Is this possible with VPN?
-
Thanks,
Sadly, I could not get this to work... am I doing something wrong?
I set up a TUN VPN with a shared key and tunnel network 10.0.8.0/24 (datacenter = 10.0.8.1 <---------> home = 10.0.8.2).
I can ping both IPs (10.0.8.x) remotely from both pfSense boxes; I see the OVPN gateways and they are online, next to the default datacenter and home ISP gateways.

Here is the situation: Datacenter network 187.x.x.0/30

Datacenter pfSense
WAN IP 187.x.x.8, Gateway 187.x.x.1 (up)
OVPN tunnel 10.0.8.2 (up)

Home pfSense
WAN IP 192.168.2.247, Gateway 192.168.2.254 (up)
OVPN tunnel 10.0.8.1 (up)

I connected a laptop to an added port (opt3); I would like to have this laptop use the IPs 187.x.x.23 and 187.x.x.24.
How can I set up this network?
-
The IPs you mention (.23, .24, .8) aren't within the /30 on your WAN, so how do they get to your pfSense in the first place? Are they routed?
-
I'm sorry, it isn't /30, I don't know why I typed that.. ;-)
Here is the correct (and full) situation..

We have 2 lines (spanning tree) in the datacenter, and can use 187.x.x.4 until 187.x.x.23 with gateway 187.x.x.1, netmask 255.255.255.0.
There is also a VLAN25 active for 187.x.25.153 until 187.x.25.159 with gateway 187.x.25.1, netmask 255.255.255.0.
We also have a 2A00:xxxx:x:31::/64; all these networks are connected to an HP ProCurve switch (VLAN25 tagged).

The gateway is on 187.x.x.1, and I believe 187.x.x.2 and 187.x.x.3 are routers because they are also reserved
(they told us we can't use these 3 IPs because of the datacenter infrastructure).

187.x.x.4 until 187.x.x.15 are not free; 187.x.x.16 until 187.x.x.23 are free for use!
187.x.25.x: no free IP!
2A00:xxxx:x:31::/64 is free for use!

The pfSense WAN port is connected to the switch on the 187.x.x.8 network.
WAN ---> DC pfSense ---> tunnel 10.0.8.2 ---> Internet <--- 10.0.8.1 tunnel <--- Home pfSense ---> Laptop (opt1)
I would like the laptop (or a switch) to use any IP from the free 187.x.x.16 until 187.x.x.23 IPs.
-
@mangelot said in Is this possible with VPN?:
We have 2 lines (spanning tree) in the datacenter, and can use 187.x.x.4 until 187.x.x.23 with gateway 187.x.x.1, netmask 255.255.255.0.
There is also a VLAN25 active for 187.x.25.153 until 187.x.25.159 with gateway 187.x.25.1, netmask 255.255.255.0.

OK, bear with me :)
So those are 2 WANs, I assume? Both are /24, and in both your upstream/ISP has a gateway on .1, and your pfSense has the .8 on one WAN, as in the other there are no IPs left to use? Or does your pfSense have another IP configured as its WAN and you only want to use the .8 IP in addition to that?

@mangelot said in Is this possible with VPN?:
I would like the laptop (or a switch) to use any IP from the free 187.x.x.16 until 187.x.x.23 IPs.

OK, so in addition to my question above: the pfSense seems to have the .8 and you want to use e.g. .16 as an additional IP and forward that to your laptop. Is that correct?
-
The pfSense in the datacenter has 187.x.x.8 on the WAN, that's correct (there are no other IPs or cables attached).
Yes, I would like to use the .16 till .23 IPs on my laptop or a switch at home (through the VPN tunnel).
So I can set up servers at home with the datacenter IPs, and migrate them after setup to the datacenter.

But if it is also possible to use VLAN25 as an extra WAN through the tunnel to my home, it would be really helpful, but not necessary...
-
So if your pfSense in the DC has .8 on its WAN, you add .16/.17/... or any address you want to use as a Virtual IP / Alias IP first. Otherwise pfSense will not get traffic for that IP. After adding it as an alias (as it isn't routed), you can only port forward or BiNAT this IP to your home network. All you have to do is set up your tunnel and routes correctly so that your pfSense at the DC location knows/can ping your network/laptop at home. If that works, it's simply adding a NAT/BiNAT or Port Forward rule to use e.g. the .16 IP and map it to your laptop IP.
If you set up the tunnel correctly (e.g. on the DC side: as local network you could use the 187.x.x.x/24 network, and the remote network is your OPT1 laptop network), that shouldn't be hard to achieve.
-
Thanks,
Okay, so it has to be done with BiNAT.
So I must set up an internal network on the laptop, 192.168.1.x, and 1:1 NAT this through the tunnel to the DC and back with routing rules....

Is there no other way to let the laptop use 187.x.x.8, subnet 255.255.255.0 and gateway 187.x.x.1?
There will be software running on the laptop that needs to use the IP from the software license.
Should this give any problem, do you think?
-
@mangelot said in Is this possible with VPN?:
So I must set up an internal network on the laptop, 192.168.1.x, and 1:1 NAT this through the tunnel to the DC and back with routing rules....

Nah, you just set up 1:1 NAT on your DC pfSense with 187.x.x.Y to <IPofYourLaptopAtHome>. If the routing in your tunnel setup between home/DC is correct, there's nothing else needed in terms of "routing with rules" (policy-based routes), as traffic for the .Y IP will automatically travel through the tunnel, and as OVPN tunnels have a reply-to statement set in the filter, answering traffic should flow back the same way without problems.
As said, we have used that for customers ourselves and routed whole IP spaces via an OVPN tunnel to another location. It isn't that complex to set up :)
-
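JeGr's two answers above describe four pieces: an alias/virtual IP on the DC WAN so pfSense answers for the extra address, a tunnel whose "remote network" gives the DC box a route to the home LAN, a 1:1 (BiNAT) mapping from the public address to the laptop, and reply-to on the filter rules so answers leave the way they came. The fragment below writes those pieces out by hand as plain OpenVPN and pf configuration; it is an added illustration, not from this thread and not pfSense's own generated files (pfSense builds the equivalent from the GUI fields). Everything numeric is an assumption standing in for the masked values: 203.0.113.0/24 for the datacenter /24 (gateway .1, pfSense WAN .8, spare address .16), 192.168.1.0/24 for the home LAN with the laptop at 192.168.1.16, tunnel addresses 10.0.8.1 (DC) and 10.0.8.2 (home), interface names em0/ovpns1/ovpnc1 and the key path are likewise hypothetical.

```conf
# ===== Datacenter pfSense: OpenVPN peer-to-peer, shared key (DC acts as server) =====
# Assumed: DC WAN 203.0.113.8, tunnel 10.0.8.1 (DC) <-> 10.0.8.2 (home).
dev tun
proto udp
port 1194
secret /path/to/shared.key          # hypothetical path to the pre-shared key
ifconfig 10.0.8.1 10.0.8.2          # local tunnel address / remote tunnel address
route 192.168.1.0 255.255.255.0     # "Remote network": the home LAN is reached through the tunnel
keepalive 10 60
persist-key
persist-tun

# ===== Home pfSense: the matching client =====
dev tun
proto udp
remote 203.0.113.8 1194             # DC WAN address
secret /path/to/shared.key
ifconfig 10.0.8.2 10.0.8.1
route 203.0.113.0 255.255.255.0     # "Remote network": the DC /24 (JeGr's "local network" on the DC side)
keepalive 10 60
persist-key
persist-tun

# ===== Datacenter pfSense: pf rules equivalent to "IP Alias VIP" + "1:1 NAT" =====
# The alias itself is not a pf rule; it is either an interface alias
# (ifconfig em0 alias 203.0.113.16/32, pfSense "IP Alias") or proxy ARP
# (pfSense "Proxy ARP", done by choparp). Without it the switch never
# delivers frames for .16 to the firewall.
ext_if = "em0"                      # hypothetical WAN interface
tun_if = "ovpns1"                   # hypothetical OpenVPN server interface

# Bidirectional 1:1 NAT: inbound to 203.0.113.16 is rewritten to 192.168.1.16,
# outbound from 192.168.1.16 leaves as 203.0.113.16.
binat on $ext_if from 192.168.1.16 to any -> 203.0.113.16

# pf translates before it filters, so the WAN rule matches the INTERNAL address.
# reply-to pins the state's return path to the WAN gateway instead of the
# routing table, which is what lets answers go back out the WAN.
pass in quick on $ext_if reply-to ($ext_if 203.0.113.1) inet proto tcp \
    from any to 192.168.1.16 port 80 keep state

# Traffic arriving from the tunnel gets reply-to pointing back into the tunnel.
pass in quick on $tun_if reply-to ($tun_if 10.0.8.2) inet \
    from 192.168.1.0/24 to any keep state

# ===== Home pfSense: accept tunnel traffic for the laptop, answers go back into the tunnel =====
home_tun_if = "ovpnc1"              # hypothetical OpenVPN client interface
pass in quick on $home_tun_if reply-to ($home_tun_if 10.0.8.1) inet \
    from any to 192.168.1.16 keep state
```

Order of checks that follows from the configuration: first confirm the DC box reaches the laptop through the tunnel by itself (a ping sourced from the DC tunnel or LAN address to 192.168.1.16), then add the alias and the binat, then test from the outside against 203.0.113.16. The laptop's own default gateway must be the home pfSense, otherwise its replies never enter the tunnel. If TCP to the mapped host works from outside but ICMP does not, the firewall on the laptop itself is the usual suspect, since host firewalls commonly accept echo requests only from the local subnet while the tunnel traffic arrives from a foreign one.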
Hello JeGr,
It's been a while; I had some medical issues that took some time.
Now I'm feeling quite a bit better and I would really like to take up my project again.

See the image for my current network setup; the dotted line is still the issue.
I have set up the VPN and I can ping both pfSense appliances through the VPN tunnel.
I temporarily opened all (any) protocols on both appliances (WAN, LAN, VPN), just to be sure no firewall rules were the issue!

I added a virtual IP (Proxy ARP) to the datacenter pfSense (187.xx.3x.16), and set up a 1:1 NAT from external IP 187.xx.3x.16 to internal IP 192.168.1.16 (this is a laptop at the office, with a webserver installed).
I can ping this laptop from the office pfSense, and I can check for open ports (80), both with a successful result.
I cannot ping this laptop from the datacenter (?), but I can check for open ports (80) with a successful result.
Do you have any idea, what could go wrong here?
-
@jegr
ping