Site-to-Site configuration in pfSense 2.0



  • I've recently begun testing pfSense and have a goal of connecting two pfSense boxes together. One will have road warriors connecting to it, and the other is a corp. network firewall. I would like to configure it so that eventually the road warriors will be able to access all resources on the network behind the corp. firewall. For now, I have taken the road warriors out of the loop and would like a client connected directly to the outside pfSense box to be able to access all resources on the corp. LAN behind the other pfSense box.

    I've gotten the tunnel up and running with static routes in both directions, and can ping everything in both directions. The trouble I'm having is getting access to an internal website (and eventually file shares and domain controller, but one step at a time eh?). I've set up DNS Forwarding and if I try running the shell command host website.domain.com 192.168.15.1 (remote pfSense firewall) I get the response:
    Name: 192.168.15.1
    Address 192.168.15.1#53
    Aliases:

    website.domain.com has address 10.0.1.111 which is correct.

    However, I am unable to access the site through a web browser. Can anyone shed some light on what might be causing this? I've been focusing on it for quite a while so perhaps a second set of eyes would be helpful. I've attached a diagram of the configuration I'm using. At present, I'm trying to connect from a 192.168.15.x client (plugged in to LAN on the remote firewall) to the 10.0.1.111 server (web page host). Thanks for your assistance!


  • Rebel Alliance Developer Netgate

    You shouldn't have static routes, use the "remote network" and/or route statements in OpenVPN's config to do the routing.

    Check the OpenVPN interface firewall rules on both sides, make sure all protocols are allowed

    Test connectivity in stages:

    From LAN1: Can you ping the OpenVPN IP on the remote site? The LAN IP of the remote router? A device on LAN2?
    And the reverse

    Ensure that the pfSense router is the gateway device for those systems, and that the subnet masks are proper on them.
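    The staged test above, written out as a small script (an added example for this thread, not pfSense code or jimp's). It pings the three hops in order and stops at the first failure, so the stage that fails points at the likely cause: tunnel or OpenVPN interface rules, the local/remote network routing, or the host itself. The addresses in the usage line are constructed placeholders (the tunnel IP depends on your OpenVPN tunnel network), and the `ping -c 1 -W 2` syntax assumes Linux iputils; `PING` can be overridden.

```shell
#!/bin/sh
# Staged site-to-site connectivity check (constructed example).
# Stage 1: remote OpenVPN tunnel IP, stage 2: remote router LAN IP,
# stage 3: a host on the remote LAN. Run it from both sites.

PING="${PING:-ping -c 1 -W 2}"   # assumption: Linux iputils, -W in seconds

# check_stage LABEL TARGET: one ping, prints OK/FAIL, returns the ping result
check_stage() {
    label=$1
    target=$2
    if $PING "$target" >/dev/null 2>&1; then
        printf 'OK    %-26s %s\n' "$label" "$target"
    else
        printf 'FAIL  %-26s %s\n' "$label" "$target"
        return 1
    fi
}

# run_stages TUNNEL_IP REMOTE_LAN_IP REMOTE_HOST_IP
# Returns 0 if every stage passes, otherwise the number of the first failing stage.
run_stages() {
    check_stage "remote OpenVPN tunnel IP" "$1" || {
        echo "  -> tunnel not up, or OpenVPN interface rules block the traffic"; return 1; }
    check_stage "remote router LAN IP" "$2" || {
        echo "  -> remote network missing from the OpenVPN local/remote network settings"; return 2; }
    check_stage "host on remote LAN" "$3" || {
        echo "  -> host-side: local firewall, or wrong gateway/subnet mask on that host"; return 3; }
    echo "all stages OK; repeat from the other site"
}

# Usage: sh stages.sh 10.0.8.1 192.168.15.1 10.0.1.111   (placeholder addresses)
if [ $# -eq 3 ]; then
    run_stages "$@"
fi
```

    The return code is the failing stage number, so the script can be dropped into a cron job or a monitoring check that alerts on a specific hop rather than just "VPN down".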



  • Thanks jimp. I've removed the static routes and got the local network/remote network working properly for the most part. I am able to ping the remote gateway and the one computer behind it on the 192.168.15.x network from a client on the 10.0.1.x network. I am able to ping (and use the web interface for) the main gateway on 10.0.1.1 from the 192.168.1.15.x client. I can ping some clients on the inside of the main gateway, but not all of them. I'm not sure why that is yet, but I think I'm on the right track. Once I can ping the 10.0.1.111 hopefully I will be able to view the website it hosts. Will I need to configure DNS forwarding for that to work properly (once I can ping it)?


  • Rebel Alliance Developer Netgate

    If you can ping some and not others then the usual culprits are:

    • Local client firewalls (windows firewall, iptables, etc) on the system blocking traffic
    • The gateway or subnet mask on that specific system is not correct


  • That was it. Thanks again jimp! The box I was trying to ping had a 10.0.1.111 address but its gateway was set to 10.0.2.254 which isn't part of the test environment. I switched that over and was able to ping and access the webpage from 192.168.15.10! Time for me to read up on DNS and file sharing!



  • I've figured out the necessary DNS settings. On the outside firewall I turned on DNS forwarder and checked register DHCP leases in DNS forwarder and register DHCP static mappings in DNS forwarder. On the same system, I set the DNS server to be the internal firewall, using its LAN IP of 10.0.1.1.

    On the internal firewall, I set the DNS servers to external DNS servers at DNS Advantage. I turned on DNS forwarder and checked both DHCP leases and static mappings on this as well. I then added a domain override for my internal domain that sends requests to the internal DNS server on the 10.0.1.x network. From the outside computer at 192.168.15.1 I am now able to access internal and external websites without a problem.

    Now on to file sharing!
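    The resolver chain described in the post (client -> outside firewall forwarder -> internal firewall forwarder with a domain override -> internal DNS server) is easiest to debug by asking each hop directly for the same name, the way the `host name server` command at the top of the thread does. The script below does that and parses the `host` output; it is an added example, not pfSense code or the poster's. The name, expected address and resolver list are constructed placeholders, and `HOSTCMD` can be overridden for testing.

```shell
#!/bin/sh
# DNS forwarder chain check (constructed example). Queries every resolver in the
# chain directly; the first hop that cannot answer is where the forwarder or
# domain override is misconfigured.

HOSTCMD="${HOSTCMD:-host}"

# parse_host_output NAME: reads 'host' output on stdin, prints the first A record
# for NAME, returns 1 if there is none (NXDOMAIN, timeout, wrong name).
parse_host_output() {
    name=$1
    addr=$(awk -v n="$name" '$1 == n && $2 == "has" && $3 == "address" { print $4; exit }')
    [ -n "$addr" ] || return 1
    echo "$addr"
}

# resolve_via SERVER NAME: query one resolver directly and print the address
resolve_via() {
    $HOSTCMD "$2" "$1" 2>/dev/null | parse_host_output "$2"
}

# check_chain NAME EXPECTED SERVER...: walks the chain from the client outwards.
# Returns 0 if every resolver returns EXPECTED, else the index of the first
# resolver that does not.
check_chain() {
    name=$1; expected=$2; shift 2
    i=0
    for server in "$@"; do
        i=$((i + 1))
        got=$(resolve_via "$server" "$name") || got="(no answer)"
        if [ "$got" = "$expected" ]; then
            printf 'OK    %-16s %s -> %s\n' "$server" "$name" "$got"
        else
            printf 'FAIL  %-16s %s -> %s (expected %s)\n' "$server" "$name" "$got" "$expected"
            return $i
        fi
    done
}

# Usage with placeholder values: name, expected address, then the resolvers in
# order from the client side (outside firewall, internal firewall, internal DNS):
#   sh dnschain.sh website.domain.com 10.0.1.111 192.168.15.1 10.0.1.1 10.0.1.10
if [ $# -ge 3 ]; then
    check_chain "$@"
fi
```

    A failure at the outside firewall while the internal firewall answers means the forwarder on the outside box is not pointing at 10.0.1.1; a failure at the internal firewall while the internal DNS server answers means the domain override for the internal domain is missing or wrong.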



  • I've got file sharing working. For those of you interested in this setup, what I did was start a WINS server on my DC computer in the 10.0.1.x network. Then on the outside firewall I added the WINS server IP, DNS server IP, domain name, and domain search list under Services -> DHCP Server -> LAN. After doing this I was able to resolve internal websites, and access network shares from a client computer on the 192.168.15.x network.

    Now that the test setup is working, I'll try adding a few more client "sites" to the mix and see what happens if I expand the setup a bit.

