Multi-Site-to-Site not working
-
Hi,
I am still receiving the ifconfig warning message in pfSense 2.4.2. Please see the following thread, as this issue appears unresolved:
https://forum.pfsense.org/index.php?topic=34610.0
What is the reason for the server and the client warning me about ifconfig not being run on the client side?
-
You're going to reference a thread from 2011?
What exactly is the problem you're seeing? The version of OpenVPN from back in 2011 was 2.2; it's 2.4 now.
Please post up your server config and any options you have set in the advanced section, and your client config, and we can work out any sort of problems you're having.
-
The problem I'm having is when I try and set up a site to site VPN where multiple branch servers connect to one head office.
All locations use pfSense 2.4.2. I can get it to work if I specify a 192.168.x.x/30 subnet for each head/branch pair and leave the topology in OpenVPN set to "Subnet – One IP address per client in a common subnet." The problem with this configuration is that the head office site has to have individual OpenVPN instances for each branch as well as a unique WAN port for each branch.
If I try and expand the tunnel subnet to a /24, so that all branch sites can connect to the same head office WAN port but with different certificates (same TLS key though), I get no connectivity from the branch site computers. I can ping only directly from each pfSense branch box to the head pfSense box using the built-in ping utility, but that's it. The tunnel clearly establishes successfully though.
I've modified the firewall rules and outbound NAT accordingly but there is something missing.
I'm not getting an ifconfig error in the /24 configuration but I also don't know if that command is executing correctly.
-
So you want your branch A to route to HQ to get to branch B?
Why would you not just set up a full mesh where you set up site-to-site between each branch and HQ?
Do the other sites not need access to each other? How many sites are you talking about?
-
I have 5 branches. I need only some subnets on each branch to route through HQ for internet access.
-
So branch A does not talk to branch B.
And you only have 5… So why don't you just fire up 5 site-to-site instances and be done with it?
Or for that matter, why even use site-to-site? If the branch is just using this to HQ for internet, just set up the client on the branch as a road warrior setup... Then you could just have 1 instance for sure on the HQ pfSense, and policy route whatever you want from the branch to HQ for internet.
-
The branches do also need to talk to each other. Because of packet sniffing/monitoring I would need the branch-to-branch communication to pass through HQ. A mesh network would not allow for this. This is why I would like to set up a greater than /30 tunnel.
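The topology described in the posts above (one /24 tunnel on a single HQ WAN port, several branch clients with their own certificates and a shared TLS key, branch LANs reaching the internet and each other only by way of HQ) as plain OpenVPN 2.4 directives. This is an added illustration, not the poster's configuration or anything pfSense generated in the thread; the tunnel network, branch LANs, certificate common names and hostname are constructed placeholders. On pfSense the same directives correspond to the Tunnel Network and IPv4 Remote network(s) fields on the server and to the Client Specific Overrides entries, which are what emit the per-client `iroute` lines.

```conf
# ---- HQ server instance (constructed example; one instance, one WAN port for all branches) ----
dev tun
topology subnet
server 10.200.0.0 255.255.255.0          # the /24 tunnel network: one address per branch client
tls-auth ta.key 0                        # shared TLS key; the server side uses direction 0
client-config-dir ccd                    # per-client files named after each certificate CN

# Kernel routes on HQ: every branch LAN lives behind the tunnel interface.
route 192.168.11.0 255.255.255.0         # branch A LAN (placeholder)
route 192.168.12.0 255.255.255.0         # branch B LAN (placeholder)
# ... one route line per branch

# Routes every branch receives: the HQ LAN. Pushing a branch its own LAN would
# conflict with its local route, so the other branches' LANs are pushed per client below.
push "route 10.0.0.0 255.255.255.0"      # HQ LAN (placeholder)

# Deliberately NOT set: client-to-client. Without it, a packet from branch A to branch B
# leaves the tunnel, traverses the HQ firewall and routing table (where it can be filtered
# and monitored), and is sent back down the tunnel to branch B. That is the behaviour the
# thread asks for; client-to-client would short-circuit it inside the OpenVPN daemon.

# ---- ccd/branchA  (file name = certificate CN of branch A) ----
# iroute is the part a multi-client server needs beyond the kernel route above: it tells the
# OpenVPN daemon which client session owns 192.168.11.0/24. Without it the kernel hands the
# packet to the tun interface but the daemon has no session to deliver it to and drops it,
# and traffic sourced from branch LAN hosts is rejected as coming from an unknown address.
# The tunnel endpoints themselves can still ping each other in that state.
iroute 192.168.11.0 255.255.255.0
push "route 192.168.12.0 255.255.255.0"  # reach branch B via HQ
# Optional, for branch subnets that must use HQ for internet (pfSense: Redirect Gateway);
# selecting only some branch subnets is then done by policy routing on the branch firewall.
# push "redirect-gateway def1"

# ---- ccd/branchB ----
iroute 192.168.12.0 255.255.255.0
push "route 192.168.11.0 255.255.255.0"  # reach branch A via HQ

# ---- branch A client instance ----
client
dev tun
remote hq.example.invalid 1194           # placeholder hostname
tls-auth ta.key 1                        # same key, client direction 1
cert branchA.crt
key branchA.key
```

The directives only cover routing; the firewall rules on the HQ OpenVPN interface and the outbound NAT entries for the branch subnets that should exit through HQ's WAN, which the poster says they already adjusted, are still required on top. Whether a missing `iroute` is the poster's actual fault cannot be told from the thread, which ends without the configs being posted, but "pfSense-to-pfSense ping works, LAN hosts get nothing" on a multi-client tunnel is the first thing to check against the Client Specific Overrides.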
-
So you're routing traffic from branch A to B, but it has to go through HQ… Yeah, that sort of setup just blows... I will have to think about that for a bit...
-
It's not that bad. Only a few specific resources need to communicate branch to branch. The latency of going through HQ is not a big deal. I'm hoping to find out from you and the pfSense community if I have misconfigured something when using a /24 tunnel or if there is a bug somewhere.