Multi-site Link.

  • I am trying to set up two different locations with an Ethernet link between them. Each location has its own internet connection and I would like them to use their respective connection. The link is just for communication between the locations, mostly backups and such. I have not been able to find complete information on what I want to do, but I have done my best with what I have found.
    Due to my lack of a complete guide I have set up a test environment on a Hyper-V server with the hopes of getting the process down before putting it into production. I have two instances of pfSense, each with 3 network interfaces. One is connected to my regular network and attached as WAN, one is attached to a virtual switch between the firewalls, and one is attached to a virtual switch that is connected to two Ubuntu instances for testing. I have attached screenshots that I think will be relevant.

    I was initially unable to get any traffic over the link/ping from firewall to firewall until I realized that I needed to create a rule to allow traffic through (the assumed deny-all got me!). I enabled it and now I can ping the Ubuntu on the other side of the other firewall, but one Ubuntu install can not ping the other (i.e. can ping, but can not ping I started looking into the logs, and it looks like it is blocking the pings! Any ideas?

  • I am more familiar with Cisco stuff with complex routing, but you need to set up static routes or dynamic routing (RIPv2 or OSPF or something else), as 4300W does not know about networks directly connected to 3285W. It only knows about networks directly connected to itself. So it does not know where to route traffic to; it's just blocking it. You need to tell it to route traffic for out to OPT1 ( interface on 4300W. Do the same on 3285W for out to OPT1 ( interface.
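    To make the two failure modes in this thread concrete (the original poster's "assumed deny all" on the link interface, and the missing static route described in the reply above), here is an added model of one pfSense hop. It is not code from the thread or from pfSense; the subnets, interface names and firewall labels are constructed placeholders, since the real addresses are not shown in the posts.

```python
import ipaddress

# Constructed addressing (hypothetical: the thread's real subnets are not shown).
FW_A = {"LAN": "192.168.11.1/24", "OPT1": "10.99.0.1/30", "WAN": "203.0.113.10/24"}   # 4300W side
FW_B = {"LAN": "192.168.7.1/24",  "OPT1": "10.99.0.2/30", "WAN": "198.51.100.10/24"}  # 3285W side


def routing_table(ifaces, static=()):
    """Directly connected routes from interface addresses, plus static routes
    given as (network, gateway). Entries: (network, egress_iface, gateway)."""
    table = [(ipaddress.ip_interface(a).network, n, None) for n, a in ifaces.items()]
    for net, gw in static:
        gw_ip = ipaddress.ip_address(gw)
        # a gateway must sit on a directly connected network (here, the OPT1 link peer)
        egress = next((n for cnet, n, _ in table if gw_ip in cnet), None)
        if egress is None:
            raise ValueError(f"gateway {gw} is not on any connected network")
        table.append((ipaddress.ip_network(net), egress, gw_ip))
    return table


def lookup(table, dst):
    """Longest-prefix match; the 0.0.0.0/0 default route wins only if nothing else matches."""
    dst = ipaddress.ip_address(dst)
    matches = [e for e in table if dst in e[0]]
    return max(matches, key=lambda e: e[0].prefixlen, default=None)


def forward(ifaces, static, pass_rules, in_iface, src, dst):
    """Model one pfSense hop: rules on the arriving interface (default deny),
    then the route lookup. pass_rules: {iface: [(src_net, dst_net), ...]}."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    allowed = any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
                  for sn, dn in pass_rules.get(in_iface, []))
    if not allowed:
        return f"blocked: default deny on {in_iface}"   # the poster's first symptom
    route = lookup(routing_table(ifaces, static), dst)
    if route is None:
        return "dropped: no route"
    _, egress, gw = route
    if gw is None:
        return f"forward via {egress} (directly connected)"
    return f"forward via {egress} gw {gw}"   # without the static route this is the WAN default gateway
```

    Without the static route for the remote LAN, the packet leaves via the WAN default gateway; with it, it leaves via OPT1 towards the peer firewall, which then needs its own OPT1 pass rule before the packet reaches the remote LAN.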

  • I knew I forgot to upload a screenshot!
    Thank you for the reply!
    I actually had set up static routes, here they are (see attached)
    So are you saying that I need to specify the local firewall's IP as the gateway, or the remote firewall as the gateway?

  • I think you got the IP addresses switched up.

    On 4300W:
    Destination Network:

    On 3285W:
    Destination Network:

    More info here:

  • Sorry, I should have labeled these! In the pictures the left window is always the view of 4300W and the right is 3285W.
    I am certain at this point that it is a function of the firewall that is preventing my traffic from passing.
    The log on 4300W reports seeing the ping from the Ubuntu VM connected to 3285W and blocking it, so the routes are working right I think.
    At a suggestion from a friend I tried being more specific with my rules (He said he has worked with firewalls that would blatantly ignore any any rules) but that has not helped (see screenshot).
    Any idea why the firewall would just ignore my rule and block the packets anyway?
    Am I doing something stupid or missing something obvious, or are these firewalls just insane?

    ![New Rules.PNG](/public/imported_attachments/1/New Rules.PNG)
    ![New Log.PNG](/public/imported_attachments/1/New Log.PNG)
    ![New Message.PNG](/public/imported_attachments/1/New Message.PNG)

  • Hmm, it could be bogons, but it would say that in the description if that were the case. Not sure why it's blocking ping.
    What are the rules for LAN? Are you by any chance blocking traffic out from LAN?
    Are you able to pass other traffic?

    Another thing you can do is set the gateway to the non-wan gateway you created in your firewall rules from .11.0 to .7.0

  • What are those 9 alerts? Are the rules even loading? Are those alerts complaining about bogonsv6 not loading?

    If so:

  • Problem found!
    The issue turned out to be with the upstream firewall.
    It had the 12.x network with DHCP on a vlan that apparently these were aware of, and they were using WAN rules.
    Removing the vlan and rebooting fixed it!
