VPN tunnel woes on XG-7100-1U using built-in WAN and LAN VLANs
- Hey guys, it's the programmer (masquerading as a networking guy) again (translates: out-of-his depth, league).
- I have four geographic sites running Netgate XG-7100-1U with optional NICs.
- I have IPSEC site-to-site tunnels up and running between the sites, and also to Microsoft Azure.
- I have remote access OpenVPN working.
- All of this works great when I setup my own WAN and LAN interfaces on the optional NIC.
- Everything (except the Azure S2S tunnels) breaks when I try to use the built in WAN and LAN (4090 and 4091) that came somewhat pre-configured.
- I suspect it has something to do with VLANs (of which I have limited understanding)
- I have a handful of subnets that I would like to setup, so I am anxious to use ETH1, and ETH2-8 for WAN and LAN, leaving the optional card open for other uses (Subnets, VLANs)
- Giving up would be easy, but then I wouldn't come to understand what I am doing wrong.
There is no meaningful difference between using router ports and those switch ports when it comes to getting something like a VPN running. There are no VLAN tags out on the wire. It is an untagged port.
I would look at the logs and see what is failing. Post here if you aren't quite sure what you're looking at.
I assume the internet works fine and it's just the VPNs you're having problems with?
@Derelict Will do. From what I read in the manual (and not knowing jack about networking I have been reading for days), you are exactly right; those 4090 and 4091 tags are only used internal to the device. I will follow your advice, and post back.
@Derelict Problem Solved! Thanks. Your suggestion of reviewing the logs put me right on it. I was typing FQDNs (rather than hard-coded IP addresses) in the IPSEC P1 RemoteGateway option, which works great when you don't fat-finger the name--couldn't resolve my typo. BTW--This product (pfSense) is incredible... the log pages are awesome... and I am back on track. Thank you.
There's a lesson here... I jumped on the default WAN LAN interfaces because that is what I changed... but it was basic troubleshooting that prevailed (we geeks make problems as complicated as we can).