Netgate Discussion Forum
    How to make Windows servers use pfSense VPN?

    Category: IPsec
      fbackes
      last edited by fbackes

      Hello,

      I'm in no way a network specialist, but I have to set up a site2site VPN to one of our customers to query an Oracle DB.

      To be ready for this I first tried to set up a test environment with a new machine running pfSense and an Azure VPN.

      We have several dedicated Windows 2016 servers running in a datacenter. Each of them has a public IP and is connected to the internet through a datacenter router/gateway. All of them also have a second NIC, which connects them to a dedicated LAN (169.254.0.0/16) via a dedicated switch.

      The pfSense machine also has two NICs for WAN and LAN access, using the same datacenter gateway and connected to the same LAN.

      I also set up a Virtual Network and a VPN in Azure. The VPN can successfully connect to the pfSense machine. There are two virtual servers in the Virtual Network (subnet 168.124.1.0/24).

      I'm not able to see (ping, rdp, telnet etc.) the Azure servers from the datacenter and vice versa. How can I make the datacenter servers use the tunnel? Do I have to set static routes?

        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        @fbackes said in How to make Windows servers use pfSense VPN?:

        which connects them to a dedicated LAN (169.254.0.0/16) via a dedicated switch.

        169.254 is not a routable network.. If you're trying to get those networks to talk to each other.

        (subnet 168.124.1.0/24).

        You can not just pull IP space out of thin air and use it.. You own that space?
        NetRange: 168.124.0.0 - 168.124.255.255
        CIDR: 168.124.0.0/16
        NetName: AVENTIS-PHARMACEUTICALS

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          fbackes
          last edited by

          Thanks a ton, @johnpoz!

          So I better use a private IP space instead of 168.124.0.0/16?

          169.254 is automatically assigned by Windows because there is no DHCP server in the LAN. Does that mean I have to set up DHCP? No way to use 169.254?

            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            No router is going to route that space.. It's a link-local address space.. It does not route.. pfSense for sure doesn't

            And yeah use rfc1918 - you can not just pull IP space out your ass and use it.. You're going to run into problems with that.. rfc1918 has IPs you would need.. Use them, or get your own space - you don't just grab public space and try and use it internally.

            Here is a 4 year old thread about it
            https://forum.netgate.com/topic/82238/pfsense-dropping-traffic-on-169-254-0-0-16-network

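A small planning check that encodes the two rules johnpoz gives above (no 169.254.0.0/16 link-local space, RFC 1918 on both ends, and the two sides must not overlap). This is an added example, not code from the thread or from pfSense; the Azure side is written as 10.10.0.0/16 because the later post gives no prefix length, which is an assumption.

```python
"""Sanity-check the address plan for a site-to-site IPsec tunnel (added example)."""
import ipaddress
from typing import List

# RFC 3927 link-local space: what Windows self-assigns (APIPA) when no DHCP server answers.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# RFC 1918 private space: the sensible choice for both ends of a site-to-site tunnel.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(cidr: str) -> str:
    """Return 'link-local', 'rfc1918' or 'public' for an IPv4 CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.overlaps(LINK_LOCAL):
        return "link-local"
    if any(net.subnet_of(block) for block in RFC1918):
        return "rfc1918"
    return "public"


def check_site_subnets(local: str, remote: str) -> List[str]:
    """Return the problems with a local/remote subnet pair; an empty list means the plan is sane."""
    problems = []
    parsed = {}
    for side, cidr in (("local", local), ("remote", remote)):
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{side} {cidr}: not a valid network ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{side} {cidr}: this check covers IPv4 only")
            continue
        parsed[side] = net
        kind = classify(cidr)
        if kind == "link-local":
            problems.append(f"{side} {cidr}: link-local space, no router (pfSense included) will route it")
        elif kind == "public":
            problems.append(f"{side} {cidr}: public space, not RFC 1918; use it only if you actually own it")
    if len(parsed) == 2 and parsed["local"].overlaps(parsed["remote"]):
        problems.append(f"local {local} and remote {remote} overlap; the tunnel cannot route between them")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the thread's first plan, then the corrected one (Azure prefix assumed /16).
    for plan in (("169.254.0.0/16", "168.124.1.0/24"), ("192.168.0.0/24", "10.10.0.0/16")):
        print(plan, check_site_subnets(*plan) or "OK")
```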
              fbackes
              last edited by

              Would the no_apipa_block switch solve that?

                johnpoz LAYER 8 Global Moderator
                last edited by

                NO that is not the correct way to do it.. That anyone would actually choose to use 169.254 is just beyond me.. First up a dhcpd it takes 2 freaking seconds. Is part of pfsense..

                  fbackes @johnpoz
                  last edited by fbackes

                  I know! ;-)

                  Since this is a productive system I can't easily mess with network settings.

                  I have changed pfSense LAN address to 192.168.0.1 and the IP of a test server to 192.168.0.22.

                  The subnet in Azure now is 10.10.0.0. The connection can be established, but machines in the different subnets still do not see each other.

                  WAN, LAN, and IPsec firewall rules have all been set to allow full IP4 traffic.
                  Can ping local machine from pfSense LAN and vice versa. Azure VPN shows some traffic in both directions (just a few bytes).

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.