Site to site and remote access gateway



  • Hey all,

    I've seen some variation of this question asked on here before, but I thought I'd try my luck with my setup and see if anyone can help me out.

    Basically the setup is this:

    pfSense in NY has site to site with pfSense in Atlanta that works. Users in NY can access file shares in Atlanta and vice versa.

    pfSense in NY has remote access server, which clients can connect to successfully. I've tested this from outside of either office and can access LAN resources in NY ONLY.

    Clients connected can't access LAN resources in Atlanta (which is what I want).

    NY pfSense info:

    LAN - 192.168.1.0/24
    Site to site tunnel - 10.0.8.0/24
    Remote access tunnel - 192.168.100.0/24

    Atl pfSense info:

    LAN - 192.168.2.0/24
    Separate interface handles site to site VPN to NY (don't ask, it was necessary because of the layout of their network)

    Again, this seems simple, but I'm just not proficient enough in networking to recognize what I need to do, so if anyone can help that'd be terrific. Users at each site can access resources on either LAN, but remote users can only access resources on the NY (server side) LAN. Remember, speak to me like I'm a little kid, because I'm a big dummy!

    Edit: I forgot to mention that the VPN for site to site and remote access are both OpenVPN, not IPsec.



  • Check your routing tables on all the routers, then add a missing route (for a site and/or client) if necessary.
    I suggest reading the neighboring topic: https://forum.pfsense.org/index.php?topic=141080.0 - the configuration described there is quite similar to yours.



    • Assuming you haven't set "Redirect gateway" in the access server settings to force all client traffic over the VPN, add the Atlanta LAN network 192.168.2.0/24 to the "IPv4 Local network/s".

    • On the Atlanta pfSense, in the site-to-site settings, add the access server's tunnel network 192.168.100.0/24 to "IPv4 Remote Networks".

    • Ensure that the firewall rules on both sites allow the access.
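Added example (not from the thread, and not pfSense's own code): a small Python model of the three routing tables using the thread's networks, with a constructed remote client 192.168.100.5 and a constructed Atlanta host 192.168.2.50 whose replies start at its default gateway, the Atlanta pfSense. It shows that the forward path is fixed by the pushed route and the reply path only by the return route on Atlanta, which is why both settings above are needed.

```python
import copy
import ipaddress

# Constructed routing tables for the thread's topology before the fix. Each entry
# is (prefix, next_hop): next_hop is another router, "deliver" (prefix is directly
# attached: a LAN or tunnel interface) or "internet" (default route, where RFC 1918
# traffic is simply lost).
BEFORE = {
    # Remote-access client: only the NY LAN was pushed to it.
    "client": [("192.168.100.0/24", "deliver"), ("192.168.1.0/24", "ny"),
               ("0.0.0.0/0", "internet")],
    # NY pfSense: LAN and both tunnels attached, Atlanta LAN via site-to-site.
    "ny": [("192.168.1.0/24", "deliver"), ("192.168.100.0/24", "deliver"),
           ("10.0.8.0/24", "deliver"), ("192.168.2.0/24", "atl"),
           ("0.0.0.0/0", "internet")],
    # Atlanta pfSense: knows the NY LAN, but not the remote-access tunnel.
    "atl": [("192.168.2.0/24", "deliver"), ("10.0.8.0/24", "deliver"),
            ("192.168.1.0/24", "ny"), ("0.0.0.0/0", "internet")],
}

def lookup(table, ip):
    """Longest-prefix match; 'internet' if nothing matches."""
    best_len, best_hop = -1, "internet"
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop

def trace(tables, start, dst, max_hops=8):
    """Follow lookups hop by hop; last element is 'deliver', 'internet' or 'loop'."""
    ip, path, node = ipaddress.ip_address(dst), [start], start
    for _ in range(max_hops):
        hop = lookup(tables[node], ip)
        path.append(hop)
        if hop in ("deliver", "internet"):
            return path
        node = hop
    return path + ["loop"]

def reachable_both_ways(tables, a, a_ip, b, b_ip):
    # A flow only works if the request AND the reply are routable.
    return trace(tables, a, b_ip)[-1] == "deliver" and trace(tables, b, a_ip)[-1] == "deliver"

def apply_fix(tables):
    """The two changes from the answer above, expressed as routes."""
    fixed = copy.deepcopy(tables)
    # "IPv4 Local network/s" on the access server pushes the Atlanta LAN to clients.
    fixed["client"].insert(0, ("192.168.2.0/24", "ny"))
    # "IPv4 Remote Networks" on Atlanta's site-to-site adds the return route.
    fixed["atl"].insert(0, ("192.168.100.0/24", "ny"))
    return fixed
```

Applying only one of the two changes leaves one direction ending at "internet", which is the classic asymmetric-routing symptom: pings appear to leave but never get answered.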