/29 setup help



  • Hey!

    I'm trying to reduce the area that remote site #2 has to site #1. There are holes in my networking knowledge. So, I'm not sure if this is a design problem or an implementation problem. With both IPSEC networks set to /24, access on each side everything works fine. When I try to nibble it down to a /29 section at site1 I'm having trouble. The nibbled down site1 segment should be 192.168.11.33-38 from site2's point of view.

    Site 1

    • LAN 192.168.100.1/24
    • some PCs that site 2 needs access to 192.168.100.36, 192.168.100.38
    • pfSense 2.2.6

    Site 2

    • LAN 192.168.118.1/24
    • VPN to site 1 is 192.168.100.33/29, defined in the IPSEC phase2 portion
    • pfSense 2.3.1

    Some things I'm looking for guidance on

    • I imagine I need to define 192.168.100.33 /29 as a gateway? If so, I saw something about virtual adapters, would that work?
    • Site1 will stay at /24 and I'd like to have multiple remote sites accessing dedicated areas, so multiple /29 segments

    Let's start here. Ask for more details as needed - I'm not sure what other info is pertinent.

    Thanks!
    Rich



  • In the IPSEC phase2 config I'm setting

    Phase2> General Settings> Remote Network 192.168.100.33 /29

    thinking that will give site2 access to only 192.168.100.33-38 at site1, can someone confirm this?



  • Hmm, Virtual IP was straight forward.

    I created a VIP, chose LAN, set it to 192.168.100.33 /29 Now when I'm at the remote site2 I can web to 100.33 and I see site1's pfSense router. Does this actual route though?



  • Argh, some silliness on my side. I had to change the PCs at site 1 so their

    IP 192.168.100.36
    subnet mask 255.255.255.248
    gateway 192.168.100.33

    Still not perfect, but, I'm listing my steps for others.



  • OK, now I'm confused. I was connecting site2 to a test network (I didn't want to test on production network), let's call it site1B. The same setup works when I try to connect to a W7 RDP on site1B but when I try to connect to a W2K12R2 RDP Site1 no go.



  • Hmm, this doesn't seem to be the solution I was expecting. From Server36 (192.168.100.36 /29) I can still ping all of the devices on 192.168.100.0 /24. I'm guessing the VIP is allowing that since it is really going to 192.168.100.1 /24 and that routes to the entire segment.

    Is there a better solution? In a prefect world I would like Server36 (192.168.100.36 /29) to be able to access NAS40 (192.168.100.40 /24) so I can do backups but not see anything else.



  • I'm a little confused about what you are doing. If you want to connect machines in site 2 to some of the machines in site 1, just make the phase 2 match 192.168.100.32/29. Don't know why you are changing gateways, etc. Anything on site 1's LAN is going to be directly connected, messing with your subnet masks is not the way of it. If you want to restrict traffic between machines on the LAN, put them on different interfaces/subnets.