Help setting up site-to-site relay

For months now I've been playing with VPS hosts trying to create a bridge into my network using their public fixed IP address instead of my ever-changing dynamic ones. Though my connection is very stable and I really don't worry about losing an IP unless PPPoE is reestablished, there are also other reasons: VoIP for one, and port 25 is another, which my ISP unblocks upon request, but the people at support are so incompetent they've been passing the wrong information to their IT staff, or I don't know what's happening, but they never get around to it.

Anyway, I finally found a VPS host that has pfSense images in their repositories and that I can connect to; the earlier ones didn't, for some reason or another, ranging from me just not knowing how to set stuff like this up in CentOS, to Windows Server site-to-site quirks, to the firewalling issues I mentioned earlier. I'm now connected to my VPS pfSense instance, it's got a subdomain assigned in my main DNS zone and I'm ready to start routing stuff in, but while setting it up I sort of got puzzled by the phase 2 info in the IPsec settings. For the time being I'm only using IPv4, so the mode is settled.

The cloud router only has one interface with a public IP address, and that's it. Since I want to use it as a relay I'm not sure whether I should set NAT/BINAT translation, and if I do, where do I set it up, because I have the same settings on the other side too. There's also a new option called "WAN subnet" in the network type dropdown, and although it makes sense to select it as the local network on the cloud router, there's NO MENTION of this in the pfSense Book nor on the help wiki when you click the question mark icon in the corner, so I don't know how to proceed from here. I've set up remote users millions of times and I'm confident that I can always make it work, but site-to-site introduces some stuff I sort of wasn't ready for. 😅

On the local site I thought it was going to be easier, but as I'm writing this I'm going through the options to back my findings up in this post, and now I'm not sure about a lot of stuff. For remote users I just assign them some subnet and that's it, but the cloud router only has the one single-interface, single-IP network: no subnet, no DHCP, none of that of a regular subnet, so it's essentially a gateway, right? How do you assign a gateway? More specifically, TO WHAT do you assign a gateway? Those settings are supposed to live under interfaces.

I want to keep the local traffic going out through the local gateway group anyway and use the cloud router exit as a kitchen-door sort of thing. This is where I'm stopping. Right now my router works flawlessly, remote users can connect, all of my reverse-proxied hosts are resolvable and there aren't any rule conflicts in the very, very... very long list of rules, aliases and ports; messing with gateways and interfaces has always gotten me into big trouble, so this time I stopped to ask before going deeper. 🤓

pfSense's awesome intelligent backup restore works if the setup is the exact same, but even so, it gets my pulse fast and heavy real quick. Have any of you guys done this successfully? Could you share? :)
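The phase 2 entries the post is stuck on are IPsec traffic selectors: each side lists its own local network and the peer's network, and the tunnel only carries traffic that matches both ends' mirrored selectors. The example below is an added consistency check, not code from the poster or from pfSense. It models each side's phase 2 entry as a small dict (constructed sample values in documentation address ranges; 203.0.113.5/32 stands in for the VPS's single public address, written as a /32 host network, which is an assumption about how the "WAN subnet" choice ends up being expressed) and flags the mistakes that most often leave a site-to-site tunnel up but passing no traffic: selectors that don't mirror, a BINAT network the other side doesn't know about, or overlapping prefixes.

```python
"""Mirror check for a pair of IPsec phase 2 (traffic selector) entries.

Added example, not pfSense's own code. Each side of the tunnel is a dict
with the networks it would enter in its phase 2 entry; "binat" is the
network the site presents to the peer instead of its real LAN, or None.
"""
import ipaddress

# Constructed sample entries (documentation ranges, not the poster's addresses).
# The cloud side has a single public address, modelled as a /32 host network
# (assumption: this is what selecting its own WAN address as local network means).
HOME = {"name": "home", "local": "192.168.10.0/24", "remote": "203.0.113.5/32", "binat": None}
CLOUD = {"name": "cloud", "local": "203.0.113.5/32", "remote": "192.168.10.0/24", "binat": None}

# Same pair, but the home side hides its LAN behind a BINAT network, so the
# cloud side must reference 10.90.0.0/24 rather than the real 192.168.10.0/24.
HOME_BINAT = {**HOME, "binat": "10.90.0.0/24"}
CLOUD_FOR_BINAT = {**CLOUD, "remote": "10.90.0.0/24"}

# A typical slip: the cloud side's remote network typed as a /23 instead of /24.
CLOUD_WRONG = {**CLOUD, "remote": "192.168.10.0/23"}


def effective_local(entry):
    """The local network as the peer must see it: the BINAT network when one
    is configured, otherwise the real local network."""
    return ipaddress.ip_network(entry.get("binat") or entry["local"], strict=True)


def check_phase2_pair(site_a, site_b):
    """Return a list of human-readable problems; an empty list means the two
    phase 2 entries mirror each other and can negotiate a usable child SA."""
    problems = []
    a_local, b_local = effective_local(site_a), effective_local(site_b)
    a_remote = ipaddress.ip_network(site_a["remote"], strict=True)
    b_remote = ipaddress.ip_network(site_b["remote"], strict=True)

    # 1. Selectors must mirror: what A presents as local is what B lists as remote.
    if a_local != b_remote:
        problems.append(f"{site_a['name']} presents {a_local} but "
                        f"{site_b['name']} expects remote {b_remote}")
    if b_local != a_remote:
        problems.append(f"{site_b['name']} presents {b_local} but "
                        f"{site_a['name']} expects remote {a_remote}")

    # 2. The two ends must not overlap, or neither kernel can decide which
    #    side owns a destination inside the shared range.
    if a_local.overlaps(b_local):
        problems.append(f"local networks {a_local} and {b_local} overlap")

    # 3. A BINAT mapping is 1:1, so the translated network must be the same size
    #    as the real one.
    for site in (site_a, site_b):
        if site.get("binat"):
            real = ipaddress.ip_network(site["local"], strict=True)
            nat = ipaddress.ip_network(site["binat"], strict=True)
            if real.prefixlen != nat.prefixlen:
                problems.append(f"{site['name']}: BINAT {nat} is not the same "
                                f"size as local {real}")
    return problems


if __name__ == "__main__":
    cases = [("mirrored", HOME, CLOUD),
             ("with BINAT", HOME_BINAT, CLOUD_FOR_BINAT),
             ("BINAT not mirrored", HOME_BINAT, CLOUD),
             ("mistyped mask", HOME, CLOUD_WRONG)]
    for label, a, b in cases:
        print(f"{label}: {check_phase2_pair(a, b) or 'ok'}")
```

Two points the check makes concrete for the relay setup in the post: the BINAT network, if used, is configured on the side whose addresses are being rewritten, and the far side then lists that translated network (not the real LAN) as its remote network; and keeping the cloud side's selector at its single /32 rather than 0.0.0.0/0 is exactly what leaves ordinary Internet traffic on the local gateway group while only VPS-bound (and VPS-relayed) traffic enters the tunnel.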

