management interface client-pf

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

kneh
OpenVpn Newbie
Posts: 1
Joined: Thu May 22, 2014 1:24 pm

Post by kneh » Thu May 22, 2014 2:18 pm

I want to use openvpn as a central router for servicing automation networks.
For this I use client-to-client and the client-pf of the management interface.

In general:
Systems are behind an openvpn client that automatically connects to the router (periodically).
Engineers use openvpn clients and connect to the same router.
Systems and Engineers all have their own certificate by which they can be identified.

To control the traffic I planned to make use of the management interface client-pf feature.
I have client-to-client enabled.
I deny any traffic, except between one System and zero or more Engineers.
Engineers can never be connected to multiple Systems at the same time.
Systems never connect to systems.

E.g. when connecting engineer_A to system_A,
system_A gets:

    [CLIENTS DROP]
    engineer_A
    [SUBNETS DROP]
    [END]

And engineer_A gets:

    [CLIENTS DROP]
    system_A
    [SUBNETS DROP]
    [END]

And system_B gets:

    [CLIENTS DROP]
    [SUBNETS DROP]
    [END]

Then later, when I want to let engineer_A connect to system_B, I make sure that
(OpenVPN is not restarted here):

system_A gets:

    [CLIENTS DROP]
    [SUBNETS DROP]
    [END]

and engineer_A gets:

    [CLIENTS DROP]
    system_B
    [SUBNETS DROP]
    [END]

and system_B gets:

    [CLIENTS DROP]
    engineer_A
    [SUBNETS DROP]
    [END]
Now my problem is that:
Initially engineer_A can ping the network behind the client of system_A.
But when I change to engineer_A <=> system_B, engineer_A cannot ping the network behind the client of system_A or system_B.
However, when I change back to engineer_A <=> system_A, engineer_A can access the network behind the client of system_A again.
The first configuration after the OpenVPN server starts always works.

Any ideas what's going wrong here?

Thanks in advance,

Henk
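An added example, not code from the post or from the OpenVPN project: it generates the per-client rulesets described above for a given Engineer-to-System assignment (both sides of a pairing list each other, everyone else gets an empty deny-all list) and frames each one as the management-interface "client-pf" command. The CN-to-CID mapping, the management host/port and the server running with --management-client-pf are assumptions.

```python
import socket


def build_client_pf(allowed_cns, allowed_subnets=()):
    """Render one client-pf ruleset in the form used in the post: default DROP
    for both sections, with the listed common names / subnets as the exceptions."""
    lines = ["[CLIENTS DROP]", *allowed_cns, "[SUBNETS DROP]", *allowed_subnets, "[END]"]
    return "\n".join(lines) + "\n"


def rulesets_for_pairings(systems, engineers, pairings):
    """pairings maps Engineer CN -> System CN; a dict key holds one value, so an
    Engineer can never be assigned to two Systems at once.  Returns CN -> ruleset
    for every client: the two sides of each pairing list each other (client-to-
    client traffic is checked against both peers' filters), every other client
    gets an empty exception list, and Systems only ever list Engineers."""
    unknown = (set(pairings) - set(engineers)) | (set(pairings.values()) - set(systems))
    if unknown:
        raise ValueError(f"pairing references unknown client(s): {sorted(unknown)}")
    rules = {}
    for s in systems:
        rules[s] = build_client_pf(sorted(e for e, t in pairings.items() if t == s))
    for e in engineers:
        rules[e] = build_client_pf([pairings[e]] if e in pairings else [])
    return rules


def management_command(cid, ruleset):
    """Frame a ruleset as the management-interface 'client-pf' command: the
    command line carrying the client's CID, the ruleset text, then a bare END."""
    return f"client-pf {cid}\n{ruleset}END\n"


def push_rulesets(cids, rules, host="127.0.0.1", port=7505):
    """Assumed deployment detail: send every ruleset to a management interface
    listening on host:port (server started with --management-client-pf); cids
    maps CN -> CID as learned from the server's client notifications."""
    with socket.create_connection((host, port)) as sock:
        for cn, ruleset in rules.items():
            sock.sendall(management_command(cids[cn], ruleset).encode())
        sock.sendall(b"quit\n")


if __name__ == "__main__":
    systems, engineers = {"system_A", "system_B"}, {"engineer_A"}
    for target in ("system_A", "system_B"):  # the two steps described in the post
        rules = rulesets_for_pairings(systems, engineers, {"engineer_A": target})
        for cn, text in sorted(rules.items()):
            print(f"--- {cn} ---\n{text}", end="")
```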