VPN tunnel woes on XG-7100-1U using built-in WAN and LAN VLANs



    • Hey guys, it's the programmer (masquerading as a networking guy) again (translates: out-of-his depth, league).
    • I have four geographic sites running Netgate XG-7100-1U with optional NICs.
    • I have IPSEC site-to-site tunnels up and running between the sites, and also to Microsoft Azure.
    • I have remote access OpenVPN working.
    • All of this works great when I setup my own WAN and LAN interfaces on the optional NIC.
    • Everything (except the Azure S2S tunnels) breaks when I try to use the built in WAN and LAN (4090 and 4091) that came somewhat pre-configured.
    • I suspect it has something to do with VLANs (of which I have limited understanding)
    • I have a handful of subnets that I would like to setup, so I am anxious to use ETH1, and ETH2-8 for WAN and LAN, leaving the optional card open for other uses (Subnets, VLANs)
    • Giving up would be easy, but then I wouldn't come to understand what I am doing wrong.
    • Thoughts?

    Thanks.


  • LAYER 8 Netgate

    There is no meaningful difference between using router ports and those switch ports when it comes to getting something like a VPN running. There are no VLAN tags out on the wire. It is an untagged port.

    I would look at the logs and see what is failing. Post here if you aren't quite sure what you're looking at.

    I assume the internet works fine and it's just the VPNs you're having problems with?



  • @Derelict Will do. From what I read in the manual (and not knowing jack about networking I have been reading for days), you are exactly right; those 4090 and 4091 tags are only used internal to the device. I will follow your advice, and post back.



  • @Derelict Problem Solved! Thanks. Your suggestion of reviewing the logs put me right on it. I was typing FQDNs (rather than hard-coded IP addresses) in the IPSEC P1 RemoteGateway option, which works great when you don't fat-finger the name--couldn't resolve my typo. BTW--This product (pfSense) is incredible... the log pages are awesome... and I am back on track. Thank you.

    There's a lesson here... I jumped on the default WAN LAN interfaces because that is what I changed... but it was basic troubleshooting that prevailed (we geeks make problems as complicated as we can).


Log in to reply