MPLS Routing
-
Hello,
Just looking for best practices with routing LAN traffic over an MPLS network that has been set up on a 2nd WAN interface (OPT1) using an SG-3100 appliance. The MPLS is up and I can ping across it to the other site; however, I now need to create routes across to it.
LAN my side: 192.168.5.0/24
MPLS My Side: 192.168.92.0/24
MPLS Other Side: 192.168.93.0/24
LAN other side: 192.168.60.0/24
-
@rustydusty1717 assuming this isn't a L3VPN set up but instead you have a VPLS type service where it appears you have a single trunk link connecting both sites, then you will have the option of either using static routing or FRR... depends on your design goals. What do you want to do?
-
@michmoor Well we currently have an IPsec tunnel in place to access systems on the other network. Due to high latency, we got this MPLS/VPLS service.
Ideally from the LAN on my side I would like everything on the 192.168.60.0/24 side to be 'routable' as we already have Windows DNS records to do lookups to everything on the other side of the current IPsec tunnel.
-
@rustydusty1717 it seems dynamic routing may be what you need, considering you have an IPsec and MPLS path. So I would go with FRR.
-
@michmoor we obviously don't need the IPsec tunnel once I can get the routes established. Does that change anything?
-
@rustydusty1717 I was hoping to disable the IPsec after hours and test routing things over the MPLS. Once I can verify everything functions the IPsec won't be needed anymore.
-
@rustydusty1717 if you disable IPsec how will you connect to the remote side? I assume you have some sort of cutover plan.
In any event, if there is only one path then static routing will be all you need.
-
@michmoor what's the best way to set up the static routes? Haven't had to do them before in pfSense.
-
@rustydusty1717
https://docs.netgate.com/pfsense/en/latest/routing/static.html#static-routes
-
So I've added 192.168.60.0/24 (LAN on other side) to the static routes, disabled the IPsec tunnel, and am not able to reach across the MPLS. Do I also need to add static routes for the MPLS networks on both sides as well?
-
@rustydusty1717 So you created a gateway as well? Can you ping across the MPLS, from pfSense to pfSense?
-
@michmoor correct I have my WAN gateway and then OPT as the 2nd gateway for the MPLS. I can ping the MPLS on the other end. Just can't reach anything on the LAN on other side. Wondering if my static routes are wrong or if I need to do anything with outbound NAT.
-
@rustydusty1717
Do you have firewall rules that state that your LAN can reach the network 192.168.60.0/24? What do those rules look like? Are your gateways UP?
Can you ping from your pfSense? So log in to your pfSense via SSH. From the CLI initiate a ping, so ping 192.168.60.1 [if that's an address on the other side].
-
@michmoor I can ping the MPLS gateway on the other end, however not the firewall or LAN on the other end. It's not a pfSense/Netgate unfortunately.
-
@rustydusty1717 Does the MPLS side have a route back?
-
@michmoor yes it does. Should outbound NAT be turned off?
-
@rustydusty1717 Whatever you are NATting to, the other side must know how to get back to that IP.
If this is a site-to-site link, generally NAT wouldn't be needed, but it depends on your design.
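To make the "route back" point concrete, here is a small routing-table model of the two-site layout in this thread. It is an added example, not code from the thread or from pfSense; it uses the thread's four subnets, and the gateway addresses (the .1 of each MPLS subnet) and the OPT1 address 192.168.92.2 are assumed. It checks both the forward hop on the local router and the return hop on the remote router, with and without outbound NAT on OPT1.

```python
import ipaddress

# Routing tables as (prefix, next_hop). "connected" = directly attached,
# "wan" = the default route toward the internet (not a usable site-to-site path).
# Gateway IPs are assumed for illustration; the subnets come from the thread.
LOCAL = [("192.168.5.0/24", "connected"), ("192.168.92.0/24", "connected"),
         ("192.168.60.0/24", "192.168.92.1"),   # the static route added on pfSense
         ("0.0.0.0/0", "wan")]
LOCAL_NO_ROUTE = [t for t in LOCAL if t[0] != "192.168.60.0/24"]

# Remote site: reaches the MPLS subnets, but (initially) knows nothing about 192.168.5.0/24.
REMOTE_NO_RETURN = [("192.168.60.0/24", "connected"), ("192.168.93.0/24", "connected"),
                    ("192.168.92.0/24", "192.168.93.1"), ("0.0.0.0/0", "wan")]
REMOTE_WITH_RETURN = REMOTE_NO_RETURN + [("192.168.5.0/24", "192.168.93.1")]

def lookup(table, dst):
    """Longest-prefix match; returns the next hop label or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def lan_to_lan_works(local, remote, src, dst, nat_src=None):
    """Return (ok, reason). nat_src models outbound NAT on OPT1 rewriting
    the source to the OPT1 address, which is then what the remote side must route back to."""
    fwd = lookup(local, dst)
    if fwd in (None, "wan"):
        return False, "local router has no MPLS route to %s" % dst
    seen_src = nat_src or src            # address the remote router actually sees
    back = lookup(remote, seen_src)
    if back in (None, "wan"):
        return False, "remote router has no return route to %s" % seen_src
    return True, "forward via %s, return via %s" % (fwd, back)

if __name__ == "__main__":
    for name, local, remote, nat in [("no static route", LOCAL_NO_ROUTE, REMOTE_WITH_RETURN, None),
                                     ("no return route", LOCAL, REMOTE_NO_RETURN, None),
                                     ("NAT to OPT1 addr", LOCAL, REMOTE_NO_RETURN, "192.168.92.2"),
                                     ("both routes, no NAT", LOCAL, REMOTE_WITH_RETURN, None)]:
        print(name, lan_to_lan_works(local, remote, "192.168.5.10", "192.168.60.10", nat))
```

The "NAT to OPT1 addr" case succeeds only because the remote router already routes 192.168.92.0/24; with NAT disabled, the remote side needs an explicit route for 192.168.5.0/24 back across the MPLS.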