Multiple Site Meshing
-
Morning all,
Are there any recommended configurations for site meshing with Pf?
Under testing at the moment:
3x Sites
Core 1
Branch 1
Branch 2
- Branch 1 & 2 are OpenVPN clients of Core 1.
- Branch 1 is also a client of Branch 2.
- All three sites have a different subnet and these differences are reflected in the OpenVPN settings at server/core, and in the DNS records.
- Firewall rules between the sites are set explicitly for services required, all appears to work fine.
Is this fine in this configuration?
Thanks in advance.
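An added example, not from the original post, of what "different subnets reflected in the OpenVPN settings at the core" looks like in raw OpenVPN terms for this three-site layout (pfSense builds the same directives from its "IPv4 Remote network(s)" and "Client Specific Overrides" fields). All addresses, hostnames and certificate names are assumed placeholders.

```conf
# Core 1 hub: server config (constructed example, assumed addressing)
#   Core 1 LAN   10.1.0.0/24
#   Branch 1 LAN 10.2.0.0/24   (client cert CN "branch1")
#   Branch 2 LAN 10.3.0.0/24   (client cert CN "branch2")
mode server
tls-server
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0        # assumed tunnel network
ca ca.crt
cert core1.crt
key core1.key
dh dh.pem
tls-auth ta.key 0
# Kernel routes at the hub: each branch LAN is reachable via the tunnel
route 10.2.0.0 255.255.255.0
route 10.3.0.0 255.255.255.0
# Per-client files tell OpenVPN which connected client owns which LAN
client-config-dir /etc/openvpn/ccd
# Every branch learns the hub LAN
push "route 10.1.0.0 255.255.255.0"
# Deliberately no "client-to-client": branch-to-branch traffic then
# leaves the tun interface and is re-routed through the hub's firewall,
# so the explicit inter-site rules actually apply to it.

# /etc/openvpn/ccd/branch1  (file name must equal the client cert CN)
iroute 10.2.0.0 255.255.255.0
push "route 10.3.0.0 255.255.255.0"   # Branch 2 LAN via the hub

# /etc/openvpn/ccd/branch2
iroute 10.3.0.0 255.255.255.0
push "route 10.2.0.0 255.255.255.0"   # Branch 1 LAN via the hub

# Branch 1: client config towards the hub
client
dev tun
proto udp
remote core1.example.net 1194        # assumed hub hostname
ca ca.crt
cert branch1.crt
key branch1.key
tls-auth ta.key 1
# Branch 1 also runs a second tunnel directly to Branch 2. Only one of
# the two tunnels should carry the route for 10.3.0.0/24: if the hub
# pushes it and the direct tunnel also adds it, OpenVPN's "route add"
# for the second tunnel fails on the duplicate and the path becomes
# whichever tunnel came up first rather than the one you intended.
```

If the direct Branch 1 to Branch 2 link is meant to carry that traffic, drop the `push "route 10.3.0.0 ..."` line from the hub's `ccd/branch1` file so the prefix is only learned over the direct tunnel.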
-
Looks good. As you have done, I put the server end at the main office and the client at the remote office, because:
a) Main offices are in bigger towns, where the ISP is likely to actually allow incoming connections to services, and is likely to actually give me a public IP (and a static IP if I want it), and if a dynamic IP it might change less often.
b) The client end will find its way out, sourced from an ephemeral port similar to any other user - so it works fine in remote places where the ISP might not be so reliable at giving an actual public IP, or actually allowing incoming connections.
c) I don't have to rely on remote offices with dynamic IPs having actually successfully updated their dynamic DNS - since there is no server there to have to connect to.
-
Excellent then.
At the moment the new link has been up for 2 days, want to give it until Friday before enabling the site links in AD too. Gotta love Pf at times. :D
-
If your site-to-site links are using failover between multiple WAN links, then you will also want to apply this change to a 2.1 system: https://github.com/pfsense/pfsense/commit/4bf23d320bc96eeabf2daf9024583f2cc5a6662a
which I mentioned in this thread: https://forum.pfsense.org/index.php/topic,73071.msg399034.html#msg399034
This fix is in 2.1.1-prerelease, so it will be fixed for real in 2.1.1.
-
Thanks for the info.
We aren't using multi-WAN links via pfSense; we use another method for multi-WAN.
The three hosts are on 2.0.1 rather than 2.1, as a test system I upgraded to 2.1 ended up breaking half the packages and needed a reinstall! :(
2.0.1 is working for now, "if it ain't broke don't fix it" :p