How to make Windows servers use pfSense VPN?



  • Hello,

    I'm in no way a network specialist, but I have to set up a site2site VPN to one of our customers to query an Oracle DB.

    To be ready for this I first tried to set up a test environment with a new machine running pfSense and an Azure VPN.

    We have several dedicated Windows 2016 servers running in a datacenter. Each of them has a public IP and is connected to the internet through a datacenter router/gateway. All of them also have a second NIC, which connects them to a dedicated LAN (169.254.0.0/16) via a dedicated switch.

    The pfSense machine also has two NICs for WAN and LAN access, using the same datacenter gateway and connected to the same LAN.

    I also set up a Virtual Network and a VPN in Azure. The VPN can successfully connect to the pfSense machine. There are two virtual servers in the Virtual Network (subnet 168.124.1.0/24).

    I'm not able to see (ping, rdp, telnet etc.) the Azure servers from the datacenter and vice versa. How can I make the datacenter servers use the tunnel? Do I have to set static routes?


  • LAYER 8 Global Moderator

    @fbackes said in How to make Windows servers use pfSense VPN?:

    which connects them to a dedicated LAN (169.254.0.0/16) via a dedicated switch.

    169.254 is not a routable network.. If you're trying to get those networks to talk to each other.

    (subnet 168.124.1.0/24).

    You can not just pull IP space out of thin air and use it.. You own that space?
    NetRange: 168.124.0.0 - 168.124.255.255
    CIDR: 168.124.0.0/16
    NetName: AVENTIS-PHARMACEUTICALS



  • Thanks a ton, @johnpoz!

    So I better use a private IP space instead of 168.124.0.0/16?

    169.254 is automatically assigned by Windows because there is no DHCP server in the LAN. Does that mean I have to set up DHCP? No way to use 169.254?


  • LAYER 8 Global Moderator

    No router is going to route that space.. It's a link-local address space.. It does not route.. Pfsense for sure doesn't

    And yeah use rfc1918 - you can not just pull IP space out your ass and use it.. You're going to run into problems with that.. rfc1918 has the IPs you would need.. Use them, or get your own space - you don't just grab public space and try and use it internally.

    Here is a 4 year old thread about it
    https://forum.netgate.com/topic/82238/pfsense-dropping-traffic-on-169-254-0-0-16-network



  • Would the no_apipa_block switch solve that?


  • LAYER 8 Global Moderator

    NO that is not the correct way to do it.. That anyone would actually choose to use 169.254 is just beyond me.. Fire up a dhcpd, it takes 2 freaking seconds. It's part of pfsense..



  • I know! ;-)

    Since this is a productive system I can't easily mess with network settings.

    I have changed pfSense LAN address to 192.168.0.1 and the IP of a test server to 192.168.0.22.

    The subnet in Azure now is 10.10.0.0. The connection can be established, but machines in the different subnets still do not see each other.

    WAN, LAN, and IPsec firewall rules have all been set to allow full IP4 traffic.
    Can ping local machine from pfSense LAN and vice versa. Azure VPN shows some traffic in both directions (just a few bytes).
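    As an added example (not code from this thread or from pfSense), a small address-plan check that applies the moderator's two points above, no 169.254/16 link-local space and no borrowed public space, and also rejects overlapping subnets, which a site-to-site IPsec phase 2 cannot route between. It assumes the later plan of 192.168.0.0/24 on the pfSense LAN and 10.10.0.0/16 in Azure (the masks are assumptions; the post gives only the addresses).

```python
import ipaddress

# Constructed constants: RFC 1918 private ranges and the APIPA link-local range.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify(cidr):
    """Return 'link-local', 'rfc1918' or 'public' for an IPv4 network string."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Check APIPA first: Python's is_private also covers 169.254/16,
    # so it cannot be used to tell the two cases apart.
    if net.subnet_of(APIPA):
        return "link-local"
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    return "public"


def check_site_to_site(local_cidr, remote_cidr):
    """Return a list of problems with a local/remote LAN pair for a site-to-site VPN."""
    problems = []
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    for side, net in (("local", local), ("remote", remote)):
        kind = classify(str(net))
        if kind == "link-local":
            problems.append(f"{side} {net} is link-local (169.254/16); routers will not forward it")
        elif kind == "public":
            problems.append(f"{side} {net} is public space you do not own; use RFC 1918 instead")
    # Phase 2 selectors are local<->remote subnet pairs; overlap makes them ambiguous.
    if local.overlaps(remote):
        problems.append(f"{local} and {remote} overlap; phase 2 cannot distinguish the two sides")
    return problems


if __name__ == "__main__":
    # Constructed inputs taken from the thread: the original plan and the revised one.
    print(check_site_to_site("169.254.0.0/16", "168.124.1.0/24"))
    print(check_site_to_site("192.168.0.0/24", "10.10.0.0/16"))  # prints []
```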