    MPLS Routing

    Routing and Multi WAN
      rustydusty1717 @rustydusty1717

      @rustydusty1717 I was hoping to disable the IPsec after hours and test routing things over the MPLS. Once I can verify everything functions the IPsec won't be needed anymore.

        michmoor LAYER 8 Rebel Alliance @rustydusty1717

        @rustydusty1717 if you disable IPsec, how will you connect to the remote side? I assume you have some sort of cutover plan.
        In any event, if there is only one path then static routing will be all you need.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          rustydusty1717 @michmoor

          @michmoor what's the best way to set up the static routes? Haven't had to do them before in pfsense.

            michmoor LAYER 8 Rebel Alliance @rustydusty1717

            @rustydusty1717
            https://docs.netgate.com/pfsense/en/latest/routing/static.html#static-routes

              rustydusty1717

              So I've added 192.168.60.0/24 (LAN on other side) to the static routes, disabled the IPsec tunnel and am not able to reach across the MPLS. Do I also need to add static routes for the MPLS networks on both sides as well?

                michmoor LAYER 8 Rebel Alliance @rustydusty1717

                @rustydusty1717 So you created a gateway as well? Can you ping across the MPLS - from pfsense to pfsense?

                  rustydusty1717 @michmoor

                  @michmoor correct I have my WAN gateway and then OPT as the 2nd gateway for the MPLS. I can ping the MPLS on the other end. Just can't reach anything on the LAN on other side. Wondering if my static routes are wrong or if I need to do anything with outbound NAT.

                    michmoor LAYER 8 Rebel Alliance @rustydusty1717

                    @rustydusty1717
                    Do you have firewall rules that state that your LAN can reach the network 192.168.60.0/24? What do those rules look like?

                    Are your gateways UP?
                    Can you ping from your pfsense? So log in to your pfsense via ssh. From the CLI initiate a ping, so ping 192.168.60.1 (if that's an address on the other side).

                      rustydusty1717 @michmoor

                      @michmoor can ping the MPLS gateway on the other end however not the firewall or LAN on other end. It's not a pfsense/netgate unfortunately.

                        michmoor LAYER 8 Rebel Alliance @rustydusty1717

                        @rustydusty1717 Does the MPLS side have a route back?

                          rustydusty1717 @michmoor

                          @michmoor yes it does. Should outbound NAT be turned off?

                            michmoor LAYER 8 Rebel Alliance @rustydusty1717

                            @rustydusty1717 Whatever you are NATting to, the other side must know how to get back to that IP.
                            If this is a site 2 site link generally NAT wouldn't be needed, but it depends on your design.

                              rustydusty1717 @michmoor

                              @michmoor said in MPLS Routing:

                              If this is a site 2 site link generally NAT wouldn't be needed but depends on your design.

                              So we are now able to reach each LAN on both sides, but any remote site (OpenVPN site to site) can't reach the LAN on the other side of the MPLS.

                              What's weird is that using the old IPsec instead of MPLS it all works fine. The OpenVPN site-to-site tunnels already have the LAN of the other side of the MPLS. Besides doing static routing at my primary site for the LAN on the other side of the MPLS it should all work, no?

                              Doing tracert from a remote site on my side hits the OpenVPN assigned tunnel network then fails. Revert back to IPsec and routing works perfectly.
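
As an added illustration (not code from the thread or from pfSense) of michmoor's point that the far side must have a route back, and of the remote-OpenVPN-site failure described above: a small Python model that walks routing tables hop by hop in both directions. The topology, router names and addresses are constructed assumptions; the far-side firewall is given a return route for the primary LAN only, so pings from the primary LAN work while pings from a remote OpenVPN site reach the far side but cannot get a reply back.

```python
import copy
import ipaddress

# Constructed topology (an assumption, not taken from the thread): a remote site
# reached over OpenVPN, the primary pfSense, and the non-pfSense firewall on the
# far end of the MPLS. Each table maps prefix -> next hop; None = directly connected.
ROUTES = {
    "remote":  {"10.10.0.0/24": None, "0.0.0.0/0": "primary"},
    "primary": {"192.168.50.0/24": None,
                "10.10.0.0/24": "remote",       # OpenVPN site-to-site
                "192.168.60.0/24": "farside"},  # static route via the MPLS gateway
    "farside": {"192.168.60.0/24": None,
                "192.168.50.0/24": "primary"},  # knows the primary LAN only
}

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None if no route."""
    dst, best = ipaddress.ip_address(str(dst)), None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(routes, start, dst, max_hops=8):
    """Follow the tables hop by hop; returns (delivered, [hops])."""
    node, path = start, [start]
    for _ in range(max_hops):
        hit = lookup(routes[node], dst)
        if hit is None:            # no route: the packet is dropped here
            return False, path
        if hit[1] is None:         # directly connected: delivered
            return True, path
        node = hit[1]
        path.append(node)
    return False, path             # loop or too many hops

def check_both_ways(routes, a_node, a_ip, b_node, b_ip):
    """A ping succeeds only if the forward AND the return path resolve."""
    return {"forward": trace(routes, a_node, b_ip),
            "return": trace(routes, b_node, a_ip)}

def add_route(routes, node, prefix, next_hop):
    """Return a copy of the tables with one extra static route on `node`."""
    new = copy.deepcopy(routes)
    new[node][prefix] = next_hop
    return new
```

Running check_both_ways for the remote site shows the forward trace reaching "farside" and the return trace dying there, which is exactly what a one-way tracert failure looks like from the remote end; add_route then shows the result once the far side learns the remote site's LAN.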

                                rustydusty1717 @rustydusty1717

                                @rustydusty1717 anyone have any ideas? Would a diagram help?

                                  Derelict LAYER 8 Netgate @rustydusty1717

                                  @rustydusty1717 Accurate, comprehensive, numbered diagrams always help.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.