----- "Curtis Maurand" <cmaur...@xyonet.com> wrote:
> I have a public IP on em1
> I have a private IP on em2 (10.0.1.10/24)
> I have a private IP on OPT1 (10.201.17.1/28)
>
> Normally I would have the OPT interface in a DMZ, but constraints aren't
> allowing me to do that, so the OPT1 interface is also plugged in on the local
> LAN as well.
>
> I've assigned a secondary address on a Linux machine on the same subnet as
> OPT1 (10.201.17.3/28). The primary address on the Linux machine is
> 10.0.1.210/24.
>
> I have a VPN set up via the WAN interface to the subnet on the OPT1 interface.
>
> The tunnel comes up perfectly.
>
> The Linux machine can ping the primary interface on the pfSense machine.
> The Linux machine can ping a host on the other end of the tunnel reliably.
> The Linux machine can ping the OPT1 interface, but it is not reliable. Huge
> packet loss numbers.
> I can ping the host on the other end of the tunnel via the OPT1 interface.
>
> I've tried all sorts of different rules, but I'm allowing any traffic and
> protocol from the OPT1 subnet to the OPT1 interface and vice versa. I've
> allowed all traffic from anywhere and to anywhere on the OPT1 interface.
> I'm at my wit's end. I need two different subnets on my LAN and I need to
> tunnel one of them.
>
> How do I make this happen?
What happens if you take the VPN out of the mix... does the 'pingability' of OPT1 still perform the same?

What kind of VPN are you using... IPsec/OpenVPN?

Did you assign two gateways to the Linux machine? Can you verify with a traceroute/tracepath that your traffic to the remote side of the tunnel is in fact passing via OPT1?

--Tim
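Tim's two questions (which gateway the Linux host uses, and whether tunnel-bound traffic actually leaves via OPT1) come down to a longest-prefix-match route lookup on the host. The example below, added here and not part of the thread, parses a constructed `ip route show` table built from the addresses in Curtis's post and reports the next hop and source address a packet would use; the remote tunnel subnet 192.168.50.0/24 and the interface name eth0 are assumptions.

```python
import ipaddress

# Constructed 'ip route show' output for the Linux host in the thread.
# Addresses are those from the post; the remote tunnel subnet
# 192.168.50.0/24 and the interface name eth0 are assumptions.
ROUTES_LAN_ONLY = """\
default via 10.0.1.10 dev eth0 src 10.0.1.210
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.210
10.201.17.0/28 dev eth0 proto kernel scope link src 10.201.17.3
"""
# Same table with an explicit route for the remote subnet via OPT1.
ROUTES_VIA_OPT1 = ROUTES_LAN_ONLY + "192.168.50.0/24 via 10.201.17.1 dev eth0 src 10.201.17.3\n"


def parse_routes(text):
    """Parse 'ip route show' lines into (network, attrs) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        attrs = dict(zip(fields[1::2], fields[2::2]))  # via/dev/src/... keyword pairs
        routes.append((ipaddress.ip_network(prefix, strict=False), attrs))
    return routes


def route_lookup(text, destination):
    """Longest-prefix match: the next hop and source address a packet to
    `destination` would use (via=None means the destination is on-link)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, attrs in parse_routes(text):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    if best is None:
        return None
    attrs = best[1]
    return {"via": attrs.get("via"), "dev": attrs.get("dev"), "src": attrs.get("src")}


def leaves_via_opt1(text, destination, opt1_gateway="10.201.17.1"):
    """True only if the packet is handed to the OPT1 address of pfSense,
    i.e. the tunnel-bound traffic really uses the 10.201.17.0/28 path."""
    hop = route_lookup(text, destination)
    return hop is not None and hop["via"] == opt1_gateway


if __name__ == "__main__":
    for name, table in (("LAN only", ROUTES_LAN_ONLY), ("with OPT1 route", ROUTES_VIA_OPT1)):
        print(name, route_lookup(table, "192.168.50.5"), leaves_via_opt1(table, "192.168.50.5"))
```

With only the LAN default route the host sends tunnel-bound packets to 10.0.1.10 from 10.0.1.210, so the OPT1 subnet never sees them; the explicit route is what makes the path match what the firewall rules and tunnel expect.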