • eno2 is internal machine LAN port

Routing Table:

default via 192.168.1.1 dev eno1 proto dhcp src 192.168.1.219 metric 100
10.0.0.0/13 via 10.9.0.1 dev tun0
10.9.0.0/16 dev tun0 proto kernel scope link src 10.9.200.99
10.200.99.0/24 dev eno2 proto kernel scope link src 10.200.99.7
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.219 metric 100
192.168.1.1 dev eno1 proto dhcp scope link src 192.168.1.219 metric 100

Firewall Rules:

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# VPN-side traffic into the machine LAN
-A FORWARD -i tun0 -o eno2 -j ACCEPT
# machine LAN out to the customer LAN / Internet (masqueraded below)
-A FORWARD -i eno2 -o eno1 -j ACCEPT
# replies for flows conntrack has already seen
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# nothing unsolicited from the customer LAN into the machine LAN
-A FORWARD -i eno1 -o eno2 -j REJECT --reject-with icmp-port-unreachable
COMMIT

NAT Rules:

*nat
:PREROUTING ACCEPT [21:1916]
:INPUT ACCEPT [2:156]
:OUTPUT ACCEPT [54:3283]
:POSTROUTING ACCEPT [51:3060]
-A POSTROUTING -o eno1 -j MASQUERADE
COMMIT

Problem Description:

When I try to ping or traceroute from a client on the LAN (10.0.0.51/13) to the host 10.200.99.23, the packets do not reach the destination. However, I can ping 10.200.99.7, the fixed IP of the eno2 interface on the same subnet, without any issues.

Traceroute Output:

tracert 10.200.99.23

1    <1 ms    <1 ms    <1 ms  rt1.fesp.ad [10.0.0.1]
2    86 ms   103 ms    51 ms  10.9.200.99
3     *        *        *     Request timed out.
...

Steps Taken:

  • Moved the REJECT rule to the end of the iptables rules.
  • Added an explicit rule to allow forwarding from tun0 to eno1.
  • Verified routes and connectivity within the 10.200.99.0/24 subnet.
  • Checked syslog and firewall logs for any dropped packets or errors.

Observations:

  • The route 10.200.99.23C appears in the OpenVPN server routing table when attempting to ping from 10.0.0.51.
  • Continuous pings from 10.200.99.23 to 10.200.99.7, 10.0.0.1, and 10.9.200.99 show responses after a few seconds; only the initial attempts fail.

I am seeking assistance to diagnose why 10.0.0.0/13 clients cannot reach 10.200.99.23 while they can reach the eno2 interface with IP 10.200.99.7. Any insights or suggestions on how to resolve this routing issue would be greatly appreciated.

I'm sure the issue is on the Linux computer acting as router, which has 2 Ethernet ports and runs Ubuntu 22.04.

I think the answer has something to do with "bridging" eno2 with tun0!? But how?!

Thank you in advance for your help!
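The post shows the Linux router's `ip route` table and its FORWARD chain, and the natural first check is whether those two, on their own, would let an echo request from 10.0.0.51 reach 10.200.99.23 and the reply come back. The block below is an added example, not code from the question or from any answer: it parses the routing table and the iptables-save filter exactly as posted (embedded here as constructed sample input), does a longest-prefix-match lookup for each hop, and walks the FORWARD rules for the request and its conntrack-ESTABLISHED reply. The rule evaluator is a deliberately simplified model of netfilter (interface and state matches only, first match wins, chain policy otherwise); it does not model `net.ipv4.ip_forward`, `rp_filter`, or what happens when the reply never arrives at the router at all.

```python
import ipaddress

# Constructed sample input: the Linux PC's routing table as shown in the question.
IP_ROUTE = """\
default via 192.168.1.1 dev eno1 proto dhcp src 192.168.1.219 metric 100
10.0.0.0/13 via 10.9.0.1 dev tun0
10.9.0.0/16 dev tun0 proto kernel scope link src 10.9.200.99
10.200.99.0/24 dev eno2 proto kernel scope link src 10.200.99.7
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.219 metric 100
192.168.1.1 dev eno1 proto dhcp scope link src 192.168.1.219 metric 100
"""

# Constructed sample input: the filter table as shown in the question.
IPTABLES_FILTER = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eno2 -j ACCEPT
-A FORWARD -i eno2 -o eno1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eno1 -o eno2 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1]
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns (out_if, next_hop or None for on-link)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    net, via, dev = max(candidates, key=lambda r: r[0].prefixlen)
    return dev, via


def parse_forward(text):
    """Extract the FORWARD chain policy and rules from iptables-save output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith(":FORWARD"):
            policy = parts[1]
        elif parts[:2] == ["-A", "FORWARD"]:
            rule = {}
            for i, tok in enumerate(parts):
                if tok == "-i":
                    rule["in"] = parts[i + 1]
                elif tok == "-o":
                    rule["out"] = parts[i + 1]
                elif tok == "--state":
                    rule["state"] = set(parts[i + 1].split(","))
                elif tok == "-j":
                    rule["target"] = parts[i + 1]
            rules.append(rule)
    return policy, rules


def forward_verdict(policy, rules, in_if, out_if, state="NEW"):
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if "in" in r and r["in"] != in_if:
            continue
        if "out" in r and r["out"] != out_if:
            continue
        if "state" in r and state not in r["state"]:
            continue
        return r["target"]
    return policy


def trace_ping(src, dst, in_if, route_text=IP_ROUTE, filter_text=IPTABLES_FILTER):
    """Forward an echo request arriving on in_if, then its reply, through the router."""
    routes = parse_routes(route_text)
    policy, rules = parse_forward(filter_text)
    out_if, _ = lookup(routes, dst)
    request = forward_verdict(policy, rules, in_if, out_if, "NEW")
    back_if, _ = lookup(routes, src)
    reply = forward_verdict(policy, rules, out_if, back_if, "ESTABLISHED")
    return {"out_if": out_if, "request": request, "reply_out_if": back_if, "reply": reply}


if __name__ == "__main__":
    print(trace_ping("10.0.0.51", "10.200.99.23", "tun0"))
    print(trace_ping("192.168.1.50", "10.200.99.23", "eno1"))
```

Run as-is, the first call reports the request leaving on eno2 with ACCEPT and the reply leaving on tun0 with ACCEPT (it would pass even without the ESTABLISHED rule, because the FORWARD policy is ACCEPT; the only thing the chain ever drops is unsolicited eno1 to eno2 traffic, which the second call shows as REJECT). So, under this model, neither the posted routing table nor the posted filter on the router explains the missing hop 3 in the traceroute; the next place to look is outside this box, in particular whether 10.200.99.23 and 10.200.99.22 have a route back to 10.0.0.0/13 (or a default gateway) pointing at 10.200.99.7, which the question's own observation of pings from 10.200.99.23 that only succeed after a few seconds leaves open. A `tcpdump -ni eno2 icmp` on the router during the ping would settle whether the request leaves eno2 and whether any reply comes back. Separately, note that in OpenVPN the `route` line on the server plus `iroute` in the client-specific config is what binds 10.200.99.0/24 to this client; the `push "route 10.200.99.0 255.255.255.0 10.9.200.99"` line in the same client-specific file pushes that route to the very client that owns the subnet, which is not part of that pairing.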

1
  • Maybe I need to use TAP instead of TUN to make a bridge between the networks?
    – Meloman
    Commented Jun 13 at 7:31
