    Is there a way to tunnel real IPs to a remote site?

Routing and Multi WAN
12 Posts, 2 Posters, 898 Views
TeknikL:

I have a situation where I have BGP set up between two sites. When SiteA goes down, I can reconfigure SiteB BGP to advertise those blocks.

      I have a second internet line at SiteA which is non-bgp.

      Can I advertise the IPs from SiteB and tunnel them over to SiteA via any methods you guys are aware?

So let's say 8.8.8.1/24 is normally at SiteA and then SiteA goes down.

      I want to BGP advertise 8.8.8.1/24 from SiteB and then tunnel those IPs through a secondary internet connection (ovpn or ipsec) to SiteA so the systems can continue to be on the internet albeit with latency (which is only 5ms between sites).

      Help!

TeknikL:

        OK I got it working (mostly).

I set up an OpenVPN tunnel between the pfSense firewalls with private network 10.99.99.0/24 and a preshared key, using a tap device, from SiteB to SiteA on the secondary cable non-BGP connection.

        From the internet I can ping 8.8.8.1 which is configured as a VirtualIP at SiteA being advertised at SiteB and then tunneled through the ovpn back to SiteA.

BUT one last issue. The ping comes in from the Internet through SiteB, tunnels to SiteA, and then SiteA replies, but the replies go out through the default gateway at SiteA, which obviously would be down in the scenario I'm trying to protect against. When I tracert to the Internet from a workstation set up as 8.8.8.5 at SiteA, it goes out the default GW at SiteA. This means the 8.8.8.5 IP is not reachable from the Internet with this configuration because the return traffic is not coming back over the ovpn and sent out SiteB.

Any idea how to set a static route on SiteA pfSense to say "all traffic coming from 8.8.8.0/24 goes to 10.99.99.2 (the local ovpn interface)"?

Derelict (LAYER 8 Netgate):

          Assign an interface to the OpenVPN instance at Site A and make sure the traffic is passed into Site A by rules on the tab for that assigned interface and is NOT matched by rules on the OpenVPN tab. That will give you reply-to on those states and reply traffic will go back out the interface on which it arrived (the OpenVPN).

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

TeknikL:

Do I need to use tap for the tunnel to do that? Or is tun OK?

Do I just set no IP info on the created interface?

I was heading that direction to do PBR but I don't know the specifics.

TeknikL:

              So I added an interface for ovpns2 with no IP config on it.

I added a FW rule on the vmx2 interface, which has the 8.8.8.1 alias on it, with destination any, and set the gateway in the advanced section to OVPN2_GATEWAY_IPV4.

Is that the right way to set up the PBR? I don't see anything in the routing table and it still goes out the default GW when I tracert to the Internet from the test box on 8.8.8.5.

Any help would be appreciated, so close!

Derelict (LAYER 8 Netgate):

                Sorry. I forgot you were using TAP mode.


TeknikL:

I'm using tun mode with 10.99.99.1 on the client side and .2 on the server side.

How do I set up PBR?

Derelict (LAYER 8 Netgate):

                    You might want to look at setting it up as a multi-wan, in which case all of the interface rule issues I enumerated above would need to apply (match on the interface tab, not the OpenVPN tab). Or if this is a manual failover just change the default gateway to the OpenVPN GW at site A.

                    You would just add 8.8.8.0/24 as a "Remote Network" on Site B OpenVPN configuration. That will put a route in the routing table for that subnet to the OpenVPN instance.

                    You might also look at just padding the AS Path for those routes at Site B so when Site A is up, the path is shorter and, therefore, the preferred route. But when those routes drop due to an outage, the Site B routes will already be advertised.


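An added example, not from the thread and not pfSense or FRR code, of why the AS-path padding Derelict suggests lets Site B advertise 8.8.8.0/24 the whole time without pulling traffic away from Site A. It implements only the part of the BGP decision process (RFC 4271 section 9.1.2.2) that matters here: higher LOCAL_PREF wins, then the shorter AS_PATH, then the lowest router ID as the tie-breaker. The AS number 65001, the router IDs and the "upstream's view" framing are assumptions.

```python
"""Simplified BGP best-path selection seen from an upstream that hears
8.8.8.0/24 from both Site A and Site B (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str             # which site the upstream would forward to
    as_path: Tuple[int, ...]
    router_id: str            # last-resort tie-breaker (lower wins)
    local_pref: int = 100


def prepend(path: Path, asn: int, times: int) -> Path:
    """Equivalent of 'set as-path prepend': pad the path with our own ASN."""
    return replace(path, as_path=(asn,) * times + path.as_path)


def best_path(paths: Iterable[Path]) -> Optional[Path]:
    """Highest LOCAL_PREF, then shortest AS_PATH, then lowest router ID.
    MED, origin and IGP cost are omitted; they do not change this scenario."""
    candidates = list(paths)
    if not candidates:
        return None
    return min(candidates, key=lambda p: (-p.local_pref, len(p.as_path),
                                          int(ipaddress.IPv4Address(p.router_id))))


def upstream_choice(advertised: Dict[str, Path], sites_up: Iterable[str]) -> Optional[str]:
    """Next hop chosen once the sessions of the sites that are down have been withdrawn."""
    up = set(sites_up)
    best = best_path(p for site, p in advertised.items() if site in up)
    return best.next_hop if best else None


# Constructed scenario: both sites originate the block from customer AS 65001.
# Site B's router has the lower router ID, so with equal paths it would win.
SITE_A = Path("8.8.8.0/24", "SiteA", (65001,), "10.0.0.2")
SITE_B = Path("8.8.8.0/24", "SiteB", (65001,), "10.0.0.1")


def without_prepend(sites_up: Iterable[str]) -> Optional[str]:
    """Both sites advertise identically: the tie-breaker, not intent, decides."""
    return upstream_choice({"SiteA": SITE_A, "SiteB": SITE_B}, sites_up)


def with_prepend(sites_up: Iterable[str], times: int = 3) -> Optional[str]:
    """Site B pads its path, so it only wins once Site A's route is gone."""
    return upstream_choice({"SiteA": SITE_A, "SiteB": prepend(SITE_B, 65001, times)}, sites_up)


if __name__ == "__main__":
    print("no prepend, both up: ", without_prepend(["SiteA", "SiteB"]))  # SiteB (wrong site)
    print("prepend, both up:    ", with_prepend(["SiteA", "SiteB"]))     # SiteA
    print("prepend, Site A down:", with_prepend(["SiteB"]))              # SiteB
```

The point of the simulation is the first line of output: with identical advertisements the upstream may already be sending traffic to Site B while Site A is healthy, which is exactly the "manual reconfiguration" situation TeknikL started with, only inverted. Padding Site B's path by a few copies of the site's own ASN makes the outcome deterministic and needs no action during the outage. On pfSense, BGP is provided by the FRR package, where this is an outbound route-map with `set as-path prepend`; the exact route-map is outside what this thread covers.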
TeknikL:

Yeah, I already have 8.8.8.0/24 set up as the remote network at SiteB. I can ping 8.8.8.1 from the Internet, which comes into SiteB and then tunnels through.

The issue is when I set up a PC on 8.8.8.5 with a gateway of 8.8.8.1, the traffic hits the SiteA firewall and then goes out the default gateway.

I'll PM you the config; maybe that will help, and I'll convert the outcome here for public consumption since there are real IPs in there.

Derelict (LAYER 8 Netgate):

                        Yeah what I have been talking about is for inbound connections into the routed subnet.

You will probably want to create a failover gateway group consisting of the WAN and OpenVPN at Site A. That should route traffic from the 8.8.8.0/24 interface out OpenVPN when the WAN is down.

                        Try following this, treating the OpenVPN interface as another WAN: https://doc.pfsense.org/index.php/Multi-WAN

                        I am not sure how you have OpenVPN with a down WAN but you must somehow. :)


TeknikL:

                          I want the traffic to always be sent out the ovpn.

I have two gateways, but one of them is for the ovpn tunnel only; it doesn't have BGP ability. It's a cable modem, not a fiber connection.

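A small simulation, added here and not code from the thread or from pfSense, of the forwarding behaviours that Derelict's replies describe and TeknikL hit in turn: a reply to the 8.8.8.1 virtual IP that follows the routing table out the default gateway, a reply-to state that answers out the interface the connection arrived on, a route-to policy rule on the 8.8.8.0/24 interface tab, and a failover gateway group that uses the WAN while its monitor is up and OpenVPN otherwise. The 8.8.8.0/24 and 10.99.99.0/24 ranges, the vmx2 and ovpns2 interfaces and the OVPN2_GATEWAY_IPV4 gateway are the thread's own; vmx0 and WAN_GW for the fiber line, the group name FAILOVER and the remote host 198.51.100.10 are assumptions.

```python
"""Forwarding decisions on the Site A firewall (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    gateway: str   # gateway name, or "connected" for a directly attached subnet
    iface: str


@dataclass(frozen=True)
class PolicyRule:
    """A pass rule on an interface tab with a gateway chosen under Advanced (pf route-to)."""
    in_iface: str
    src: Net
    gateway: str   # a single gateway or a gateway group name


@dataclass
class Router:
    routes: List[Route]
    gateway_iface: Dict[str, str]    # gateway name -> egress interface
    gateway_up: Dict[str, bool]      # gateway name -> monitor state
    groups: Dict[str, List[str]] = field(default_factory=dict)   # group -> members, tier order
    policy: List[PolicyRule] = field(default_factory=list)

    def resolve(self, gw: str) -> Optional[str]:
        """A group yields its first member whose monitor is up; None if all are down."""
        for member in self.groups.get(gw, [gw]):
            if self.gateway_up.get(member, False):
                return member
        return None

    def table_lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def egress(self, in_iface: Optional[str], src: IPv4, dst: IPv4) -> Optional[str]:
        """Policy rules on the arrival interface come first; with no match, or no
        live gateway behind the rule, the routing table decides."""
        for rule in self.policy:
            if rule.in_iface == in_iface and src in rule.src:
                gw = self.resolve(rule.gateway)
                if gw is not None:
                    return self.gateway_iface[gw]
        route = self.table_lookup(dst)
        return route.iface if route else None

    def reply_egress(self, arrived_on: str, reply_to: bool, remote: IPv4) -> Optional[str]:
        """The firewall's own reply to a connection that came in on `arrived_on`.
        reply-to (set when the pass rule is on the assigned interface tab, not the
        OpenVPN tab) answers out that interface; otherwise the table decides."""
        return arrived_on if reply_to else self.egress(None, VIP, remote)


VIP = IPv4("8.8.8.1")            # virtual IP at Site A, from the thread
WORKSTATION = IPv4("8.8.8.5")    # test box at Site A, from the thread
REMOTE = IPv4("198.51.100.10")   # constructed Internet host


def site_a() -> Router:
    """Site A: fiber WAN as default route, the OpenVPN tunnel, and 8.8.8.0/24 on vmx2."""
    return Router(
        routes=[
            Route(Net("0.0.0.0/0"), "WAN_GW", "vmx0"),
            Route(Net("10.99.99.0/24"), "OVPN2_GATEWAY_IPV4", "ovpns2"),
            Route(Net("8.8.8.0/24"), "connected", "vmx2"),
        ],
        gateway_iface={"WAN_GW": "vmx0", "OVPN2_GATEWAY_IPV4": "ovpns2"},
        gateway_up={"WAN_GW": True, "OVPN2_GATEWAY_IPV4": True},
        groups={"FAILOVER": ["WAN_GW", "OVPN2_GATEWAY_IPV4"]},
    )


def vip_reply_iface(reply_to: bool) -> Optional[str]:
    """Site A answering a ping to 8.8.8.1 that arrived over the tunnel."""
    return site_a().reply_egress("ovpns2", reply_to, REMOTE)


def workstation_egress(rule_gateway: Optional[str], wan_up: bool = True) -> Optional[str]:
    """A packet from 8.8.8.5 entering on vmx2, optionally under a route-to rule."""
    r = site_a()
    r.gateway_up["WAN_GW"] = wan_up
    if rule_gateway is not None:
        r.policy.append(PolicyRule("vmx2", Net("8.8.8.0/24"), rule_gateway))
    return r.egress("vmx2", WORKSTATION, REMOTE)


if __name__ == "__main__":
    print("VIP reply, plain routing:   ", vip_reply_iface(False))                       # vmx0
    print("VIP reply, reply-to:        ", vip_reply_iface(True))                        # ovpns2
    print("8.8.8.5, plain routing:     ", workstation_egress(None))                     # vmx0
    print("8.8.8.5, route-to OpenVPN:  ", workstation_egress("OVPN2_GATEWAY_IPV4"))     # ovpns2
    print("8.8.8.5, failover, WAN down:", workstation_egress("FAILOVER", wan_up=False)) # ovpns2
```

The two halves of the thread map onto the two decision points in the model: reply-to covers traffic the firewall itself answers (the pinged virtual IP), while the route-to rule on vmx2 covers traffic forwarded for hosts behind it, which is why the ping worked before the workstation did. The gateway-group variant is what Derelict proposed for an automatic failover; TeknikL's final configuration corresponds to the fixed `OVPN2_GATEWAY_IPV4` case, since he wants that traffic to always leave through the tunnel.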
TeknikL:

This is working now! I needed to add mssfix 1300 to both ends of the ovpn tunnel, and I forgot to put a default GW for the secondary internet connection the ovpn tunnel was running over.

I am able to tracert from "8.8.8.5" with gw 8.8.8.1 at SiteA and it goes through the ovpn tunnel and out the WAN at SiteB.

Great success, thanks for all the help.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.