Static Route VS Outbound
-
@johnpoz yes, you are right and we agree (if the user is connected to the LAN 16.)
In this case, we are talking about external user over internet.
The site to site is between the 2 LAN's 16 and 27. Both pfsense have routing to each other with no problem.
-
@bambos said in Static Route VS Outbound:
In this case, we are talking about external user over internet.
If the user is external, then the vpn does not come into play. If user X out on the internet vpns into site A, he would be able to route traffic over the vpn to site B, again no port forward needed.
You would just need to setup routing via the vpn to get to the tunnel network of say the road warrior connection to site A.
-
@johnpoz Thank you Sir. Well noted. To my understanding you reffering to a case when the outside user accessing through remote access VPN as client on the server. Right ?
-
Doesn't matter where the external user vpns into be it site A or site B. You can setup routing over the s2s vpn so that any remote client could access either site A or site B networks no matter which site they vpn into.
-
@viragomann Great is working as you described !! thanks a lot.
Now i'm just questioning my self, when the autocreated openVPN tab has to get a rule and why ?
-
The OpenVPN tab is an interface group including all OpenVPN instances you're are running on the box, clients and servers as well. It is created by pfSense, when you set up the first OpenVPN to handle the traffic simply.
But what you need here is the reply-to flag of pfSense. This needs to have a pass rule on a unique interface, so that it sees a distinct gateway, where responses have to be replied back. Therefor the reply-to doesn't work on interface group or floating rules.
-
@viragomann Good, thanks a lot for your support.
What about remote access open vpn instance on the server ? Does this need a rule on the OpenVPN tab ? or again needs an interface ?
-
@bambos
Best practice is to assign an interface to each OpenVPN instance in this case. So each rule hase clear mapping.
However, basically you may also assign rules to the OpenVPN tab which are applied to all OpenVPN instances then, but in any case you have to care that there is no rule matching the forwarded traffic you need to reply to the remote site.
So you may add a pass rule excluding port 100 in your example. -
@viragomann thank you very much Sir. You gave me hints to play more with some things now. I have some things to redo for test. No sleep tonight :)
-
@johnpoz Thanks for explaining everything. I tried what you suggested and is succesful. The only thing was that the remote user, couldn't been able to connect through a VPN Client, that's why i make it short term access using port 100. ok, now it's clear.
