Netgate Discussion Forum

/29 setup help

General pfSense Questions
7 Posts 2 Posters 911 Views
vegastech:

Hey!

I'm trying to reduce the area that remote site #2 has to site #1. There are holes in my networking knowledge, so I'm not sure if this is a design problem or an implementation problem. With both IPSEC networks set to /24 and access on each side, everything works fine. When I try to nibble it down to a /29 section at site 1, I'm having trouble. The nibbled-down site 1 segment should be 192.168.11.33-38 from site 2's point of view.

Site 1

• LAN 192.168.100.1/24
• some PCs that site 2 needs access to: 192.168.100.36, 192.168.100.38
• pfSense 2.2.6

Site 2

• LAN 192.168.118.1/24
• VPN to site 1 is 192.168.100.33/29, defined in the IPSEC phase 2 portion
• pfSense 2.3.1

Some things I'm looking for guidance on:

• I imagine I need to define 192.168.100.33/29 as a gateway? If so, I saw something about virtual adapters; would that work?
• Site 1 will stay at /24 and I'd like to have multiple remote sites accessing dedicated areas, so multiple /29 segments.

Let's start here. Ask for more details as needed - I'm not sure what other info is pertinent.

Thanks!
Rich

vegastech:

In the IPSEC phase 2 config I'm setting

Phase2 > General Settings > Remote Network 192.168.100.33/29

thinking that will give site 2 access to only 192.168.100.33-38 at site 1. Can someone confirm this?

vegastech:

Hmm, Virtual IP was straightforward.

I created a VIP, chose LAN, and set it to 192.168.100.33/29. Now when I'm at the remote site 2 I can web to 100.33 and I see site 1's pfSense router. Does this actually route, though?

vegastech:

Argh, some silliness on my side. I had to change the PCs at site 1 so their settings are:

IP 192.168.100.36
subnet mask 255.255.255.248
gateway 192.168.100.33

Still not perfect, but I'm listing my steps for others.

vegastech:

OK, now I'm confused. I was connecting site 2 to a test network (I didn't want to test on the production network); let's call it site 1B. The same setup works when I try to connect to a W7 RDP on site 1B, but when I try to connect to a W2K12R2 RDP at site 1, no go.

vegastech:

Hmm, this doesn't seem to be the solution I was expecting. From Server36 (192.168.100.36/29) I can still ping all of the devices on 192.168.100.0/24. I'm guessing the VIP is allowing that since it is really going to 192.168.100.1/24 and that routes to the entire segment.

Is there a better solution? In a perfect world I would like Server36 (192.168.100.36/29) to be able to access NAS40 (192.168.100.40/24) so I can do backups, but not see anything else.

dotdash:

I'm a little confused about what you are doing. If you want to connect machines in site 2 to some of the machines in site 1, just make the phase 2 match 192.168.100.32/29. Don't know why you are changing gateways, etc. Anything on site 1's LAN is going to be directly connected; messing with your subnet masks is not the way of it. If you want to restrict traffic between machines on the LAN, put them on different interfaces/subnets.

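The point dotdash makes is that a phase 2 traffic selector is a network, so it has to be written with its host bits cleared (192.168.100.32/29, not .33/29), and that a /29 carved out of a /24 covers eight consecutive addresses whether or not you want every one of them. The following is an added example (not code from the thread or from pfSense) that checks a proposed selector the way a practitioner would before committing it: it flags selectors with host bits set, lists which intended hosts a selector reaches and which other LAN addresses it exposes as a side effect, and goes one step beyond the thread by computing the tightest single prefix that covers a given set of hosts. The LAN, host and NAS addresses are taken from the poster's own values; the function names are assumptions of this example.

```python
"""Audit a pfSense IPsec phase 2 selector against the hosts it should expose.

Added example for this thread, not pfSense code.  Addresses are the ones the
poster gave; everything else (function names, report format) is assumed here.
"""
import ipaddress
from typing import Iterable

# Constructed from the thread: site 1 LAN, the two PCs site 2 needs to reach,
# and the NAS the poster later wanted to add for backups.
SITE1_LAN = ipaddress.ip_network("192.168.100.0/24")
WANTED_HOSTS = ("192.168.100.36", "192.168.100.38")
NAS40 = "192.168.100.40"


def has_host_bits(selector: str) -> bool:
    """True if the selector is written as a host (.33/29) rather than the
    network address a phase 2 entry should carry (.32/29)."""
    try:
        ipaddress.ip_network(selector, strict=True)
    except ValueError:
        return True
    return False


def normalize_selector(selector: str) -> ipaddress.IPv4Network:
    """Clear the host bits: 192.168.100.33/29 becomes 192.168.100.32/29."""
    return ipaddress.ip_network(selector, strict=False)


def smallest_covering_prefix(hosts: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every host in `hosts`.

    Starts at /32 on the lowest host and widens the prefix one bit at a time
    until the highest host falls inside it."""
    addrs = sorted(ipaddress.ip_address(h) for h in hosts)
    lo, hi = addrs[0], addrs[-1]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise AssertionError("unreachable: /0 contains every address")


def audit_selector(selector: str, wanted: Iterable[str],
                   lan: ipaddress.IPv4Network = SITE1_LAN) -> dict:
    """Report what a selector covers: the wanted hosts it reaches, the wanted
    hosts it misses, and the other addresses in the LAN it exposes anyway."""
    net = normalize_selector(selector)
    wanted_addrs = {ipaddress.ip_address(h) for h in wanted}
    covered = sorted(a for a in wanted_addrs if a in net)
    missing = sorted(a for a in wanted_addrs if a not in net)
    # Every address of the /24 inside the selector is reachable from the far
    # side, not only the PCs the poster had in mind.
    exposed = sorted(a for a in lan.hosts() if a in net and a not in wanted_addrs)
    return {
        "selector": str(net),
        "host_bits_set": has_host_bits(selector),
        "covered": [str(a) for a in covered],
        "missing": [str(a) for a in missing],
        "exposed": [str(a) for a in exposed],
    }


if __name__ == "__main__":
    for sel in ("192.168.100.33/29", "192.168.100.32/29"):
        print(sel, audit_selector(sel, WANTED_HOSTS))
    print("tightest prefix for the two PCs:", smallest_covering_prefix(WANTED_HOSTS))
    print("tightest prefix including NAS40:",
          smallest_covering_prefix((*WANTED_HOSTS, NAS40)))
```

Running it shows the trade-off behind dotdash's last sentence: 192.168.100.32/29 reaches both PCs but also exposes the six other addresses in that /29, and no single prefix covers .36, .38 and .40 without widening to a /28 that takes in sixteen addresses. Isolating a few hosts from the rest of the LAN is a job for separate interfaces or subnets (or, at minimum, one phase 2 entry per host), not for the mask on the hosts themselves.
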
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.