MPLS plus OpenVPN



  • Hi everybody!

    Firstly, I'm French, and I'm not an expert in networks, so I will do my best to explain.

    Here it is:
    A customer uses OpenVPN to connect to the pfSense on network 1, and tries to reach network 2 through the MPLS.

    The MPLS works between networks
    PC1 connected to network 1 by OpenVPN of pfsense

    Network1 192.168.1.0 :
    Router 164.X.X.X (public address)
    Firewall PfSense 192.168.1.2
    Router MPLS 192.168.1.3
    Network2 192.168.2.0

    On network 1, the MPLS router is directly connected to a switch in the LAN, not to the pfSense firewall. (Is it a problem?)
    Rules :
    Pass * * everywhere. (Fewer problems, only for testing, don't worry!)

    My tests :
    PC1 can ping every server in network 1.
    PC1 can ping the MPLS gateway 192.168.1.3
    PC1 can't contact any pc in the network 192.168.2.0

    Logs :
    I don't see anything..

    For that, I can't use a bounce machine, but it works if I do it..

    I tried to explain as well as I can, so if I made a mistake, tell me! You can ask me!  :)

    Thanks in advance!



  • First off, MPLS and VPNs operate in completely different ways, though both can be used to privately connect sites.  MPLS works at the Ethernet level, though it can also work over other network types.  OpenVPN is an encrypted IP over IP tunnel.  Since MPLS works at the Ethernet level, it can be used LAN to LAN directly without passing through a firewall.  It's just as though you ran an Ethernet cable between the sites.  When used in this manner, both sites would be on the same subnet.  It is also possible to connect MPLS via a router (possibly including firewall) in the same manner as any other IP connection.  I believe this is what you're using.  However, given that the router is directly on the LAN and not passing through pfSense, there will be multiple routes for a device to use.  This means that all devices on network 1 need both a default route and a specific route for the other network.  This is easy enough to do with a static configuration, but I don't believe DHCP supports it.

    Bottom line, you'll either need some way to provide the specific route to Network 2 or connect the MPLS router through pfSense, so that the default route can handle traffic for Network 2.



  • Hi, thanks for the answer,

    First, I know the difference between them, but I have some problems:

    When I'm away, I connect to LAN1 with OpenVPN, it works, no problems, **BUT if I want to contact LAN2 it doesn't work.**
    I don't understand why I can't contact LAN2 when I'm connected to LAN1 with OpenVPN.

    The question isn't choosing OpenVPN or MPLS, but how they work together.

    (The default gateway is the pfSense firewall, but with a route to the MPLS it doesn't work… It works when I'm on the LAN.)



  • ^^^^
    Please read what I said about a specific route.  Since the MPLS router is connected directly to the LAN, traffic for it cannot be forwarded via the default route, which points to pfSense.  You'll either have to find some way to provide the specific route to Network 2 or connect the MPLS router via pfSense.  As it is, devices on Network 1, including OpenVPN, don't know a route to Network 2.
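
Added example (not part of any post in this thread): a longest-prefix-match lookup showing which gateway a Network 1 device selects for Network 2 traffic, with and without the specific route discussed above. The gateway addresses come from the first post; the /24 masks, the host 192.168.2.10 and the table names are assumptions made for illustration.

```python
import ipaddress

ON_LINK = "on-link"  # destination is on the directly attached subnet

def next_hop(routes, dst):
    """Longest-prefix match: gateway of the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def devices_bypassing(tables, dst, wanted_gateway):
    """Names of devices whose routing table does not send dst to wanted_gateway."""
    return sorted(name for name, routes in tables.items()
                  if next_hop(routes, dst) != wanted_gateway)

PFSENSE = "192.168.1.2"      # default gateway on Network 1 (from the thread)
MPLS_ROUTER = "192.168.1.3"  # MPLS router on the same LAN (from the thread)

# Constructed routing tables; the /24 masks are assumed.
TABLES = {
    "lan-host-default-only": [
        ("192.168.1.0/24", ON_LINK),
        ("0.0.0.0/0", PFSENSE),
    ],
    "lan-host-static-route": [
        ("192.168.1.0/24", ON_LINK),
        ("192.168.2.0/24", MPLS_ROUTER),  # the specific route to Network 2
        ("0.0.0.0/0", PFSENSE),
    ],
}

if __name__ == "__main__":
    target = "192.168.2.10"  # constructed host address on Network 2
    for name, routes in TABLES.items():
        print(f"{name}: {target} via {next_hop(routes, target)}")
    print("not using the MPLS router:",
          devices_bypassing(TABLES, target, MPLS_ROUTER))
```

Running the same lookup against the real routing table of each device in the path (LAN host, pfSense, VPN client) shows which of them lacks the Network 2 route.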



  • The thing is, it works on Network 1; the route on pfSense is here, and the route is on the computer too, but it doesn't work on the OpenVPN connection.


