Netgate Discussion Forum

Site2Site VPN with IP-based routing (no subnet)

Category: IPsec. 4 posts, 4 posters, 287 views.
  • itBJA, Mar 12, 2025, 7:28 AM

    Hi,
    I have the challenge that most of our systems will migrate to a different computing centre; some will stay on premises.
    As my predecessor only used IP addresses to configure the connections between the systems, for services to listen on, etc., it is not possible for me to change the IP subnet, neither for the systems to be migrated nor for the systems staying on premises.

    So I need to set up the VPN tunnel to the remote site like
    172.16.84.1 - 172.16.84.98 as remote net and also 172.16.84.92 - 172.16.84.254
    Just an example.

    How can I realize this without adding every IP to the routing as a single address?
    Can I use aliases here?

    The firewall on premises will be an 8200 Max pfSense; the remote side is either an AWS internal VPN or a virtualized pfSense.

    • viragomann @itBJA, Mar 12, 2025, 9:31 PM

      @itBJA said in Site2Site VPN with IP-based routing (no subnet):

      So I need to set up the VPN-Tunnel to the remote site like
      172.16.84.1 - 172.16.84.98 as remote net and also 172.16.84.92 - 172.16.84.254

      You have to embody this with multiple subnets.

      Just an example.

      So there is no sense in trying it.

      Alternatively, if there are equal network ranges on both sites you can masquerade one with BINAT.

      • keyser (Rebel Alliance) @itBJA, Mar 12, 2025, 9:51 PM

        @itBJA You can't do that, as any given client will not use its default gateway to reach an IP it believes is in its own subnet; routing will never come into play. So unless you can change the subnet mask, and happen to be in the situation that what you are moving happens to be e.g. the upper 128 addresses of the range, then it won't work.

        Neither will BINAT masquerading if the applications residing on both sides of the VPN are hardcoded to contact the same IP subnet as they themselves are located in.

        You should probably look into an OpenVPN TAP-based VPN tunnel, as that extends your layer two across two sites. But don't expect miracles, and it will likely not work with a latency-prone distance/link...
        It goes without saying that it is POOR network design to use such an abomination, but sometimes life leaves you no other options...

        Love the no fuss of using the official appliances :-)

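        The two points made above (viragomann: a range has to be expressed as multiple subnets; keyser: a host never routes to an address it believes is on-link) can be checked concretely. The following Python is an added example, not code from the thread or from pfSense; it uses the ranges from the question and assumes the host addresses 172.16.84.10 and 172.16.84.200 purely for illustration. It shows how many prefix-based traffic selectors (pfSense Phase 2 entries) each range would need, that the two example ranges overlap, and which remote prefixes a host with a /24 versus a /25 mask would never hand to its gateway.

```python
import ipaddress

# Constructed example ranges, taken from the question in this thread
RANGE_A = ("172.16.84.1", "172.16.84.98")
RANGE_B = ("172.16.84.92", "172.16.84.254")


def range_to_cidrs(first, last):
    """Minimal list of CIDR prefixes covering first..last inclusive.

    This is what "multiple subnets" means in practice: IPsec traffic
    selectors (pfSense Phase 2 entries) are prefixes, not ranges, so a
    range that is not prefix-aligned becomes several prefixes.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def overlapping(cidrs_a, cidrs_b):
    """Pairs of prefixes from two selector lists that overlap.

    Overlapping selectors for two different destinations are ambiguous:
    the firewall cannot tell which tunnel such an address belongs to.
    """
    return [(a, b) for a in cidrs_a for b in cidrs_b if a.overlaps(b)]


def host_uses_gateway(host_iface, destination):
    """Whether a host configured as host_iface (e.g. '172.16.84.10/24')
    would send traffic for destination to its default gateway.

    A host ARPs directly for any address inside its own interface prefix
    and never consults a route for it, so a VPN route on the firewall is
    irrelevant for those destinations.
    """
    iface = ipaddress.ip_interface(host_iface)
    return ipaddress.ip_address(destination) not in iface.network


def unreachable_via_vpn(host_iface, cidrs):
    """Remote prefixes that lie entirely inside the host's own on-link
    prefix, i.e. that this host would never send towards the tunnel."""
    iface = ipaddress.ip_interface(host_iface)
    return [c for c in cidrs if c.subnet_of(iface.network)]


if __name__ == "__main__":
    a = range_to_cidrs(*RANGE_A)
    b = range_to_cidrs(*RANGE_B)
    print("Phase 2 prefixes for range A:", [str(c) for c in a])
    print("Phase 2 prefixes for range B:", [str(c) for c in b])
    print("Overlapping selectors:",
          [(str(x), str(y)) for x, y in overlapping(a, b)])
    # Assumed host addresses for illustration only
    for host in ("172.16.84.10/24", "172.16.84.10/25"):
        print(host, "-> uses gateway for 172.16.84.200:",
              host_uses_gateway(host, "172.16.84.200"),
              "| remote prefixes it would never route:",
              [str(c) for c in unreachable_via_vpn(host, b)])
```

        Each of the two example ranges expands to nine prefixes, and three of them overlap between the ranges (172.16.84.92 to .98 appears in both), so the ranges as written could not even be configured unambiguously. With a /24 mask every one of those prefixes is on-link for the host and none of them would ever reach the firewall; only after shrinking the mask to /25 do the prefixes above .127 become routable, which is the "upper 128 addresses" case keyser describes.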
        • michmoor (LAYER 8, Rebel Alliance), Mar 12, 2025, 10:11 PM

          Seems like a perfectly good use case for Tailscale

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.