Trying to Understand how can I access the main netowrks from a downstream networks

xlameee

Hello

I have at home main box pfsense witch is connected to Internet
and I have a downstream pfsense box witch is connected to opt interface on the main box

What I am trying to do is the downstream box to have an access to Internet and also to have access to main box networks

both boxes are connected to my office with Peer to Peer (SSL/TLS)
When I access the server on the downstream box and trace route to an smb shared storage (FreeNAS)
IP 10.71.70.21 always goes trough the VPN

The only way I can access any machine on the main box from the downstream box is trough the VPN

Here is some idea of my network

Main Box Connected (PEER_TO_PEER (SSL/TLS)) To Office

WAN : Comcast IP DHCP not static
LAN : 192.168.1.0/25
WAN_UP (OPT1 int) (VLAN 150) : 10.151.150.0/28
STORAGE (OPT2 int) (VLAN 70) : 10.71.70.0/27
Here is my FreeNAS box MGMT IP is connected to LAN and STORAGE subnet /27 so I can have IPs for each server to access SMB Shared Storage

Firewall rules on WAN_IP interface

With a 2nd rule I am able to provide internet access not sure why I have that 1st rule
Downstream BOX (PEER_TO_PEER (SSL/TLS)) To Office

WAN (VLAN 150): 10.151.150.5/28
LAN : 192.168.4.0/25
MGMT (OPT int) (VLAN 12) : 10.14.12.0/25

I have Win Server on MGMT int. IP 10.14.12.5/25 where I want to connect to a smb shared storage on the freenas box

xlameee

@xlameee ANYONE

johnpoz

Can you draw this up please, then I would be happy to help.

This vpn is a site to site?

xlameee

I have an idea, but I am not sure that this is the best way to go!!!!

What if I create an other VLAN let say VLAN141 and then BRIDGE that VLAN to "STORAGE (OPT2 int) (VLAN 70)" on my main pfsense box and then from vmware (Where windows server is installed) I add an 2nd interface on VLAN141 port group and add a static IP without gateway so it won't confuse Bill Gates :)

Would this solve my problem

johnpoz

No bridging is not the answer!

Draw this up - I have read over your post a few times and just not clicking how you have this stuff connected.. Where is this main box - some other site?

xlameee

@johnpoz No the mainbox is on the same site with the down stream and Yes it is a site-to-site VPN

johnpoz

So breakout some crayons or whatever and put it on paper ;) So we can see what networks are where.. If its same site - why are you connected via a vpn?

you have a downstream network at site A, and then this other site B that is connect to A via vpn can not get to the downstream networks at site A?

If you have downstream at A, where is the routing and transit network shown?

You have this?

What can not talk to what? Adjust to how you have it setup if need be, and put in your networks, etc. But a downstream network needs to be connected via a transit or you will run into asymmetrical routing issues. Or you have to do host routing, or you have to nat the downstream, etc.

xlameee

I did my best

OFFICE SITE 1 is the VPN site-to-site server all other are clients each of the clients have to go to the server first before go anywhere else

johnpoz

Ok that is a start.. Where are the networks.. You call it a downstream switch.. So its doing routing? If so how is it connected. Where is the transit? What are the networks your VMs are connected to?

Is that core switch also a L3 doing routing?

Why are you doing a site to site vpn for that pfsense located at site 1?

And then you have another pfsense VM that is also connected via vpn - and it has a network(s) behind it? That windows server for example?

xlameee

@johnpoz sorry those 2 switches are not connected

None of the switches are routing they are L3 switches but not routing. PFSENSE is the router DNS DHCP and so on

johnpoz

Huh? They sure look like there connected to the esxi host to me ;) So your pfsense vm is the one doing the routing.. Again why is it on a vpn if its located in site 1?

What is the point of the main box pfsense? If there is nothing behind it you need to get to?

xlameee

@johnpoz there is a lots of stuff behind the main box one of them is freenas all I need to do is this windows server 2016 to have access to and freenas smb shred storage without going trough the VPN server to office site 1 and back

ANY IDEA