Routing between multiple sites

heper

you are probably missing a return route somewhere. not enough information to go on.

best to draw up a detailed schematic ( = no ascii art) with all the subnets involved. also provide the (redacted) routing tables on all sites

amundae

Will do, I'll work on nice shiny schematic

chpalmer

@jahonix:

@chpalmer:

Id also be curious about running an OpenVPN connection across the MPLS circuit.

Out of sheer curiosity: what problems can arise from that combination (and why)?

I probably need to reword that..

Id be curious if creating an OpenVPN tunnel inside the MPLS circuit between the two boxes wouldn't easily solve the routing problem..  :)

chpalmer

@amundae:

All VPN interface rules are allow any to any.

Nothing, it just dies without getting blocked.

Ive had issues in the past with Any/Any firewall rules although I didn't stick around long enough to diagnose so it was probably something else at the time..  But I tend to always get specific these days.  YMMV.

You could always try the Routed Package on the two machines and see if that doesn't help.  Use the MLPS interfaces.

amundae

Ok here's the diagram: https://www.lucidchart.com/invitations/accept/abf0f5c5-d92b-4c5b-9d8b-a527a746765d

chpalmer

@chpalmer:

You could always try the Routed Package on the two machines and see if that doesn't help.  Use the MLPS interfaces.

Was in a hurry so spit this out too quick..

Save your configs.

Put the Routed package on both SEAFW1  and PDXFW1.

Set up Routed on both machines to be on their MLPS interfaces.

Routed will allow the machines to advertise their subnets to the other machine much the way that the OpenVPN config is doing between PDXFW1 and SLCFW1.

Get rid of the static routes.

Im assuming each router has its own local internet connection.. ?

Derelict

@amundae:

Ok here's the diagram: https://www.lucidchart.com/invitations/accept/abf0f5c5-d92b-4c5b-9d8b-a527a746765d

No. Not going to create an account there just to view your diagram.

amundae

@Derelict:

@amundae:

Ok here's the diagram: https://www.lucidchart.com/invitations/accept/abf0f5c5-d92b-4c5b-9d8b-a527a746765d

No. Not going to create an account there just to view your diagram.

Oh my apologies, didn't realize it would make you make an account, see the attached image.

Derelict

Your MPLS needs to know about the routes to SLC. Is the traffic for the networks at SLC even arriving at PDX from SEA?

amundae

Hi All, this was finally fixed today. The issue was that an old IPSEC connection to SLC was still set to enabled on the SEA router and was screwing up routing.

Interestingly this never was shown in the system routing table which is frustrating.

Anyway it is fixed now. Thank you all for your help!

Derelict

@amundae IPsec traffic selectors are not in the routing table because they are not routes.

https://forum.netgate.com/topic/131420/routed-ipsec-using-if_ipsec-vti-interfaces