Two VPNs between two branches with pfSense boxes

  • Hi there,

    we have the following scenario here:
    (1) We have two branch offices with several networks in each one.
    (2) Each network in each of the offices should be accessible by the other office.
    (3) In addition to that, we need two PCs which are currently located in office 1 to be moved to office 2 while keeping their original network configuration. This means one of the networks from office 1 should also be available in office 2.

    The current configuration (where topics 1 and 2 are working perfectly fine) uses an IPSec Site-to-Site tunnel which connects both networks and allows for seamless communication. But I'm not able to get topic 3 done.
    The approach I was trying was to create an additional VPN tunnel (OpenVPN) with one of the boxes acting as server and the other one acting as client.
    The tunnel is established between two TAP interfaces - one on each side. The tunnel is being established perfectly fine…
    I've created a network in each branch office and bridged them to the TAP interface.
    When connecting a client in office 2, it receives an IP address from the DHCP server in office 1, but no further communication is possible. I'm not able to reach any other host using ICMP ping...

    I'm not sure what's going on here...
    I'm not even sure if I have to assign IP addresses to all the interfaces:
    It's obvious that the interface of the pfSense in office 1 has an IP address assigned on the interface in the client network.
    I did NOT assign an IP address to the TAP interface in office 1.
    I did NOT assign an IP address to the TAP interface in office 2, either.
    Do I have to assign an IP address to the interface in the client network in office 2? If so, which one? The same as on the interface on the other pfSense in office 1? Another one in the same subnet?

    I've tried several scenarios but none worked.
    When assigning IP addresses to the pfSense interfaces (different ones, but in the same subnet), I can at least ping the interface address in office 2 from office 1 when directly connecting to the pfSense using ssh. But why are PCs connected to the interfaces not able to communicate with each other?

    Another strange phenomenon I was noticing was the following:
    As I did not receive any answer from my ping command on a client in office 2, I tried to find out where the packets are going. Strangely, there was an ARP table entry for the remote interface address like: 00:bd:2f:0b:00:01

    The MAC address is the one of the REMOTE TAP interface. For me it's obvious that this cannot be reached.
    But why is my pfSense giving this strange ARP reply?

    Any ideas?
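As an added example that is not part of the original post: the moving parts of an OpenVPN TAP (layer-2) bridge between two FreeBSD/pfSense boxes, written out in one shell script. It shows both OpenVPN configs (server in DHCP-proxy bridge mode, client in tap mode), the host-side bridge wiring with the IP address placed on the bridge interface rather than on the NIC or the tap device, the two bridge sysctls that decide where pf filters bridged frames, and a tcpdump check for whether ARP actually crosses the tap. The interface names (em1, tap0, bridge0), the 192.168.50.0/24 address, the hostname vpn.office1.example and the certificate file names are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the moving parts of an OpenVPN
# TAP (layer-2) bridge between two FreeBSD/pfSense boxes. Interface names,
# addresses, hostnames and file names below are assumptions.
set -eu

LAN_IF="${LAN_IF:-em1}"           # assumed: NIC of the network being stretched
TAP_IF="${TAP_IF:-tap0}"          # assumed: OpenVPN tap device on this box
BR_IF="${BR_IF:-bridge0}"         # assumed: bridge joining LAN_IF and TAP_IF
BR_IP="${BR_IP:-192.168.50.1/24}" # assumed; the other office uses another host address, e.g. .2

# Office 1 (server): pure L2 mode. 'server-bridge nogw' is OpenVPN's DHCP-proxy
# mode: OpenVPN assigns no addresses, the clients' DHCP requests cross the
# bridge to the office-1 DHCP server, and no gateway is pushed. There are no
# 'server'/'ifconfig' lines: those hand out tun-style L3 addresses and do not
# belong on a bridge.
gen_server_conf() {
cat <<EOF
dev ${TAP_IF}
proto udp
port 1194
server-bridge nogw
client-to-client
keepalive 10 60
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
EOF
}

# Office 2 (client): same device type; the tap side carries raw Ethernet frames.
gen_client_conf() {
cat <<EOF
client
dev ${TAP_IF}
proto udp
remote vpn.office1.example 1194
nobind
remote-cert-tls server
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
EOF
}

# Sanity check: both ends tap, server in bridge mode, no tun-style addressing.
lint_l2_pair() {
  server="$(gen_server_conf)"
  client="$(gen_client_conf)"
  printf '%s\n' "$server" | grep -q '^dev tap' || return 1
  printf '%s\n' "$client" | grep -q '^dev tap' || return 1
  printf '%s\n' "$server" | grep -q '^server-bridge' || return 1
  if printf '%s\n' "$server" | grep -Eq '^(server|ifconfig) '; then return 1; fi
  return 0
}

# Host side (run as root on each box once the tap device exists). The IP
# address lives on the bridge, not on the member NIC and not on the tap.
# The two sysctls move pf filtering from the member interfaces to the bridge
# interface; with member filtering, each member (LAN NIC and tap/OpenVPN
# interface) needs its own pass rules or bridged frames are dropped. In the
# pfSense GUI the same steps are Interfaces > Assign (the ovpns/ovpnc device),
# Interfaces > Bridges, and System > Advanced > System Tunables.
bridge_up() {
  ifconfig "$BR_IF" create
  ifconfig "$LAN_IF" inet "${BR_IP%/*}" delete 2>/dev/null || true
  ifconfig "$BR_IF" addm "$LAN_IF" addm "$TAP_IF" up
  ifconfig "$BR_IF" inet "$BR_IP"
  sysctl net.link.bridge.pfil_member=0
  sysctl net.link.bridge.pfil_bridge=1
}

# Watch ARP and ICMP actually crossing the tap: a request leaving with no reply
# coming back narrows the fault to the far side.
watch_tap() {
  tcpdump -eni "$TAP_IF" 'arp or icmp'
}

case "${1:-}" in
  up)     bridge_up ;;
  watch)  watch_tap ;;
  lint)   lint_l2_pair && echo "configs look like an L2 bridge pair" ;;
  server) gen_server_conf ;;
  client) gen_client_conf ;;
esac
```

Run `sh bridge.sh server` or `client` to print the two configs, `sh bridge.sh lint` to check them, and `sh bridge.sh up` as root on each box once OpenVPN has created the tap device; `sh bridge.sh watch` on either end shows whether ARP requests from the stretched network reach the tap and whether replies come back.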


