Netgate Discussion Forum
    MPLS Routing

    Routing and Multi WAN
rustydusty1717 (last edited by rustydusty1717)

      Hello,

Just looking for best practices on routing LAN traffic over an MPLS network that has been set up on a 2nd WAN interface (OPT1) using an SG-3100 appliance. The MPLS is up and I can ping across it to the other site; however, I now need to create routes across to it.

      LAN my side: 192.168.5.0/24
      MPLS My Side: 192.168.92.0/24
      MPLS Other Side: 192.168.93.0/24
      LAN other side: 192.168.60.0/24

michmoor LAYER 8 Rebel Alliance

@rustydusty1717 assuming this isn't an L3VPN setup but instead you have a VPLS-type service, where it appears you have a single trunk link connecting both sites, then you will have the option of either using static routing or FRR... depends on your design goals. What do you want to do?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

rustydusty1717 @michmoor

          @michmoor Well we currently have an IPsec tunnel in place to access systems on the other network. Due to high latency, we got this MPLS/VPLS service.

          Ideally from the LAN on my side I would like everything on the 192.168.60.0/24 side to be 'routable' as we already have Windows DNS records to do lookups to everything on the other side of the current IPsec tunnel.

michmoor LAYER 8 Rebel Alliance @rustydusty1717

@rustydusty1717 it seems dynamic routing may be what you need, considering you have an IPsec and an MPLS path. So I would go with FRR.

rustydusty1717 @michmoor

              @michmoor we obviously don't need the IPsec tunnel once I can get the routes established. Does that change anything?

rustydusty1717 @rustydusty1717

                @rustydusty1717 I was hoping to disable the IPsec after hours and test routing things over the MPLS. Once I can verify everything functions the IPsec won't be needed anymore.

michmoor LAYER 8 Rebel Alliance @rustydusty1717

@rustydusty1717 if you disable IPsec, how will you connect to the remote side? I assume you have some sort of cutover plan.
In any event, if there is only one path then static routing will be all you need.

rustydusty1717 @michmoor

@michmoor what's the best way to set up the static routes? Haven't had to do them before in pfSense.

michmoor LAYER 8 Rebel Alliance @rustydusty1717

                      @rustydusty1717
                      https://docs.netgate.com/pfsense/en/latest/routing/static.html#static-routes

rustydusty1717

So I've added 192.168.60.0/24 (LAN on other side) to the static routes, disabled the IPsec tunnel, and am not able to reach across the MPLS. Do I also need to add static routes for the MPLS networks on both sides as well?

michmoor LAYER 8 Rebel Alliance @rustydusty1717

@rustydusty1717 So you created a gateway as well? Can you ping across the MPLS, from pfSense to pfSense?

rustydusty1717 @michmoor

                            @michmoor correct I have my WAN gateway and then OPT as the 2nd gateway for the MPLS. I can ping the MPLS on the other end. Just can't reach anything on the LAN on other side. Wondering if my static routes are wrong or if I need to do anything with outbound NAT.

michmoor LAYER 8 Rebel Alliance @rustydusty1717

                              @rustydusty1717
Do you have firewall rules that state that your LAN can reach the network 192.168.60.0/24? What do those rules look like?

Are your gateways UP?
Can you ping from your pfSense? Log in to your pfSense via SSH. From the CLI initiate a ping, so ping 192.168.60.1 (if that's an address on the other side).

rustydusty1717 @michmoor

@michmoor can ping the MPLS gateway on the other end, however not the firewall or LAN on the other end. It's not a pfSense/Netgate unfortunately.

michmoor LAYER 8 Rebel Alliance @rustydusty1717

                                  @rustydusty1717 Does the MPLS side have a route back?

rustydusty1717 @michmoor

                                    @michmoor yes it does. Should outbound NAT be turned off?

michmoor LAYER 8 Rebel Alliance @rustydusty1717

@rustydusty1717 Whatever you are NATting to, the other side must know how to get back to that IP.
If this is a site-to-site link, generally NAT wouldn't be needed, but it depends on your design.

rustydusty1717 @michmoor

                                        @michmoor said in MPLS Routing:

                                        If this is a site 2 site link generally NAT wouldn't be needed but depends on your design.

                                        So we are able to now reach each LAN on both sides but any remote site (OpenVPN site to site) can't reach the LAN MPLS on other side.

What's weird is that using the old IPsec instead of MPLS it all works fine. The OpenVPN site-to-sites already have the LAN of the other side of the MPLS. Besides doing static routing at my primary site for the LAN on the other side of the MPLS, it should all work, no?

Doing tracert from a remote site on my side hits the OpenVPN-assigned tunnel network, then fails. Reverting back to IPsec, routing works perfectly.

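To make michmoor's rule ("the other side must know how to get back to that IP") concrete against the symptom in the post above, here is an added Python model of the two sites; it is not code from the thread or from pfSense. The four prefixes are the ones given in the thread; every next-hop address, the WAN default routes (TEST-NET ranges), the OpenVPN site subnet 10.8.0.0/24 and the far-side routing table are constructed assumptions, so it illustrates one way the OpenVPN symptom can arise rather than diagnosing the poster's actual far-side configuration, which the thread never shows.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables. Entries are (destination, next hop); a next hop
# of None means the prefix is directly connected. Only the LAN and MPLS
# prefixes come from the thread; all gateway addresses are assumptions.
MPLS_A = ip_network("192.168.92.0/24")   # pfSense OPT1 side of the MPLS
MPLS_B = ip_network("192.168.93.0/24")   # far-side firewall's MPLS side

SITE_A = [                                              # pfSense SG-3100
    (ip_network("0.0.0.0/0"), ip_address("203.0.113.1")),          # WAN default
    (ip_network("192.168.5.0/24"), None),                          # LAN
    (MPLS_A, None),                                                # OPT1
    (ip_network("192.168.60.0/24"), ip_address("192.168.92.254")), # static route
]
SITE_B = [                                              # non-pfSense firewall
    (ip_network("0.0.0.0/0"), ip_address("198.51.100.1")),
    (ip_network("192.168.60.0/24"), None),
    (MPLS_B, None),
    (MPLS_A, ip_address("192.168.93.254")),
    (ip_network("192.168.5.0/24"), ip_address("192.168.93.254")),  # return route
]

def lookup(table, dst):
    """Longest-prefix match; returns (network, gateway) or None."""
    hits = [e for e in table if dst in e[0]]
    return max(hits, key=lambda e: e[0].prefixlen) if hits else None

def via_mpls(table, dst, mpls):
    """True when this router sends dst toward its MPLS link (next hop inside the
    MPLS subnet, or dst on it) instead of out its default/Internet route."""
    hit = lookup(table, dst)
    if hit is None:
        return False
    net, gw = hit
    return gw in mpls if gw is not None else net == mpls

def round_trip(src, dst, nat_to=None, site_b=SITE_B):
    """(forward_ok, return_ok) for a packet entering pfSense from src, bound for
    dst at the other site. nat_to is the source after outbound NAT on OPT1;
    None keeps the original source, as on an un-NATted site-to-site link."""
    src, dst = ip_address(src), ip_address(dst)
    reply_to = ip_address(nat_to) if nat_to else src
    return via_mpls(SITE_A, dst, MPLS_A), via_mpls(site_b, reply_to, MPLS_B)

def with_route(table, net, gw):
    """Copy of a table with one extra static route (the far-side fix)."""
    return table + [(ip_network(net), ip_address(gw))]
```

A LAN host round-trips fine, while a host on the assumed OpenVPN subnet gets forwarded but has no MPLS return route until the far side either learns that subnet or the traffic is NATted to the OPT1 address it already routes.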
rustydusty1717 @rustydusty1717

                                          @rustydusty1717 anyone have any ideas? Would a diagram help?

Derelict LAYER 8 Netgate @rustydusty1717 (last edited by Derelict)

                                            @rustydusty1717 Accurate, comprehensive, numbered diagrams always help.

                                            Chattanooga, Tennessee, USA
                                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.