Routing between two pfSense firewalls connected by fiber
-
Let me rephrase the VPN :)
It's a fixed tunnel between the two sites over fiber.
Both ends have a lightning edge for fiber to UTP. There is no internet traffic, just a tunnel between the two sites.
At both sides it is connected to eth5.
At site A, eth5 has 192.168.50.2 as IP and at site B, eth5 has 192.168.50.1 as IP.
I can ping both from each site.
So the tunnel is working. So it's not a VPN tunnel set up on either pfSense box.
-
Have you allowed traffic from VPN to LAN1/LAN2, i.e. (on Site A) 192.168.50.x to 192.168.1.x/192.168.2.x, and similarly on Site B?
Do the logs show anything when you try to ping between sites?
-
On both sites I allow:
vpn net to lan1 net
lan1 net to vpn net
lan1 to the 192.168.10.0 network (and the 1.0/2.0/11.0)
192.168.10.0 network (and the 1.0/2.0/11.0) to lan1 (lan2 etc.)
I have rules allowing vpn to lanx and lanx to lany etc. on any protocol.
Logs show nothing.
I have the lan1 to 192.168.x.0/24 network rule set to logging.
Just when I ping, nothing (not blocked or passed) shows in the log.
I do use the ping utility in pfSense to ping the other site. So what I basically allow is:
Site A: eth1 (lan1) to eth5 (tunnel) to Site B: eth5 (tunnel) to eth1 (lan1 remote network).
I also allow eth1 (lan1) to eth1 (lan1 remote network) in a rule. -
I believe your static routes are flawed... I would think your gateway is the pfSense host on the other end. Try this:
site-a:
eth5 = vpn (interface ip 192.168.50.2)
gateway 192.168.50.2 as route to Site B
static route to 192.168.10.0/24 using gateway 192.168.50.2
static route to 192.168.11.0/24 using gateway 192.168.50.2
change "192.168.50.2" -> "192.168.50.1"
site-b:
eth5 = vpn (interface ip 192.168.50.1)
gateway 192.168.50.1 as route to Site A
static route to 192.168.0.0/24 using gateway 192.168.50.1
static route to 192.168.1.0/24 using gateway 192.168.50.1
change "192.168.50.1" -> "192.168.50.2"
Hope it helps
mvg
jeroen -
I tried to change the IPs for the gateways, still no luck.
I did notice just now (by testing the change to the gateway IPs) that if I use the diagnostic ping from pfSense and I choose destination 192.168.10.1 and set the source to lan1 net,
I get the following reply: PING 192.168.10.1 (192.168.10.1) from 192.168.1.254: 56 data bytes
It looks like it's using 192.168.1.254 as gateway for the 192.168.10.0 network instead of 192.168.50.2 (or is this correct and am I seeing things wrong :))
When I select the vpn tunnel net as source I can't ping the 192.168.10.1 address either, but it shows the correct gateway: PING 192.168.10.1 (192.168.10.1) from 192.168.50.2: 56 data bytes
It seems I can also ping 192.168.50.1 from 192.168.50.2 (and the other way around).
I can't ping the 50.x addresses from any other interface on the other site. Is the routing not using the right gateway here?
-
Did you flush states after changing the static routes?
Are you combining a gateway with static routes for some reason?
What I was trying to ask is whether you are using policy routing in your firewall rules that contradicts the "natural flow" of your static routes? ;) -
I did reset states.
There is one default gateway (WAN side).
Then there is a gateway for the route. On site A, lan1, there is a rule:
protocol = any
source = lan1 net
destination = 192.168.10.0/24 network
At the bottom, the gateway for this rule is the extra gateway (192.168.50.2 for site A).
So at Site A there is a second gateway called ToSiteB and the gateway address is 192.168.50.2.
There is a route for network 192.168.10.0/24 using gateway ToSiteB (192.168.50.2) on interface eth5 (the tunnel NIC).
At Site B there is a second gateway called ToSiteA and the gateway address is 192.168.50.1.
There is a route for network 192.168.1.0/24 using gateway ToSiteA (192.168.50.1) on interface eth5 (the tunnel NIC).
Obviously there is something wrong or missing (or the tunnel isn't working like it should, although I can ping the eth5 IPs from either site).
To me right now all config and rules seem fine though :) -
As I tried to explain in the previous post:
(site-A: 192.168.50.2)----------------------------------------(site-B: 192.168.50.1)
        |                                                              |
LAN 192.168.1.x                                                LAN 192.168.10.x
LAN 192.168.2.x                                                LAN 192.168.11.x
on site-A:
modify/create the gateway for the fiber interface from 192.168.50.2 TO 192.168.50.1
on site-B:
modify/create the gateway for the fiber interface from 192.168.50.1 TO 192.168.50.5
Also remove any policy routing in the firewall rules (the gateway selection in the advanced section).
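The following is an added example, not code from the thread or from pfSense: a small Python model of the two-site routing being discussed, so you can see why the static routes have to use the peer's eth5 address as gateway and why site B also needs routes back to site A's LANs for the replies. LAN and tunnel addresses are taken from the thread; the interface addresses not stated there (192.168.2.254, the WAN-side 203.0.113.x and 198.51.100.x addresses, the client 192.168.x.10 hosts) are constructed. Firewall rules, NAT and the state table are deliberately left out so only the routing-table question is shown; the "gateway is this box's own address" verdict is the model's simplification of what happens when a route points at a local interface IP instead of a next hop across the link.

```python
# Added example (not from the thread): toy model of the two-site static routing.
# Addresses follow the thread where given; the WAN-side 203.0.113.x / 198.51.100.x,
# 192.168.2.254 and the client 192.168.x.10 hosts are constructed for the example.
import ipaddress


def make_node(addrs, static_routes, default_gw):
    """addrs: {cidr: iface}; static_routes: [(prefix, gateway)]; default_gw: ip or None.
    Builds a routing table from connected routes, static routes and a default route."""
    node = {"addrs": set(), "routes": []}
    for cidr, iface in addrs.items():
        intf = ipaddress.ip_interface(cidr)
        node["addrs"].add(intf.ip)
        node["routes"].append((intf.network, None, iface))  # connected route, no gateway
    for prefix, gw in static_routes:
        node["routes"].append((ipaddress.ip_network(prefix), ipaddress.ip_address(gw), "static"))
    if default_gw is not None:
        node["routes"].append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default_gw), "default"))
    return node


def lookup(node, dst):
    """Longest-prefix match. Returns (gateway or None if connected, iface), or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in node["routes"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def owner(nodes, ip):
    """Name of the node that holds address ip on one of its interfaces, or None."""
    ip = ipaddress.ip_address(ip)
    for name, node in nodes.items():
        if ip in node["addrs"]:
            return name
    return None


def trace(nodes, start, dst, max_hops=8):
    """Follow a packet for dst hop by hop from node `start`; returns (path, verdict)."""
    path, node = [start], start
    for _ in range(max_hops):
        hit = lookup(nodes[node], dst)
        if hit is None:
            return path, "dropped: no route"           # e.g. an ISP router and an RFC1918 dst
        gw, _iface = hit
        if gw is None:                                  # directly connected: hand to the host
            target = owner(nodes, dst)
            if target is None:
                return path, "dropped: no such host on the connected link"
            path.append(target)
            return path, "delivered"
        if gw in nodes[node]["addrs"]:                  # the thread's misconfiguration: the
            return path, "dropped: gateway is this box's own address"  # route has no next hop
        nxt = owner(nodes, gw)
        if nxt is None:
            return path, "dropped: gateway unreachable"
        path.append(nxt)
        node = nxt
    return path, "dropped: too many hops"


def build(site_a_gw, site_b_gw, site_b_return_routes=True):
    """The two sites from the thread. site_a_gw / site_b_gw are the gateway addresses
    used in each pfSense's static routes towards the other site's LANs."""
    b_routes = [("192.168.1.0/24", site_b_gw), ("192.168.2.0/24", site_b_gw)] if site_b_return_routes else []
    return {
        "client-A": make_node({"192.168.1.10/24": "nic"}, [], "192.168.1.254"),
        "pfsense-A": make_node({"192.168.1.254/24": "eth1", "192.168.2.254/24": "eth2",
                                "192.168.50.2/24": "eth5", "203.0.113.10/24": "wan"},
                               [("192.168.10.0/24", site_a_gw), ("192.168.11.0/24", site_a_gw)],
                               "203.0.113.1"),
        "isp-A": make_node({"203.0.113.1/24": "up"}, [], None),
        "pfsense-B": make_node({"192.168.10.1/24": "eth1", "192.168.11.1/24": "eth2",
                                "192.168.50.1/24": "eth5", "198.51.100.10/24": "wan"},
                               b_routes, "198.51.100.1"),
        "isp-B": make_node({"198.51.100.1/24": "up"}, [], None),
        "client-B": make_node({"192.168.10.10/24": "nic"}, [], "192.168.10.1"),
    }


if __name__ == "__main__":
    # 1. gateway set to the local eth5 address on each side (the original configuration)
    print(trace(build("192.168.50.2", "192.168.50.1"), "client-A", "192.168.10.10"))
    # 2. gateway set to the peer's eth5 address: forward and return path both work
    ok = build("192.168.50.1", "192.168.50.2")
    print(trace(ok, "client-A", "192.168.10.10"))
    print(trace(ok, "client-B", "192.168.1.10"))
    # 3. peer gateways right, but site B has no route back: the reply leaves via site B's WAN
    print(trace(build("192.168.50.1", "192.168.50.2", site_b_return_routes=False),
                "client-B", "192.168.1.10"))
```

Case 3 is the one to keep in mind when a ping "does nothing" in the logs: the request can reach the far LAN while the reply follows the far site's default route out its WAN, which is why both sites need the static routes, not just the one you are testing from.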
-
Be careful with the firewall rules: the allow rules should be on the interfaces that serve as a link.
For troubleshooting purposes I suggest placing an allow-all rule on those interfaces.
-
I've changed that and now I can ping the interface (e.g. 192.168.10.1) on the other pfSense.
I can't however ping any client in that LAN (e.g. 192.168.10.10). -
So to summarize:
client_LAN-A:
-ping to 192.168.50.1 = OK
-ping to 192.168.10.1 = OK
-ping to 192.168.11.1 = OK
-ping to 192.168.10.10 = Not OK
-ping to 192.168.11.10 = Not OK
client_LAN-B:
-ping to 192.168.50.2 = OK
-ping to 192.168.1.1 = OK
-ping to 192.168.2.1 = OK
-ping to 192.168.1.10 = Not OK
-ping to 192.168.2.10 = Not OK
Is this the current situation?
-Is there firewalling software running on the clients?
-Do the clients have pfSense set as their default gateway in their network settings?
-Try running a "packet capture" on one of your LAN interfaces (specify a lan_client as host address). Try to figure out what is happening to the pings.
I'm guessing the pings arrive at the destination, but the reply gets lost somewhere.
-
-Is there firewalling software running on the clients?
I bet this is the issue. By default, the Windows firewall allows ICMP only from within its own subnet.