Sorry about that. I wrote that huge blob at 3:30 AM. It makes me cringe just looking at it.<div><br></div><div>Below is the network diagram.</div><div> </div><pre>
 72.15.16.176/29 (OpenVPN)
 208.62.71.47/29          switch (1-12)
 10.28.6.0/24  -----------+---------+                +--------------------+
                          |  vlan1  |  eth0 (public) |     Untangle1      | eth1 (LAN)  192.168.0.0/24
                          +---------+----------------+--------------------+---------------+
                                                                                          |
                          switch (13-24)                                                  |
                          +---------+-----------------------------------------------------+
                          |  vlan2  |
                          +----+----+-----LAN clients
</pre><div><br></div><div>The Untangle box is acting as a NAT gateway for the <a href="http://208.62.72.47/29">208.62.72.47/29</a> public addresses (changed).</div>
<div><div>It also does routing from the LAN to the <a href="http://10.32.7.0/24">10.32.7.0/24</a> network. </div></div><div>There is also a bridging firewall/IDS but I didn't put it there.</div><div><br></div><div>Here is the routing table (changed a bit) for the Untangle box:</div>
<div><br></div><pre>
~ # netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.0.2      *               255.255.255.255 UH        0 0          0 tun0
72.15.16.176    *               255.255.255.248 U         0 0          0 eth0
208.62.71.47    *               255.255.255.248 U         0 0          0 eth0
192.168.1.0     172.16.0.2      255.255.255.0   UG        0 0          0 tun0
172.16.0.0      172.16.0.2      255.255.255.0   UG        0 0          0 tun0
192.168.0.0     *               255.255.255.0   U         0 0          0 eth1
10.28.6.0       10.28.6.1       255.255.255.0   UG        0 0          0 eth0
10.28.6.0       *               255.255.255.0   U         0 0          0 eth0
192.0.2.0       *               255.255.255.0   U         0 0          0 dummy0
192.0.2.0       *               255.255.255.0   U         0 0          0 utun
</pre><div> </div><div>I can ping any of the 10.28.6.x addresses directly from the LAN.</div>
<div>I can also ping anything on the Internet from the LAN.</div><div>I can't ping any of the 10.28.6.x addresses from the VPN connection.</div><div><br></div><div>My question was:</div><div><br></div><div>Is it possible for the VPN clients to get a route from the <a href="http://172.16.0.0/24">172.16.0.0/24</a> network</div>
<div>to the <a href="http://10.28.6.0/24">10.28.6.0/24</a> network through OpenVPN (I don't know much about OpenVPN)?</div><div><br></div><div>I finally heard back from the Untangle folks, and it looks like there is a way to do that;</div>
<div>it's just that the Untangle GUI doesn't have an option for pushing routes to the clients.</div><div><br></div><div>As long as we can access the <a href="http://10.28.6.0/24">10.28.6.0/24</a> network from the LAN, that's good enough.</div>
<div><br></div><div><br></div><div><div class="gmail_quote">On Sat, Sep 10, 2011 at 5:40 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
On Sat, 2011-09-10 at 03:49 -0400, David Hillman wrote:<br>
> At work, we are using Untangle as the main router/gateway for our LAN, it's<br>
> mainly for the ease with which it does OpenVPN configuration. The Untangle<br>
> box has two networks coming in on the public interface. One of the networks<br>
> goes out to a T1 connection with 10 public IPs. The other network goes to<br>
> another internal router that our main network guys manage. The Untangle box<br>
> only has two interfaces, but it is sitting behind a switch with multiple<br>
> VLANs. I was able to add aliases for all of the IPs we have on both<br>
> networks and a static route to the network controlled by the internal<br>
> router; the default gateway on the Untangle box is set to the managed router<br>
> for the T1 connection. Everything seems to work fine on the LAN, but none<br>
> of the OpenVPN clients can reach the network that is controlled by our other<br>
> internal router. I am guessing that's because the information about that<br>
> static route isn't known by any of those clients. VPN clients can hit any<br>
> of the machines on the LAN behind the Untangle box. My issue is how do I<br>
> add the route to the other network without messing things up. I would<br>
> prefer to add the route to the Untangle server and then push that to the<br>
> clients. Lord knows how I would get my iPad to handle a static route over<br>
> OpenVPN.<br>
<br>
I've read that paragraph a half a dozen times and I still have only a<br>
vague notion of what you are describing.<br>
<br>
DRAW A PICTURE. Even if it's ascii art. I tried drawing a network<br>
diagram from what you described in that solid block of words above and<br>
failed. About 1/3 of the way through the paragraph, I'm lost in a cloud<br>
of words going "what was that again?"<br>
<br>
1) Draw a picture showing us what you have and describe it.<br>
<br>
2) Tell us what you want to do.<br>
<br>
3) Tell us what your observations are.<br>
<br>
4) Tell us what your thoughts are based on the above.<br>
<br>
5) Do it in separate paragraphs.<br>
<br>
I think that paragraph above should be at least 4 paragraphs (plus a<br>
drawing) and then you might have a better shot at getting an answer.<br>
<br>
> For testing purposes, I tried logging into the Untangle box and setting the<br>
> route there, but I got a weird "SIOCADDRT: no such device" error. This is<br>
> the command that I used:<br>
<br>
> route add -net <a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a> 192.168.0.1<br>
<br>
That error generally means you tried to add a route through a gateway it<br>
did not know how to route through. But... Don't you have another error<br>
in there? Shouldn't that command be:<br>
<br>
route add -net <a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a> gw 192.168.0.1<br>
<br>
Note the missing "gw". In terms of the more modern ip command:<br>
<br>
ip route add <a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a> via 192.168.0.1<br>
<br>
You might try the ip command as well. It might give you a better (or at<br>
least different) error.<br>
<br>
<br>
You'll also need to show us the output from:<br>
<br>
netstat -nr<br>
<br>
- or -<br>
<br>
ip route ls<br>
<br>
My guess would be it doesn't know how to route to 192.168.0.1 but,<br>
without seeing the routing table, that's a wild ass guess.<br>
<br>
> Maybe I am misunderstanding how OpenVPN routing works, but according to the<br>
> routing table, 172.16.0.0 is the network that tun0 uses. However, I was<br>
> given a 192.168.5.x IP address when I logged in through OpenVPN. It<br>
> shouldn't matter, as long as my local machine knows how to handle the route<br>
> to the other network. 192.168.0.1 is the IP address for the Untangle<br>
> router.<br>
<br>
> Can anyone clear this up?<br>
<br>
I don't even know how to start with a clearer idea of what you have and<br>
what you are trying to do.<br>
<br>
Regards,<br>
Mike<br>
<font color="#888888">--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
</font><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br></div>
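As an added example (not from the thread), a small Python model of the two routing tables shows why the Untangle box reaches 10.28.6.x while a VPN client does not, and what an OpenVPN push "route" directive changes for the client. The client's home LAN (10.0.0.0/24 via 10.0.0.1 on wlan0) and its tunnel gateway 192.168.5.1 are assumptions; the server table is transcribed from the netstat -r output above.

```python
import ipaddress
# Untangle box's routing table, transcribed from the netstat -r output in the
# thread ("*" = no gateway, destination is on-link; dummy0/utun left out).
UNTANGLE_TABLE = """
172.16.0.2    *            255.255.255.255 tun0
72.15.16.176  *            255.255.255.248 eth0
208.62.71.47  *            255.255.255.248 eth0
192.168.1.0   172.16.0.2   255.255.255.0   tun0
172.16.0.0    172.16.0.2   255.255.255.0   tun0
192.168.0.0   *            255.255.255.0   eth1
10.28.6.0     10.28.6.1    255.255.255.0   eth0
10.28.6.0     *            255.255.255.0   eth0
"""

# A VPN client's table, constructed for this example: home LAN 10.0.0.0/24 and
# tunnel gateway 192.168.5.1 are assumed; OpenVPN has pushed only 192.168.0.0/24.
CLIENT_TABLE = """
0.0.0.0       10.0.0.1     0.0.0.0         wlan0
10.0.0.0      *            255.255.255.0   wlan0
192.168.5.0   *            255.255.255.0   tun0
192.168.0.0   192.168.5.1  255.255.255.0   tun0
"""

def parse_table(text):
    """Turn 'dest gw mask iface' lines into (network, gateway-or-None, iface)."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, mask, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "*" else gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match as the kernel does it; ties go to the earlier entry."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def push_directive(cidr):
    """server.conf line that makes OpenVPN install this route on every client."""
    net = ipaddress.ip_network(cidr)
    return f'push "route {net.network_address} {net.netmask}"'

def with_pushed_route(routes, cidr, tun_gw="192.168.5.1", iface="tun0"):
    """The client's table after OpenVPN installs the pushed route over the tunnel."""
    return routes + [(ipaddress.ip_network(cidr), tun_gw, iface)]
```

Without the pushed route, the client's packets for 10.28.6.x follow its own default route and never enter the tunnel, which is exactly the symptom described above.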