network subnet access between multiple tunnel

General pfSense Questions
hasan_ciit

Dear All,
Kindly help me.
I have pfSense at Azure cloud.
I have two IPsec tunnels with pfSense.
Let me describe this:
site A-----ipsec tunnel------>pfsense
Site B-----ipsec tunnel------>pfsense
site A subnet: 192.168.1.0/24
site B subnet: 10.222.32.0/24

I can ping 10.222.32.0 from pfSense directly, but

I am at the site A subnet and I can reach pfSense, but I want to reach the site B subnet like this:

Site A-------ipsec---------->pfsense------------ipsec------------->site B

How can I do this?
In IPsec status, packets are coming out but not coming in.
Kindly help me, I am in trouble.
viragomann

So add a phase 2 to each IPsec tunnel, each on both sides.

On site A:
Local network: 192.168.1.0/24
Remote network: 10.222.32.0/24
Do the same on the pfSense site A tunnel, but with inverted networks.

On site B:
Local network: 10.222.32.0/24
Remote network: 192.168.1.0/24
And also again on the pfSense, with the networks exchanged.
hasan_ciit, replying to viragomann

@viragomann Thanks, I will add it and let you know if I get success.
dr8g0ns

You may have to redesign your VPN tunnels to use virtual tunnel interfaces (VTIs). Then you can route between sites.
stephenw10 (Netgate Administrator)

You can carry that traffic with policy-based IPsec as long as you have policies that match the traffic across each link.
Exactly like viragomann laid out.

Steve
hasan_ciit, replying to stephenw10

@stephenw10 said in network subnet access between multiple tunnel:

...match the traffic across each link...

Dear Sir,
But how can I use policy-based routing?
Will I use tunnel mode as routed (VTI)?
hasan_ciit

@viragomann Is it possible without adding a phase 2, as I don't have access to the other site? Can I use NAT/BINAT?
stephenw10 (Netgate Administrator)

So you have access to Site A and the Azure pfSense only? And can make changes to both?

Are the firewalls at sites A and B also pfSense?

Steve
hasan_ciit, replying to stephenw10

@stephenw10 No Sir, I don't have access to the other site, and both sites are not pfSense.
Can you guide me on when to use the NAT option?
stephenw10 (Netgate Administrator)

Are you at site A trying to reach site B?

You could add a second P2 on pfSense to Site B and NAT the traffic to a single IP inside the subnet it expects. That might work, depending on what's on the other end. But it might not.

You would still need to get the traffic from site A to Azure, though, and that would require an extra P2 at both ends.

You could instead use a proxy of some sort running in Azure. Even something like an OpenVPN server there would allow you to reach Site B.

Steve
hasan_ciit, replying to stephenw10

@stephenw10 Please, Stephen, help me to solve this issue.
My design is:

clients----ipsec tunnel------>pfsense connected
Pfsense----------------ipsec tunnel---------------->azure cloud connected
I have a Zabbix NMS at Azure that is using the 90.11.x.x subnet.
pfSense is using the 90.14.x.x subnet.
90.11.x.x subnet<---------------peering---------------->pfsense 90.14.x.x
90.11.x.x subnet<---------------ipsec tunnel--------->pfsense 90.14.x.x

Now I want Zabbix (90.11.x.x) to be able to reach our clients' LANs and monitor the networks that are currently connected directly to pfSense.

I don't want to add a phase 2 at the client end, as I don't have access.

How can I establish connectivity like given below:

AZURE Cloud 90.11.x.x subnet<----------ipsec tunnel-------->pfsense 90.14.x.x---------------<ipsec tunnels>----------clients

Please help me to resolve this issue.
Thanks in advance.
stephenw10 (Netgate Administrator)

@hasan_ciit said in network subnet access between multiple tunnel:

i have pfsense at azure cloud

@hasan_ciit said in network subnet access between multiple tunnel:

i have zabbix nms at azure

Are both those things true?

Without adding any additional P2s anywhere, or using some sort of proxy at the pfSense site, I don't think this is possible.

Even with adding one P2 you could NAT the connection on one leg, but that would then only allow opening connections in one direction, and I believe Zabbix usually requires both.

Steve
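The three points the thread turns on (viragomann's "inverted networks" phase 2 on the hub, Steve's "policies that match the traffic across each link", and Steve's warning that a NAT to a single address on one leg only lets connections open in one direction) are easy to check with a small model of policy-based IPsec traffic selectors. The following is an added example, not code from the thread, pfSense or strongSwan. It keeps the thread's site networks (192.168.1.0/24 and 10.222.32.0/24); the hub's own LAN 10.0.0.0/24, the NAT address 10.0.0.250 and the host addresses are assumptions, as is the "narrowest selector wins" lookup, which approximates how the kernel SPD picks between overlapping policies.

```python
"""Policy-based IPsec on a hub with two tunnels: which phase 2 (P2) entries a
hairpin path needs, and what a NAT on one P2 does to the return direction.

Added, constructed example; not pfSense or strongSwan code. Site networks are
the thread's (site A 192.168.1.0/24, site B 10.222.32.0/24); the hub's own LAN
10.0.0.0/24, the NAT address 10.0.0.250 and all host addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    local: str                 # network on the hub side of this tunnel
    remote: str                # network on the peer side
    nat: Optional[str] = None  # translation of `local` (pfSense P2 "NAT/BINAT translation")

    def peer_visible_local(self):
        """The selector actually negotiated with the peer: the NAT address if set."""
        return ip_network(self.nat or self.local)

    def specificity(self):
        return self.peer_visible_local().prefixlen + ip_network(self.remote).prefixlen


@dataclass
class Tunnel:
    name: str
    p2s: List[Phase2]


def _narrowest(matches):
    # Assumption: narrower selectors take priority over wider overlapping ones,
    # approximating the kernel SPD lookup order.
    return max(matches, key=Phase2.specificity) if matches else None


def egress_p2(tunnel, src, dst):
    """P2 matching a cleartext packet the hub wants to send through `tunnel`.
    Matching is on the real (pre-NAT) source; NAT is applied afterwards."""
    src, dst = ip_address(src), ip_address(dst)
    return _narrowest([p for p in tunnel.p2s
                       if src in ip_network(p.local) and dst in ip_network(p.remote)])


def ingress_p2(tunnel, src, dst):
    """P2 that accepts a decrypted packet arriving from this tunnel's peer."""
    src, dst = ip_address(src), ip_address(dst)
    return _narrowest([p for p in tunnel.p2s
                       if src in ip_network(p.remote) and dst in p.peer_visible_local()])


def transit_path(tunnels, src, dst):
    """(ingress tunnel, egress tunnel) if the hub can forward src->dst from one
    tunnel into another, else None. Policy-based IPsec has no routing table:
    both legs need a policy covering the packet, as the thread says."""
    for tin in tunnels:
        if ingress_p2(tin, src, dst) is None:
            continue
        for tout in tunnels:
            if tout is not tin and egress_p2(tout, src, dst) is not None:
                return (tin.name, tout.name)
    return None


def add_hairpin_p2s(tun_a, tun_b):
    """viragomann's recipe, hub side: each tunnel gets a P2 whose local network
    is the other tunnel's remote network. Each peer also needs the mirror image
    (local = its own LAN, remote = the other site's LAN) or nothing flows."""
    net_a = tun_a.p2s[0].remote
    net_b = tun_b.p2s[0].remote
    tun_a.p2s.append(Phase2(local=net_b, remote=net_a))
    tun_b.p2s.append(Phase2(local=net_a, remote=net_b))


def nat_reply_target(p2, dst):
    """Inside host for a packet arriving at the translated address of `p2`.
    A 1:1 BINAT (same prefix length) is reversible for unsolicited traffic; a
    many-to-one NAT to a single address is only reversible through an existing
    outbound state, so a connection initiated by the peer has no inside target."""
    dst = ip_address(dst)
    if p2.nat is None:
        return dst
    local, nat = ip_network(p2.local), ip_network(p2.nat)
    if local.prefixlen != nat.prefixlen:
        return None
    return ip_address(int(local.network_address) + (int(dst) - int(nat.network_address)))


if __name__ == "__main__":
    hub_lan = "10.0.0.0/24"   # assumed hub LAN
    a = Tunnel("siteA", [Phase2(hub_lan, "192.168.1.0/24")])
    b = Tunnel("siteB", [Phase2(hub_lan, "10.222.32.0/24")])
    print("before:", transit_path([a, b], "192.168.1.10", "10.222.32.5"))
    add_hairpin_p2s(a, b)
    print("after: ", transit_path([a, b], "192.168.1.10", "10.222.32.5"))
```

With only the original P2 on each tunnel, `transit_path` finds no policy that admits a site A packet destined for site B, which is the "packets going out but none coming in" symptom: site A encrypts, the hub has no selector to accept. After the two inverted P2s it returns the ingress and egress tunnels in both directions. For the NAT variant, give the extra P2 on the site B tunnel `nat="10.0.0.250/32"` instead of adding anything at site B: site A to site B then works, but `nat_reply_target` returns None for traffic site B initiates toward 10.0.0.250, which is the one-direction limitation Steve describes; a same-size BINAT network is reversible, but that only helps if site B will accept that network as a remote selector.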