/29 setup help

  • Hey!

    I'm trying to reduce the area that remote site #2 has to site #1. There are holes in my networking knowledge. So, I'm not sure if this is a design problem or an implementation problem. With both IPSEC networks set to /24, access on each side everything works fine. When I try to nibble it down to a /29 section at site1 I'm having trouble. The nibbled down site1 segment should be from site2's point of view.

    Site 1

    • LAN
    • some PCs that site 2 needs access to,
    • pfSense 2.2.6

    Site 2

    • LAN
    • VPN to site 1 is, defined in the IPSEC phase2 portion
    • pfSense 2.3.1

    Some things I'm looking for guidance on

    • I imagine I need to define /29 as a gateway? If so, I saw something about virtual adapters, would that work?
    • Site1 will stay at /24 and I'd like to have multiple remote sites accessing dedicated areas, so multiple /29 segments

    Let's start here. Ask for more details as needed - I'm not sure what other info is pertinent.


  • In the IPSEC phase2 config I'm setting

    Phase2> General Settings> Remote Network /29

    thinking that will give site2 access to only at site1, can someone confirm this?

  • Hmm, Virtual IP was straight forward.

    I created a VIP, chose LAN, set it to /29 Now when I'm at the remote site2 I can web to 100.33 and I see site1's pfSense router. Does this actual route though?

  • Argh, some silliness on my side. I had to change the PCs at site 1 so their

    subnet mask

    Still not perfect, but, I'm listing my steps for others.

  • OK, now I'm confused. I was connecting site2 to a test network (I didn't want to test on production network), let's call it site1B. The same setup works when I try to connect to a W7 RDP on site1B but when I try to connect to a W2K12R2 RDP Site1 no go.

  • Hmm, this doesn't seem to be the solution I was expecting. From Server36 ( /29) I can still ping all of the devices on /24. I'm guessing the VIP is allowing that since it is really going to /24 and that routes to the entire segment.

    Is there a better solution? In a prefect world I would like Server36 ( /29) to be able to access NAS40 ( /24) so I can do backups but not see anything else.

  • I'm a little confused about what you are doing. If you want to connect machines in site 2 to some of the machines in site 1, just make the phase 2 match Don't know why you are changing gateways, etc. Anything on site 1's LAN is going to be directly connected, messing with your subnet masks is not the way of it. If you want to restrict traffic between machines on the LAN, put them on different interfaces/subnets.

Log in to reply