
I am stumped on this one, I appreciate any help with this scenario because this just seems odd.

We have 3 domain controllers:
DC1 - 192.168.1.2 - main office (LAN port of PFSense)
DC2 - 192.168.1.4 - main office (LAN port of PFSense)
PFSense - 192.168.1.1 Static IP on LAN port. Used as gateway for DC1 and DC2 and the rest of the LAN.
Gateway (RV082) - 192.168.3.1
|
Branch Office Gateway (RV082) - 192.168.0.1
DC3 - 192.168.0.101 - branch office connected via Gateway-Gateway VPN (Cisco RV082)

**Both DC1 and DC2 are able to ping and connect to DC3.
DC3 is currently able to ping and connect to DC1 but unable to ping or connect to DC2.**

The below tracert shows the paths taken from DC3. I can't figure out what those 172.*.*.* addresses are and why DC1 works but DC2 does not. I also can't figure out why connecting to the two DCs takes a different path at hop #4.

**Tracert from 192.168.0.101 (DC3)**

Tracert 192.168.1.2 (DC1)
Tracing route to 192.168.1.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.0.2
2 6 ms 6 ms 6 ms 64-89-6-100.static.wntpr.net [64.89.6.100]
3 7 ms 18 ms 19 ms ras-180-5.wntpr.net [196.12.180.5]
4 12 ms 12 ms 12 ms 172.30.252.97
5 12 ms 12 ms 12 ms 192.168.1.2
Trace complete.

Tracert 192.168.1.4 (DC2)
Tracing route to 192.168.1.4 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.0.2
2 6 ms 6 ms 6 ms 64-89-6-100.static.wntpr.net [64.89.6.100]
3 6 ms 7 ms 7 ms ras-180-5.wntpr.net [196.12.180.5]
4 11 ms 11 ms 11 ms 172.30.253.125
5 172.30.253.125 reports: Destination host unreachable.
Trace complete.

Is there a PFSense configuration issue? Because we have been able to connect without any issues in the past.

Sean

2 Answers


Looks like you're missing a route, or have incorrect policy routing on your LAN rules forcing that traffic to the Internet; the traffic is going over the Internet rather than the VPN.

Chris Buechler
  • The traffic that is going over the internet appears to successfully reach DC1 however. At this time, we do not have any rules set within PFSense besides allowing all LAN and WAN traffic through. – Sean May 25 '11 at 14:31
  • Thank you so much for your information. I actually was able to find out that our ISP router (located in our server room) seems to be the issue. They are working on it now. Our configuration seems to be okay. – Sean May 26 '11 at 20:18

Network unreachable usually means that the reporting system doesn't know how to get to the relevant network.

Host unreachable usually means that the reporting system can reach the network but not the host in question.

In your case, a host unreachable message may be a problem with a firewall service rule, NAT rule/table, a routing misconfiguration, or the ARP cache on the device reporting the message. My guess is that the 172.30.x.x addresses are the VPN endpoints on each side of the VPN connection. Find the endpoint that's using 172.30.253.125 and look at its service rule set, NAT rule set, routing configuration, and dynamic and/or static ARP table.

joeqwerty
  • Thank you so much for your information. I actually was able to find out that our ISP router (located in our server room) seems to be the issue. They are working on it now. Our configuration seems to be okay. – Sean May 26 '11 at 20:19
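Both answers boil down to two checks on the trace: did site-to-site traffic leave private address space (a missing route or policy-routing problem, per the first answer), and which hop reported which flavour of ICMP unreachable (net vs host, per the second). The script below is an added example, not code from either answer; it parses Windows tracert output and applies those two checks to the DC2 trace quoted in the question, which is embedded here as constructed sample input.

```python
import ipaddress
import re

# Constructed sample: the DC2 tracert from the question, copied as sample input.
TRACERT_DC2 = """\
Tracing route to 192.168.1.4 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.0.2
2 6 ms 6 ms 6 ms 64-89-6-100.static.wntpr.net [64.89.6.100]
3 6 ms 7 ms 7 ms ras-180-5.wntpr.net [196.12.180.5]
4 11 ms 11 ms 11 ms 172.30.253.125
5 172.30.253.125 reports: Destination host unreachable.
Trace complete."""

HOP_RE = re.compile(r"^\s*(\d+)\s")                    # hop lines start with a number
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first dotted quad on the line


def parse_tracert(text):
    """Yield (hop, ip or None, note) for each hop line of Windows tracert output.
    The note keeps the ICMP unreachable flavour because it changes the diagnosis:
    'net' = the reporting device has no route to the destination network,
    'host' = it has the route but could not deliver (its ARP/NAT/firewall)."""
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        low = line.lower()
        if "net unreachable" in low:
            note = "net-unreachable"
        elif "host unreachable" in low:
            note = "host-unreachable"
        elif "timed out" in low:
            note = "timeout"
        else:
            note = ""
        ips = IPV4_RE.findall(line)
        yield int(m.group(1)), (ips[0] if ips else None), note


def audit_path(text):
    """Flag hops on public addresses (traffic left the VPN) and the failing hop."""
    public_hops, failure = [], None
    for hop, ip, note in parse_tracert(text):
        if ip is not None and not ipaddress.ip_address(ip).is_private:
            public_hops.append((hop, ip))  # site-to-site traffic should never show these
        if note.endswith("unreachable"):
            failure = (hop, ip, note)      # device to inspect: rules, NAT, routes, ARP
            break
    return {"left_vpn": bool(public_hops), "public_hops": public_hops, "failure": failure}


if __name__ == "__main__":
    print(audit_path(TRACERT_DC2))
```

For the DC2 trace this reports two public hops (the ISP path) and a host-unreachable at hop 5 from 172.30.253.125, which is exactly the device the second answer says to examine.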