Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    L2 Site-to-Site VPN with conflicting networks

    OpenVPN
    3
    5
    571
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sumo-- 0
      last edited by

      Hello all,

      Firstly, I am new to PFSense and trying to get familiar with it as I inherited a setup with 2 PFSense FWs and I'm trying to understand L2 Site-to-Site VPN with bridged interfaces and issues with the same network on both sides of VPN.

      Scenario:

      • Site A with PFSense and network 192.168.1.0/24

      • Site B with PFSesne and same network as Site A

      • there is an OPENVPN, site-to-site created between these sites

      • the VPN is a L2 type of VPN

      • there is a vpn interface (ovpns) and LAN interface that are grouped in a bridge interface on both site ( I do not understand the purpose of this at all)

      • there is an on-prem DNS on Site A

      Now, from what I know about VPNs, the network on both sides should be different to work properly.... What I experience with this set up is a randomly users' traffic is pushed either via VPN or directly.. When they go through VPN, all works fine except the access to internet (looks like DNS is not reachable properly so can't access internet etc.... Sometimes a user get proper access to everywhere but that will change after several hours (probably some timers expires and a session is reinitiated or smthing like that) and after that, it may change again.

      The guy who did set up it this way recently is not available anymore ... but claimed it should be working fine...Could not really argue with him as I've never had a chance to work with PFSense until now.

      I'm wondering, ...is PFSense capable of working fine with the set up described above? Could L2VPN + bridged interfaces help to deal with conflicting networks on VPN? Looks like L2 works fine (there are thin clients on Site B that are connecting to Site A server and they work with no issues). However, for me it looks like the routing of traffic is really messed up and it depends on a "luck" of a device to create a proper session over VPN.

      I will be thankful for any advice on this scenario.... I plan to change the network on Site B but it is not so easy until I do proper audit of all services and dependencies between site A and site B.... Until then, I need to deal with the existing set up... :/

      M JKnottJ 2 Replies Last reply Reply Quote 0
      • M
        marvosa @sumo-- 0
        last edited by marvosa

        @sumo-0 Can a bridged solution (TAP) work, yes, but it doesn't scale well and you have to have a plan for addressing some of the exact issues you're describing. The only reason to deploy a bridged solution is if there's a specific application in use that relies on broadcast traffic.

        Are there things that can be done... sure... e.g. blocking dhcp traffic (or using one server for both sites), NATing traffic that traverses the tunnel, 1-to-1 NAT's, VIP's, etc, etc. However, I'd recommend moving both sites (or at least 1) off of 192.168.1.0/24 (it's too common for SOHO routers)... and deploying a routed solution. You'll be much happier with the performance and the functionality.

        S 1 Reply Last reply Reply Quote 0
        • JKnottJ
          JKnott @sumo-- 0
          last edited by

          @sumo-0 said in L2 Site-to-Site VPN with conflicting networks:

          The guy who did set up it this way recently is not available anymore ... but claimed it should be working fine...Could not really argue with him as I've never had a chance to work with PFSense until now.

          You cannot have the same subnet at both ends of a VPN. I ran into this years ago, when I did a lot of travel with my work.

          Did that guy put the same subnet at both sites? Jeez, what a genius! While you may be able to do something with NAT, the best solution is to change one of the LANs, so that it has a different subnet.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          S 1 Reply Last reply Reply Quote 0
          • S
            sumo-- 0 @marvosa
            last edited by

            @marvosa ... there are some very old devices in the network (like dot matrix printers, etc) that I would say relay on broadcast.... so that could be the reason... but I'm not 100% sure yet... I've tried to set up 1:1 NAT but was not working properly - I've also found some forums that mentioned that 1:1NAT is not good for some protocols (like win share drives, etc which are used in our set up) so I've removed that configuration....

            What are VIPs? and how could they help with conflicting networks pls?

            1 Reply Last reply Reply Quote 0
            • S
              sumo-- 0 @JKnott
              last edited by

              @jknott ... that is the plan - change the network at the new site (site B).... The guy was supposed to prepare the new site to be up and operational, however, it has never worked properly and he left without fixing all those issues..... so I'm trying to help there.... :)

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.