VPN issue 2 pfSenses in 1 network



  • hi there

    It might sound stupid, but I can't get it to work.

    setup:
    remote location, network is 192.168.1.x/24
    FW 1 has 192.168.1.1
    FW 2 has 192.168.1.254
    VPN tunnel on both is 10.0.8.x/24

    Each firewall has its own WAN (2 different ISPs).
    If I connect to FW 1 by VPN, I have access to all devices within my network except .254, which is my 2nd FW.
    If I connect to FW 2 by VPN, I don't have access to any of the other devices in the network, nor to .1, which is my 1st FW.
    If I'm on an internal machine within the network, I can connect to all devices, incl. FW 1 and FW 2.
    Also, from the diagnostics tool of each firewall I can ping the other one, and other internal devices can ping both firewalls. I think I can pin this down to a VPN issue.

    The VPN settings are 100% the same; I checked everything twice.

    Am I missing something here, or can somebody maybe point out where to look so I can access all FWs and internal devices regardless of which VPN I connect to?

    Thanks & regards



  • @Deadpool:

    If I connect to FW 1 by VPN, I have access to all devices within my network except .254, which is my 2nd FW.
    If I connect to FW 2 by VPN, I don't have access to any of the other devices in the network, nor to .1, which is my 1st FW.

    So I presume FW1 is the default gateway in your LAN. All hosts you try to access will send their responses to the default gateway, because the original source IP is not part of their subnet.

    The best way to resolve this is to add static routes on all LAN hosts to send responses for VPN2 to FW2. But this would be elaborate on the one hand, and on the other hand it doesn't work in your setup, since you use identical tunnel subnets for both VPNs.

    The other way to resolve it is to do outbound NAT (source NAT) for the VPN tunnel subnet on FW2's LAN interface and let it translate source addresses to its LAN address. The drawback of this is that any access to your hosts seems to come from FW2 instead of the VPN client.



  • Thanks for your reply, viragomann.

    Yes, FW 1 with .1 is the default gateway on all clients.

    The end result I want to achieve is having 2 pfSenses in my network. Some clients have FW 1 as gateway, some FW 2 as gateway (so that I can balance traffic between the 2 FWs), and I want to be able to connect to, for example, FW 1 by VPN and also be able to access FW2 via the web interface for management purposes. The 2nd FW would just be the failover VPN in case FW1 is down or whatever.

    Not sure if my setup is a good idea, but I haven't figured out anything else where I can manage which client/host sends which traffic to which firewall, so that I could have only 1 FW set up instead of two.

    However, you say outbound NAT on FW2 - so basically I emulate coming from FW2 instead of from the VPN? Not sure if I understand that correctly. Or can you point out how that would look?

    Thanks in advance



  • Yes, correct. The outbound NAT translates the packet's source IP from the original VPN client's address to FW2's LAN IP. So when the packets reach your LAN host, they seem to come from FW2, and it will respond to FW2, where the destination address of the packets is translated back to the VPN client's IP.
    We discussed this yesterday here: https://forum.pfsense.org/index.php?topic=120328.0

    Using the same VPN tunnel subnet for both connections is definitely not a good idea. But that doesn't matter if you do NAT.

    Access from a VPN1 client to the FW2 management interface can also be enabled by an outbound NAT rule at FW1. Here you just need to enter FW2's LAN address as the destination.

