Help with complicated Mult-Wan configuration
-
I wasn't around for the design and inception of this network and I'll admit that I'm not super fluent in network administration. I know what my end goals would like to be. I've made a quick and dirty diagram showing the more or less logical setup "pfsense is in a VM with physical connection to WAN router" showing the different subnets. As it sits now there is multiple WAN interfaces configured on the pfSense routers but no automatic failover/load balancing for redundancy. I attempted to setup a gateway group last night on one site but it broke communication with my remote subnets on the openVPN and the local subnets. I had most of it fixed with new firewall rules but not everything so I had to revert back to a single default gateway like it was previously configured. I'm looking for a little help from more experienced pfSense users. If I can get the failover configured I'd like to take it a step or two further with redundant VPN/failover, redundant WAN switches and a redundant pfSense router on our backup VM server. The corporate network is managed from outside and I have no control over it.. I just have its one IP from an uplink connecting the two networks and need to maintain traffic to and from including internet access through my network/router. I hope I've given enough information to start.
-
Why do you have openvpn between 2 firewalls which are local to each other?
With regards to failover VPN…. Good luck. It is technically possible with openvpn. IPSec is not clear. You might be better off buying a support pack for something like this. Just make sure that you state your scope and make sure they can do what you ask. I would take this route especially if you are not an advanced user! It looks like this is a for a business and it would be money well spent!
-
The arrow between the two sites is just representative of the VPN tunnel. I do have MPLS between the two so it may make things a bit easier by only having the VPN tunnel connected via the backup connections. This leads me to another question, how is a gateway configured for MPLS so that it doesn't NAT that traffic? I believe I do have a support indecent ticket left. While I would like full redundancy at both sites and between sites I also want to understand the configuration because I will ultimately be responsible for the systems up-time and if it gets too complicated the cons may outweigh the pros. I suppose that as long as I keep good configuration backups and whole VM backups of the pfSense routers though that the cons to a complete failure would be slim to none.
-
Guess the real question is if a problem occurs or you need to do an upgrade and it breaks functionality are you capable of reconstructing or modifying the set up by yourself. This set up looks somewhat complex and I know I would not want to be in the position of having to support a set up that I do not understand thoroughly.
-
Kapara, that is the dilemma. I have a pretty good understanding of the current configuration because it is a bit simpler without the redundancy. I need to take it a step at a time. I've already read of the problems with static routes and multi-wan gateway groups.. I will have another go at it in the near future. Like I said I almost had it 100% after making the new firewall rules to replace the static rout functionality. I am a little confused though why I could communicate with my remote 192.168.104.x network afterwards but not immediately the remote VoIP subnet without adding additional firewall rules even though those networks were listed in the openVPN remote network config. Any thoughts?