Netgate Discussion Forum

    Routing between multiple sites

    Routing and Multi WAN
    15 Posts 5 Posters 1.3k Views
      amundae

      So I have an interesting problem, I have 3 sites, each with a pfSense firewall:

      PDXFW1: (LAN: 192.168.1.1/24)
      SEAFW1: (LAN: 192.168.2.1/24)
      SLCFW1: (LAN: 10.7.3.1/24)

      They are connected like so:

      SLCFW1:10.7.30.2 <openvpn tunnel> 10.7.30.1:PDXFW1:192.168.10.253 <mpls link> 192.168.11.253:SEAFW1

      The idea being that all devices on all LAN's can freely communicate with one another

      The problem is routing from SLCFW1's LAN to SEAFW1's and vice versa.

      SLCFW1 has SEAFW1's LAN net as a remote network in the OpenVPN config
      SLCFW1 can route just fine to PDXFW1's LAN and vice versa
      SLCFW1 can ping SEAFW1's LAN address from its OpenVPN interface but not its LAN interface

      SEAFW1 has a static route sending traffic to SLCFW1 via PDXFW1's MPLS interface
      SEAFW1 cannot route any traffic to SLCFW1, according to a traceroute it dies in PDXFW1
      SEAFW1 can route to PDXFW1's LAN just fine

      What am I doing wrong?

        chpalmer

        I do these kinds of OpenVPN circuits all the time using one location in the middle of other locations..
        I'm curious if running RIP on the MPLS interfaces would solve your issue.

        What does your OpenVPN firewall rule look like at PDX?  What is showing up in your firewall logs when traffic tries to flow?

        Do you have your OpenVPN assigned to an actual interface at SEA and PDX?      ( I actually do not here..)

        I'd also be curious about running an OpenVPN connection across the MPLS circuit.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          jahonix

          @chpalmer:

          I'd also be curious about running an OpenVPN connection across the MPLS circuit.

          Out of sheer curiosity: what problems can arise from that combination (and why)?

            amundae

            @chpalmer:

            What does your OpenVPN firewall rule look like at PDX?  What is showing up in your firewall logs when traffic tries to flow?

            All VPN interface rules are allow any to any.

            Nothing, it just dies without getting blocked.

            @chpalmer:

            Do you have your OpenVPN assigned to an actual interface at SEA and PDX?  ( I actually do not here..)

            No I do not, and the VPN is between SLC and PDX, not SEA.

            @chpalmer:

            I'd also be curious about running an OpenVPN connection across the MPLS circuit.

            That's what I was going to try next if I couldn't get an answer here

              heper

              You are probably missing a return route somewhere. Not enough information to go on.

              Best to draw up a detailed schematic (= no ASCII art) with all the subnets involved. Also provide the (redacted) routing tables on all sites.

                amundae

                Will do, I'll work on a nice shiny schematic.

                  chpalmer

                  @jahonix:

                  @chpalmer:

                  I'd also be curious about running an OpenVPN connection across the MPLS circuit.

                  Out of sheer curiosity: what problems can arise from that combination (and why)?

                  I probably need to reword that..

                  I'd be curious if creating an OpenVPN tunnel inside the MPLS circuit between the two boxes wouldn't easily solve the routing problem..  :)

                    chpalmer

                    @amundae:

                    All VPN interface rules are allow any to any.

                    Nothing, it just dies without getting blocked.

                    I've had issues in the past with Any/Any firewall rules although I didn't stick around long enough to diagnose so it was probably something else at the time..  But I tend to always get specific these days.  YMMV.

                    You could always try the Routed package on the two machines and see if that doesn't help.  Use the MPLS interfaces.

                      amundae

                      Ok here's the diagram: https://www.lucidchart.com/invitations/accept/abf0f5c5-d92b-4c5b-9d8b-a527a746765d

                        chpalmer

                        @chpalmer:

                        You could always try the Routed package on the two machines and see if that doesn't help.  Use the MPLS interfaces.

                        Was in a hurry so spit this out too quick..

                        Save your configs.

                        Put the Routed package on both SEAFW1  and PDXFW1.

                        Set up Routed on both machines to be on their MPLS interfaces.

                        Routed will allow the machines to advertise their subnets to the other machine much the way that the OpenVPN config is doing between PDXFW1 and SLCFW1.

                        Get rid of the static routes.

                        I'm assuming each router has its own local internet connection.. ?

                          Derelict (Netgate)

                          @amundae:

                          Ok here's the diagram: https://www.lucidchart.com/invitations/accept/abf0f5c5-d92b-4c5b-9d8b-a527a746765d

                          No. Not going to create an account there just to view your diagram.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            amundae

                            @Derelict:

                            @amundae:

                            Ok here's the diagram: https://www.lucidchart.com/invitations/accept/abf0f5c5-d92b-4c5b-9d8b-a527a746765d

                            No. Not going to create an account there just to view your diagram.

                            Oh my apologies, didn't realize it would make you make an account, see the attached image.

                            (attached image: chrome_2018-04-09_10-54-42.png)

                              Derelict (Netgate)

                              Your MPLS needs to know about the routes to SLC. Is the traffic for the networks at SLC even arriving at PDX from SEA?

                                amundae

                                Hi All, this was finally fixed today. The issue was that an old IPsec connection to SLC was still set to enabled on the SEA router and was screwing up routing.

                                Interestingly this never was shown in the system routing table which is frustrating.

                                Anyway it is fixed now. Thank you all for your help!

                                  Derelict (Netgate)

                                  @amundae IPsec traffic selectors are not in the routing table because they are not routes.

                                  https://forum.netgate.com/topic/131420/routed-ipsec-using-if_ipsec-vti-interfaces

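Editor's note, added example (not code from the thread or from pfSense): the fix amundae reported and the point Derelict makes above are worth seeing as a model. A policy-based IPsec phase 2 is a traffic selector, consulted before the routing table, so a stale but enabled phase 2 can swallow traffic that `netstat -rn` says has a perfectly good route. The script below models each firewall as an IPsec selector list checked ahead of a longest-prefix-match routing table, using the addresses amundae posted, and runs the two-direction check heper asked for (a path is only usable if the return path works too). The selector of the old SEA/SLC phase 2 (192.168.2.0/24 to 10.7.3.0/24), the /32 routes for the OpenVPN endpoints, the route from SEA back to the OpenVPN endpoint, and the .10 host addresses are assumptions made for the illustration; under those assumptions it reproduces the symptom from the first post (pings sourced from SLC's OpenVPN address work, pings sourced from its LAN do not).

```python
"""Why a stale policy-based IPsec phase 2 breaks a path that the routing table
says is fine.  Added example for this thread; not code from the thread or
from pfSense.  Addresses are the ones amundae posted; the selector of the old
SEA<->SLC phase 2, the /32 routes for the OpenVPN endpoints and the .10 hosts
are assumptions made for the illustration."""
from ipaddress import ip_address, ip_network


class Router:
    def __init__(self, name, routes, ipsec_selectors=()):
        self.name = name
        # FIB entries: (prefix, next hop).  "local" = directly attached.
        self.routes = [(ip_network(p), nh) for p, nh in routes]
        # Phase-2 traffic selectors: (src, dst, tunnel).  Like the SPD on
        # pfSense/FreeBSD they are checked before the FIB and are not routes,
        # so `netstat -rn` never shows them.
        self.ipsec = [(ip_network(s), ip_network(d), t) for s, d, t in ipsec_selectors]

    def forward(self, src, dst):
        """Return ("ipsec", tunnel), ("route", next_hop) or ("drop", reason)."""
        for s, d, tunnel in self.ipsec:
            if src in s and dst in d:
                return "ipsec", tunnel
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return ("drop", "no route") if best is None else ("route", best[1])


def trace(topology, start, src, dst, max_hops=8):
    """Walk a packet router by router.  Returns (path, outcome)."""
    src, dst = ip_address(src), ip_address(dst)
    path, cur = [start], start
    for _ in range(max_hops):
        kind, target = topology[cur].forward(src, dst)
        if kind == "route" and target == "local":
            return path, "delivered"
        if kind != "route":                 # swallowed by IPsec, or no route
            return path, f"{kind}:{target}"
        path.append(target)
        cur = target
    return path, "loop"


def check_both_directions(topology, a_router, a_host, b_router, b_host):
    """heper's point: a path is only usable if the return path works as well."""
    fwd = trace(topology, a_router, a_host, b_host)
    ret = trace(topology, b_router, b_host, a_host)
    return {"forward": fwd, "return": ret,
            "ok": fwd[1] == "delivered" and ret[1] == "delivered"}


def build_topology(stale_ipsec_on_sea):
    sea_ipsec = []
    if stale_ipsec_on_sea:
        # ASSUMED selector of the old, still-enabled SEA<->SLC phase 2.
        sea_ipsec = [("192.168.2.0/24", "10.7.3.0/24", "old-SLC-tunnel")]
    return {
        "PDXFW1": Router("PDXFW1", [
            ("192.168.1.0/24", "local"),
            ("10.7.30.1/32", "local"),      # OpenVPN endpoint (assumed /32)
            ("10.7.30.2/32", "SLCFW1"),     # OpenVPN peer
            ("10.7.3.0/24", "SLCFW1"),      # OpenVPN remote network
            ("192.168.2.0/24", "SEAFW1"),   # static route across the MPLS link
        ]),
        "SLCFW1": Router("SLCFW1", [
            ("10.7.3.0/24", "local"),
            ("10.7.30.2/32", "local"),
            ("192.168.1.0/24", "PDXFW1"),   # OpenVPN remote networks
            ("192.168.2.0/24", "PDXFW1"),
        ]),
        "SEAFW1": Router("SEAFW1", [
            ("192.168.2.0/24", "local"),
            ("192.168.1.0/24", "PDXFW1"),   # via PDXFW1's MPLS interface
            ("10.7.3.0/24", "PDXFW1"),      # the static route amundae added
            ("10.7.30.2/32", "PDXFW1"),     # assumed: tunnel endpoint also via PDX
        ], sea_ipsec),
    }


if __name__ == "__main__":
    for stale in (True, False):
        topo = build_topology(stale_ipsec_on_sea=stale)
        print("stale phase 2 enabled on SEA:", stale)
        print("  LAN to LAN       :", check_both_directions(topo, "SLCFW1", "10.7.3.10", "SEAFW1", "192.168.2.10"))
        print("  OpenVPN IP to LAN:", check_both_directions(topo, "SLCFW1", "10.7.30.2", "SEAFW1", "192.168.2.10"))
```

With the stale phase 2 enabled, the forward path SLC to SEA is delivered but the reply from SEA to 10.7.3.10 is reported as swallowed by the IPsec selector, while a reply to the OpenVPN endpoint 10.7.30.2 (outside the selector) follows the static route and arrives; disabling the phase 2 makes both directions work. On a real pfSense box the same comparison is `netstat -rn` for the routing table against the SPD shown under Status > IPsec (SPDs tab) or `setkey -DP` from Diagnostics > Command Prompt: a destination with a good-looking route but a matching SPD entry goes into the tunnel, not out the route.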
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.