Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Peer to Peer without Tunnel Network?

    Scheduled Pinned Locked Moved OpenVPN
    24 Posts 5 Posters 1.2k Views 6 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD Offline
      Derelict LAYER 8 Netgate
      last edited by

      As I explained, pfSense does not play well with unnumbered, point-to-point interfaces.

      What is it that you want to happen here?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      J 1 Reply Last reply Reply Quote 0
      • J Offline
        jbredereck @Derelict
        last edited by

        @Derelict said in Peer to Peer without Tunnel Network?:

        As I explained, pfSense does not play well with unnumbered, point-to-point interfaces.

        What is it that you want to happen here?

        I want to understand why and how things work. That's all I want to happen here.

        And if it's really the case that pfSense has problems with unnumbered point-to-point interfaces, then this would explain it. But just out of curiosity: What's the problem exactly with unnumbered point-to-point interfaces? I've been using those my entire professional life and never ran into any problems on Linux as well as on FreeBSD. Especially with OpenVPN unnumbered Point-to-Point-Interfaces are common practice and should work on pfSense as well.

        1 Reply Last reply Reply Quote 0
        • DerelictD Offline
          Derelict LAYER 8 Netgate
          last edited by

          Mostly because policy routing in pf route-to and reply-to are tied to both an interface and a destination address, not just an interface.

          A quick look says that might be possible to look at (ianap) but the current state of the code is what it is.

          From my seat, if you want to use pfSense, re-configuring 20 sites to use a tunnel network isn't that much work. I can easily think of more implementations that needed the tunnel network for things like NAT than I can this requirement of absolutely no tunnel network addressing. As has been said, I think this is a first.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          J 1 Reply Last reply Reply Quote 0
          • J Offline
            jbredereck @Derelict
            last edited by

            @Derelict

            Alright, fair enough. Thanks for looking into this.

            In this case we will just keep the VPNs on the old Edgerouter for now and migrate them to pfSense whenever a remote office router needs to be replaced.

            Migrating everything else to pfSense worked like a charm and even though I might not have sounded like it, I really like pfSense and the netgate products.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.