Multi-LAN, Multi-WAN + IPSEC tunnels, failover & routing problem



  • Hello to the pfsense community :)

    I'm coming here to seek some help since I have got issues with pfsense. Especially with routing.

    Here's the briefing:

    I have 3 sites, one main site and two satellites.
    The main site is connected to both satellites using IPSEC and also with a specific WAN MPLS VPN?
    Each site has two WANs.
    The main site has 3 LANs.
    Each site uses the first WAN to surf the Internet and to use the IPSEC link to the main site; the second WAN is an MPLS VPN that connects all my sites among others. So I can reach any of my sites using this second WAN. Plus, some resources are only reachable through these specific WAN links.

    Main site version: 2.2.6
    Remote sites: 2.3.2

    I have attached a diagram of my network in this post, it is better than any explanation. I've also attached screenshots from my Pfsense1 conf'

    I have multiple problems, I think they are related.

    First, Failover
    I have set a Failover gateway on the main site and on the site 3. It doesn't work :(

    On the main site for example, I've created a gateway group named GW_Failover which includes the following interfaces: WAN1 & WAN2
    WAN1 (named WANFIBRE) is set with Tier1, WAN2 (named WANPNF) is set with Tier2
    In my firewall rules, I've modified the default pass rules and changed the default gateway to GW_Failover.
    I've set a rule before the default one for specific routes: when I want to reach those networks, 192.168.190.0/24 and 192.168.254.0/24, I need to use my WAN2 (router 192.168.188.254)
    So my default gateway is WAN1, for specific destinations WAN2, and I want WAN2 to be the default gateway when WAN1 is down.

    I don't have any static routes.

    Two routing problems:
    When I want to ping a host from 192.168.211.0/24 to 192.168.186/24 (LAN to LAN), pfsense sends the packet over the WAN1…
    But I can ping a host from 192.168.186/24 to 192.168.211.0/24.

    I also would like to be able to reach my LAN 192.168.211.0/24 from my remote sites (192.168.180.0/24 & 192.168.184.0/24) through the IPSEC tunnels. Do I have to create another Phase2 in the IPSEC conf?

    The failover gateway doesn't work on my remote sites either.

    I'm not really confident with this routing system; I'm used to static routing/RIP/OSPF, I've never done any routing in firewall rules.

    Another thing I would like to do, but it appears to be difficult: when my IPSEC goes down, I would like to use WAN2 to be able to contact remote sites. Is it possible to automate this?

    Thank you in advance for any help you could bring to me :)
    Have a nice day.
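The LAN-to-LAN symptom above is the classic policy-routing trap: a pass rule with a gateway (or gateway group) set sends every matching packet to that gateway and bypasses the system routing table, so anything not matched by an earlier rule goes out WAN1. As an added illustration (my own code, not from this post and not pfSense's code), here is a small Python model of first-match rule processing with a tiered gateway group, using the gateway and network names from the post. The gateway up/down states and the "fixed" rule set are constructed assumptions; the model also assumes pfSense's default behaviour of falling back to the system routing table when a rule's gateway is down.

```python
import ipaddress

# Gateways from the post: name -> tier inside the GW_Failover group.
GATEWAYS = {"WANFIBRE": 1, "WANPNF": 2}
GW_GROUPS = {"GW_Failover": ["WANFIBRE", "WANPNF"]}
SYSTEM_ROUTING = "system routing table"   # a rule whose gateway is left at 'default'


def resolve_gateway(gw, gw_state):
    """Return the gateway a rule would use right now.

    gw_state maps gateway name -> True (online) / False (down).
    A gateway group picks its lowest-tier online member.  If nothing is
    online, the model assumes the pfSense default: the rule still passes
    traffic and it follows the system routing table.
    """
    if gw is None:
        return SYSTEM_ROUTING
    if gw in GW_GROUPS:
        for member in sorted(GW_GROUPS[gw], key=GATEWAYS.__getitem__):
            if gw_state.get(member, False):
                return member
        return SYSTEM_ROUTING
    return gw if gw_state.get(gw, False) else SYSTEM_ROUTING


def select_route(dst, rules, gw_state):
    """First matching rule wins, top to bottom (interface-tab semantics).

    Each rule is (description, list of destination networks or 'any',
    gateway name / group name / None for the default gateway).
    """
    addr = ipaddress.ip_address(dst)
    for desc, nets, gw in rules:
        if nets != "any" and not any(addr in ipaddress.ip_network(n) for n in nets):
            continue
        return desc, resolve_gateway(gw, gw_state)
    return "no match", "blocked"


# Rule order as described in the post for the 192.168.211.0/24 LAN tab.
OP_RULES = [
    ("MPLS only networks", ["192.168.190.0/24", "192.168.254.0/24"], "WANPNF"),
    ("default pass", "any", "GW_Failover"),
]

# Assumed fix: a pass rule with NO gateway for the other LAN and the IPsec
# remote networks, placed above the policy-routed rules, so those
# destinations are routed by the system routing table instead of WAN1.
FIXED_RULES = [
    ("local and VPN networks",
     ["192.168.186.0/24", "192.168.180.0/24", "192.168.184.0/24"], None),
] + OP_RULES

# Constructed gateway states for the walk-through.
ALL_UP = {"WANFIBRE": True, "WANPNF": True}
WAN1_DOWN = {"WANFIBRE": False, "WANPNF": True}


if __name__ == "__main__":
    cases = [
        ("192.168.186.10", OP_RULES, ALL_UP),      # LAN to LAN, as posted
        ("192.168.186.10", FIXED_RULES, ALL_UP),   # LAN to LAN, with fix
        ("192.168.190.5", OP_RULES, ALL_UP),       # MPLS-only destination
        ("198.51.100.7", OP_RULES, ALL_UP),        # Internet, WAN1 up
        ("198.51.100.7", OP_RULES, WAN1_DOWN),     # Internet, WAN1 down
    ]
    for dst, rules, state in cases:
        desc, out = select_route(dst, rules, state)
        print(f"{dst:16} matched '{desc}' -> {out}")
```

Running it shows 192.168.186.10 leaving via WANFIBRE under the posted rule order and via the system routing table once the no-gateway rule sits on top, while Internet traffic still fails over to WANPNF when WANFIBRE is marked down. The same ordering matters for the IPsec question: traffic for the remote Phase2 networks must hit a rule without a gateway, or it will be policy routed out WAN1 before IPsec ever sees it.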


  • Banned

    @straxjam:

    I have attached a diagram of my network in this post, it is better than any explanation.



  • LOL !  8)
    I can understand that !
    I'm trying to do another diagram right now :(



  • Here's a new diagram, I hope it's better :)




  • Hello,
    I've upgraded all my pfsense to the latest build 2.3.2_1
    I forgot to tell you that all my pfsense are virtualized on ESXi hosts.
    I've also attached in this post a screenshot of my routing table on the main site.