Is there a way to tunnel real IPs to a remote site?
-
OK I got it working (mostly).
I set up an OpenVPN tunnel between the pfSense firewalls, with private network 10.99.99.0/24 and a pre-shared key, using a tap device, from SiteB to SiteA on the secondary cable (non-BGP) connection.
From the Internet I can ping 8.8.8.1, which is configured as a Virtual IP at SiteA, being advertised at SiteB and then tunneled through the ovpn back to SiteA.
BUT, one last issue. The ping comes in from the Internet through SiteB, tunnels to SiteA, and SiteA replies, but the replies go out through the default gateway at SiteA, which obviously would be down in the scenario I'm trying to protect against. When I tracert to the Internet from a workstation set up as 8.8.8.5 at SiteA, it goes out the default GW at SiteA. This means the 8.8.8.5 IP is not reachable from the Internet with this configuration, because the return traffic is not coming back over the ovpn and being sent out SiteB.
Any idea how to set a static route on the SiteA pfSense to say "all traffic coming from 8.8.8.0/24 goes to 10.99.99.2 (the local ovpn interface)"?
-
Assign an interface to the OpenVPN instance at Site A and make sure the traffic is passed into Site A by rules on the tab for that assigned interface and is NOT matched by rules on the OpenVPN tab. That will give you reply-to on those states, and reply traffic will go back out the interface on which it arrived (the OpenVPN interface).
-
Do I need to use tap for the tunnel to do that, or is tun OK?
Do I just set no IP info on the created interface?
I was heading in that direction to do PBR, but I don't know the specifics.
-
So I added an interface for ovpns2 with no IP config on it.
I added a FW rule on the vmx2 interface, which has the 8.8.8.1 alias on it, with destination any, and set the gateway in the advanced section to OVPN2_GATEWAY_IPV4.
Is that the right way to set up the PBR? I don't see anything in the routing table, and it still goes out the default GW when I tracert to the Internet from the test box on 8.8.8.5.
Any help would be appreciated, so close!
-
Sorry. I forgot you were using TAP mode.
-
I'm using tun mode with 10.99.99.1 on the client side and .2 on the server side.
How do I set up PBR?
-
You might want to look at setting it up as Multi-WAN, in which case all of the interface rule issues I enumerated above would need to apply (match on the interface tab, not the OpenVPN tab). Or, if this is a manual failover, just change the default gateway to the OpenVPN GW at Site A.
You would just add 8.8.8.0/24 as a "Remote Network" on Site B OpenVPN configuration. That will put a route in the routing table for that subnet to the OpenVPN instance.
You might also look at just padding the AS Path for those routes at Site B so when Site A is up, the path is shorter and, therefore, the preferred route. But when those routes drop due to an outage, the Site B routes will already be advertised.
-
Yeah, I already have 8.8.8.0/24 set up as the remote network at SiteB. I can ping 8.8.8.1 from the Internet, which comes into SiteB and then tunnels through.
The issue is when I set up a PC on 8.8.8.5 with a gateway of 8.8.8.1: the traffic hits the SiteA firewall and then goes out the default gateway.
I'll PM you the config, maybe that will help, and I'll convert the outcome here for public consumption since there are real IPs in there.
-
Yeah what I have been talking about is for inbound connections into the routed subnet.
You will probably want to create a failover gateway group consisting of the WAN and OpenVPN at site A. That should route traffic from the 8.8.8.0/24 interface out OpenVPN when the WAN is down.
Try following this, treating the OpenVPN interface as another WAN: https://doc.pfsense.org/index.php/Multi-WAN
I am not sure how you have OpenVPN with a down WAN but you must somehow. :)
-
I want the traffic to always be sent out the ovpn.
I have two gateways, but one of them is for the ovpn tunnel only; it doesn't have BGP ability. It's a cable modem, not a fiber connection.
-
This is working now! I needed to add mssfix 1300 to both ends of the ovpn tunnel, and I forgot to put a default GW on the secondary Internet connection the ovpn tunnel was running over.
I am able to tracert from "8.8.8.5" with GW 8.8.8.1 at SiteA, and it goes through the ovpn tunnel and out the WAN at SiteB.
Great success, thanks for all the help.
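The following is an added illustration, not configuration from the original posters or from pfSense's own generated files: the working setup from the last post written out as a raw OpenVPN shared-key site-to-site pair, for anyone reproducing it outside the GUI. It keeps the thread's placeholders (8.8.8.0/24 for the routed public block, 10.99.99.0/24 for the tunnel, tunnel IP .2 at SiteA and .1 at SiteB as the poster describes). The key file name `siteab.key`, UDP port 1194, and the SiteA cable-modem address `192.0.2.10` are assumptions made for the example.

```conf
# ===== SiteA: server end of the shared-key tunnel =====
# Runs on the SiteA pfSense, bound to the secondary cable WAN (assumed address 192.0.2.10),
# not to the fibre link that carries the BGP session.
dev tun
proto udp
port 1194
local 192.0.2.10
# Pre-shared static key, as used in the thread (file name assumed).
secret siteab.key
# Tunnel addresses: local .2, peer .1, matching the poster's description.
ifconfig 10.99.99.2 10.99.99.1
keepalive 10 60
persist-tun
persist-key
# The fix from the final post: clamp TCP MSS so encapsulated packets fit the
# cable-link path MTU. Must be set identically on both ends.
mssfix 1300
# No "route" directive is needed here. Outbound Internet traffic from 8.8.8.0/24 is
# pushed into the tunnel by a pfSense firewall rule on the 8.8.8.0/24-facing interface
# whose Gateway is the OpenVPN gateway (policy routing), or by a failover gateway group
# of WAN + OpenVPN, as suggested in the thread. Inbound replies use reply-to because the
# OpenVPN instance is assigned as an interface and its pass rules live on that interface's
# tab, not on the OpenVPN tab.
# SiteA also needs a default gateway defined on the cable WAN itself; without it the
# OpenVPN endpoint cannot reach SiteB (the other missing piece in the last post).

# ===== SiteB: client end of the tunnel =====
dev tun
proto udp
# SiteA's cable-WAN address and port (assumed).
remote 192.0.2.10 1194
secret siteab.key
# Tunnel addresses: local .1, peer .2.
ifconfig 10.99.99.1 10.99.99.2
keepalive 10 60
persist-tun
persist-key
mssfix 1300
# pfSense "Remote Network" setting: installs a kernel route sending the public block
# into the tunnel. SiteB's BGP session advertises 8.8.8.0/24 upstream, so packets for
# that block arrive at SiteB and follow this route to SiteA.
route 8.8.8.0 255.255.255.0
# Optionally prepend SiteB's own AS to that advertisement (AS-path padding, as suggested
# in the thread) so the direct SiteA path is preferred whenever SiteA's BGP session is up.
```

To confirm the pieces are in place without waiting for an outage: on SiteB, `netstat -rn` should list 8.8.8.0/24 via the OpenVPN client interface; on SiteA, `pfctl -sr` should show the policy-routing rule on the 8.8.8.0/24-facing interface carrying a `route-to` for the tunnel gateway, and a traceroute from a host on 8.8.8.0/24 should exit via SiteB's WAN rather than SiteA's default gateway.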