Netgate Discussion Forum

    looking for advice on implementing site to site VPN

    General pfSense Questions
    pzanga @jimp

      @jimp and @JKnott

      Thanks for the input. From my research so far, IPsec has seemed like the best solution for me. I will keep on reading, with a focus on IPsec.
      WireGuard did seem like an interesting solution that I was seriously looking at before it was removed from FreeBSD and pfSense. Seemed like a pretty straightforward configuration that would have met my needs. Once the current package is further along in development it is something I would like to revisit.

      Any further advice is still welcome. And I am sure I will have some more questions as I get closer to actually implementing.

      Thanks again.

      jlw52761 @pzanga

        @pzanga IPSec with VTI, then use BGP for the routing. Works really well and you can even push default routes using BGP, or just use Policy Based Routing (PBR) and gateway groups.

        pzanga @jimp

          @jimp @jlw52761

          Thought I'd give some quick follow-up since I finally had time to set this up.
          I went with IPsec using AES-GCM as suggested and enabled the SafeXcel module. I used tunnel mode for phase 2 as that seemed simplest at this point, given my knowledge/comfort level.
          The tunnel connects and I can ping the various devices (network printers, APs, managed routers, etc) at the remote site in either direction, i.e. Site A-->Site B or Site B-->Site A, as well as connect to their web UIs.
          However, I cannot ping any of the remote PCs (Windows 10, Windows Server 2012 R2) in either direction. I can ping them locally. I'm assuming it's not due to the firewall/pfSense since I can connect to anything that is not a PC. But never assume, right? IPsec firewall rules are configured to allow any/all on both sides.
          I'm just starting to dig into this, but I don't see anything obvious in the network settings on my PCs and haven't found any posts describing the same situation. I'll likely put up a new post once I have more info, but any thoughts on where to focus my efforts would be appreciated.

          stephenw10 Netgate Administrator

            Typically that would be Windows firewall on the PCs configured to allow traffic only from their own subnet. Since you are now trying to connect from a remote subnet they reject it.
            You can test that by adding an outbound NAT rule on the pfSense LAN at the remote end. PCs will then see the traffic as coming from the pfSense LAN IP and allow it. That should be a test only though. If it works then add the remote subnets as allowed on the PCs you need to reach.

            Steve

            pzanga @stephenw10

              @stephenw10
              Thanks. That makes sense. From my research so far it looks like Windows firewall is the likely culprit.
              I'm just not sure exactly how to configure the outbound NAT rule. I think it would be as follows:
              Site A = main office, Site B = satellite (remote) office; setting up the rule on pfSense at Site B

              Interface: IPsec
              Address family: IPv4 (we don't use IPv6)
              Protocol: Any
              Source: Network, Site B subnet 192.168.0.0/24
              Destination: Network, Site A subnet 192.168.0.0/24
              Translation
              Address: Interface address or other subnet? - this one I'm not clear on

              Appreciate any help.

              (edit - I hit submit before I was done)

              stephenw10 Netgate Administrator

                In order to access a PC at site B from site A the OBN rule would have to be on the LAN interface at site B and match the traffic coming from site A. That way it translates the source IP to the site B LAN IP and hosts there see it as coming from their own subnet.

                Steve

                pzanga @stephenw10

                  @stephenw10
                  Thanks Steve. Pretty sure I get it now.
                  So the interface would be the LAN,
                  Source would be the Site A subnet,
                  Destination would be Site B subnet,
                  Address would be Interface address (the IP of the LAN).

                  I was making the mistake of thinking Outbound is always outbound to the internet, instead of outbound from the interface in question (i.e. traffic inbound from the internet to the WAN interface becomes outbound from the LAN interface to the LAN).
                  Would it be an oversimplification to say Inbound NAT is used to modify/change the destination of traffic across an interface, and Outbound NAT is used to modify/change the source of traffic across an interface? I don't see that as part of any definition I have found, but seems to be one way to look at it. But I digress from the topic at hand.

                  Thanks again.

                  stephenw10 Netgate Administrator

                    Yes, outbound NAT is Source NAT. You might also see that as S-NAT in some places.

                    Further reading 😉 : https://www.freebsd.org/cgi/man.cgi?pf.conf(5)#TRANSLATION

                    Steve

                    pzanga @stephenw10

                      @stephenw10
                      Thanks again. The test worked. So now I'll update the individual PCs as needed.

                      And thanks for the reading material. I really appreciate it.

                      bmeeks @pzanga

                        @pzanga said in looking for advice on implementing site to site VPN:

                        @stephenw10
                        Thanks again. The test worked. So now I'll update the individual PCs as needed.

                        And thanks for the reading material. I really appreciate it.

                        If your Windows devices are part of an Active Directory Domain, you can easily manage the Windows Firewall policies via Group Policy. Here's a link to some Microsoft documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security. What you will want to do is add "allow" rules for traffic inbound from your remote site networks.

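The per-PC fix that Steve and bmeeks describe, as an added example that is not code from this thread or from Netgate: it scopes inbound Windows Firewall rules to the remote site's subnet instead of the default LocalSubnet, so the outbound NAT workaround can be removed again (source NAT hides the true origin of the traffic from the PC, which is why it was only a test). It is meant to be run in an elevated PowerShell on each PC, or the same rules can be built in the Group Policy editor. The subnets, rule names and group name are assumptions: the thread lists both sites as 192.168.0.0/24, but a routed tunnel needs distinct subnets, so the example assumes site A is 192.168.1.0/24 and site B is 192.168.0.0/24 and is written from a site B PC's point of view.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. ASSUMPTIONS: site A LAN = 192.168.1.0/24,
# site B LAN = 192.168.0.0/24 (the thread gives both as 192.168.0.0/24); this
# runs on a site B PC, so the "remote" side is site A. Rule/group names are made up.

$RemoteSubnets = @('192.168.1.0/24')   # far side of the IPsec tunnel from this PC
$RuleGroup     = 'Site-to-Site VPN'

# 1. Allow ICMPv4 echo requests (ping) from the remote site. The built-in
#    "File and Printer Sharing (Echo Request - ICMPv4-In)" rule is normally
#    scoped to LocalSubnet, which is exactly why pings from the other site fail.
New-NetFirewallRule -DisplayName "$RuleGroup - ICMPv4 echo from remote site" `
    -Group $RuleGroup -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $RemoteSubnets -Profile Domain,Private -Action Allow | Out-Null

# 2. Allow only the management protocols you actually use across the tunnel.
#    RDP and SMB are shown as illustrations; drop whichever you do not need.
New-NetFirewallRule -DisplayName "$RuleGroup - RDP from remote site" `
    -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $RemoteSubnets -Profile Domain,Private -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "$RuleGroup - SMB from remote site" `
    -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $RemoteSubnets -Profile Domain,Private -Action Allow | Out-Null

# 3. Verify: list the enabled inbound rules in the group with their remote scope,
#    so you can confirm nothing was accidentally opened to Any.
Get-NetFirewallRule -Group $RuleGroup -Direction Inbound -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

The rules are limited to the Domain and Private profiles on purpose: a laptop that later joins a public network should not carry an open RDP or SMB rule with it, and the remote-address scope keeps the exposure to the one subnet on the far end of the tunnel rather than to everything that can route to the PC. On a domain you would put the same three rules into a GPO under Windows Defender Firewall with Advanced Security, as bmeeks' link describes, instead of running this on each machine.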
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.