Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Site2Site VPN with IP-based routing (no subnet)

    Scheduled Pinned Locked Moved IPsec
    4 Posts 4 Posters 152 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      itBJA
      last edited by

      Hi,
      I have the challenge, that most of our systems will migrate to a different comuting centre, some will stay on premises.
      As my predecessor only used IP-addresses to configure the connections between the systems, for services to listen etc. it is not possible for me, to change the IP-subnet neither for the systems to be migrated nor for the systems staying on premises.

      So I need to set up the VPN-Tunnel to the remote site like
      172.16.84.1 - 172.16.84.98 as remote net and also 172.16.84.92 - 172.16.84.254
      Just an example.

      How can I realize this without adding every IP to the routing as single address?
      Can I use Aliases here?

      Firewall on premises will be a 8200 Max PFSense, remote side is either AWS internal VPN or PFSense virtualized.

      V keyserK 2 Replies Last reply Reply Quote 0
      • V
        viragomann @itBJA
        last edited by

        @itBJA said in Site2Site VPN with IP-based routing (no subnet):

        So I need to set up the VPN-Tunnel to the remote site like
        172.16.84.1 - 172.16.84.98 as remote net and also 172.16.84.92 - 172.16.84.254

        You have to embody this with multiple subnets.

        Just an example.

        So there is no sense to try it.

        Alternatively, if there are equal network ranges on both site you can masquerade one with BINAT.

        1 Reply Last reply Reply Quote 0
        • keyserK
          keyser Rebel Alliance @itBJA
          last edited by keyser

          @itBJA You can’t do that as any given client will no use it’s default gateway to reach an IP it believes is in its own subnet - routing will never come into play. So unless you can change the subnet mask - and happen to be in the situation that what you are moving happens to be fx. The upper 128 addresses of the range, then it won’t work.

          Neither will Binat masqerading if the applications residing on both sides of the VPN are hardcoded to contact the same IP subnet as they themselves are located in.

          You should probably look into a OpenVPN TAP based VPN tunnel as that extends your layer two across two sites. But don’t expect miracles, and it will likely not work with a latency prone distance/link….
          It goes without saying that is POOR network design to use such an abomination, but sometimes life leaves you no other options….

          Love the no fuss of using the official appliances :-)

          1 Reply Last reply Reply Quote 0
          • M
            michmoor LAYER 8 Rebel Alliance
            last edited by

            Seems like a perfectly good use case for Tailscale

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.