Netgate Discussion Forum

    Site-to-Site configuration in pfSense 2.0

    OpenVPN
    7 Posts 2 Posters 4.2k Views
    • keystonetech

      I've recently begun testing pfSense and have a goal of connecting two pfSense boxes together. One will have road warriors connecting to it , and the other is a corp. network firewall. I would like to configure it so that eventually the road warriors will be able to access all resources on the network behind the corp. firewall. For now, I have taken the road warriors out of the loop and would like a client connected directly to the outside pfSense box to be able to access all resources on the corp. LAN behind the other pfSense box.

      I've gotten the tunnel up and running with static routes in both directions, and can ping everything in both directions. The trouble I'm having is getting access to an internal website (and eventually file shares and domain controller, but one step at a time eh?). I've set up DNS Forwarding and if I try running the shell command host website.domain.com 192.168.15.1 (remote pfSense firewall) I get the response:
      Name: 192.168.15.1
      Address: 192.168.15.1#53
      Aliases:

      website.domain.com has address 10.0.1.111 which is correct.

      However, I am unable to access the site through a web browser. Can anyone shed some light on what might be causing this? I've been focusing on it for quite a while so perhaps a second set of eyes would be helpful. I've attached a diagram of the configuration I'm using. At present, I'm trying to connect from a 192.168.15.x client (plugged in to LAN on the remote firewall) to the 10.0.1.111 server (web page host). Thanks for your assistance!

      • jimp (Rebel Alliance, Developer, Netgate)

        You shouldn't have static routes, use the "remote network" and/or route statements in OpenVPN's config to do the routing.

        Check the OpenVPN interface firewall rules on both sides, make sure all protocols are allowed

        Test connectivity in stages:

        From LAN1: Can you ping the OpenVPN IP on the remote site? The LAN IP of the remote router? A device on LAN2?
        And the reverse

        Ensure that the pfSense router is the gateway device for those systems, and that the subnet masks are proper on them.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

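What jimp's answer amounts to in practice, as an added example that is not code from the thread or from pfSense itself: the `route` directive that pfSense 2.0 writes into the OpenVPN config from the "Remote Network" field (this is what replaces the static routes), and a script that walks the tunnel in the stages he lists. The tunnel addresses 10.8.0.1/10.8.0.2, the shared-key path, and the hostname corp.example.net are assumptions for a lab laid out like the thread's; `ping -c 1 -q` is the only external command used.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumed lab (hypothetical, matching the thread's addressing):
#   corp site:   LAN 10.0.1.0/24, pfSense LAN 10.0.1.1, tunnel IP 10.8.0.1, listens on 1194
#   remote site: LAN 192.168.15.0/24, pfSense LAN 192.168.15.1, tunnel IP 10.8.0.2
#   corp WAN reachable as corp.example.net (hypothetical hostname)

# ovpn_p2p_conf ROLE LOCAL_TUN_IP PEER_TUN_IP FAR_NET FAR_MASK [PEER_HOST]
# Emit a shared-key peer-to-peer OpenVPN config. ROLE is "server" (listens) or
# "client" (dials PEER_HOST). The `route` line is what pfSense generates from
# the "Remote Network" field; it replaces a static route and exists only while
# the tunnel is up.
ovpn_p2p_conf() {
    role=$1; tun_ip=$2; peer_tun=$3; far_net=$4; far_mask=$5; peer_host=$6
    printf 'dev tun\nproto udp\n'
    if [ "$role" = server ]; then
        printf 'port 1194\n'
    else
        printf 'remote %s 1194\n' "$peer_host"
    fi
    printf 'ifconfig %s %s\n' "$tun_ip" "$peer_tun"
    printf 'secret /var/etc/openvpn/site2site.secret\n'   # hypothetical key path
    printf 'route %s %s\n' "$far_net" "$far_mask"
    printf 'keepalive 10 60\npersist-key\npersist-tun\n'
}

# probe IP: one quiet ICMP echo. Separate function so a test can stub it.
probe() {
    ping -c 1 -q "$1" >/dev/null 2>&1
}

# check_path "IP IP ...": probe hops in order and print the first that fails,
# or "all-reachable". Progress goes to stderr so stdout is just the verdict.
check_path() {
    for hop in $1; do
        if probe "$hop"; then
            echo "ok   $hop" >&2
        else
            echo "FAIL $hop"
            return 0
        fi
    done
    echo "all-reachable"
}

# Stand-alone demo: print both configs, then walk the path from the remote site
# in jimp's order: far tunnel IP, far pfSense LAN IP, a host on the far LAN.
if [ "${1:-}" = "--demo" ]; then
    echo "## corp side (server)"
    ovpn_p2p_conf server 10.8.0.1 10.8.0.2 192.168.15.0 255.255.255.0
    echo "## remote side (client)"
    ovpn_p2p_conf client 10.8.0.2 10.8.0.1 10.0.1.0 255.255.255.0 corp.example.net
    check_path "10.8.0.1 10.0.1.1 10.0.1.111"
fi
```

Run it with `--demo` from the remote site. The first hop that fails tells you which layer to look at: the far tunnel IP failing is the tunnel itself or the OpenVPN-tab firewall rule; the far pfSense LAN IP failing is the `route` line missing on the client side; a far LAN host failing with the pfSense LAN IP reachable is that host's gateway, mask or local firewall, which is where this thread ends up. Two caveats a practitioner should know: a leftover static route for the same prefix makes OpenVPN's own route add fail on FreeBSD with "File exists", so remove the static routes before relying on the tunnel's; and in SSL/TLS server mode with several clients the server additionally needs an `iroute` for the subnet behind each client (pfSense: Client Specific Overrides, Remote Network), because the kernel `route` only says "into the tun", not which client owns that network. Confirm the result with `netstat -rn -f inet` on each box.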
        • keystonetech

          Thanks jimp. I've removed the static routes and got the local network/remote network working properly for the most part. I am able to ping the remote gateway and the one computer behind it on the 192.168.15.x network from a client on the 10.0.1.x network. I am able to ping (and use the web interface for) the main gateway on 10.0.1.1 from the 192.168.15.x client. I can ping some clients on the inside of the main gateway, but not all of them. I'm not sure why that is yet, but I think I'm on the right track. Once I can ping the 10.0.1.111 hopefully I will be able to view the website it hosts. Will I need to configure DNS forwarding for that to work properly (once I can ping it)?

          • jimp (Rebel Alliance, Developer, Netgate)

            If you can ping some and not others then the usual culprits are:

            • Local client firewalls (windows firewall, iptables, etc) on the system blocking traffic
            • The gateway or subnet mask on that specific system is not correct


            • keystonetech

              That was it. Thanks again jimp! The box I was trying to ping had a 10.0.1.111 address but its gateway was set to 10.0.2.254 which isn't part of the test environment. I switched that over and was able to ping and access the webpage from 192.168.15.10! Time for me to read up on DNS and file sharing!

              • keystonetech

                I've figured out the necessary DNS settings. On the outside firewall I turned on DNS forwarder and checked register DHCP leases in DNS forwarder and register DHCP static mappings in DNS forwarder. On the same system, I set the DNS server to be the internal firewall, using its LAN IP of 10.0.1.1.

                On the internal firewall, I set the DNS servers to external DNS servers at DNS Advantage. I turned on DNS forwarder and checked both DHCP leases and static mappings on this as well. I then added a domain override for my internal domain that sends requests to the internal DNS server on the 10.0.1.x network. From the outside computer at 192.168.15.1 I am now able to access internal and external websites without a problem.

                Now on to file sharing!

                • keystonetech

                  I've got file sharing working. For those of you interested in this setup, what I did was start a WINS server on my DC computer in the 10.0.1.x network. Then on the outside firewall I added the WINS server IP, DNS server IP, domain name, and domain search list under Services -> DHCP Server -> LAN. After doing this I was able to resolve internal websites, and access network shares from a client computer on the 192.168.15.x network.

                  Now that the test setup is working, I'll try adding a few more client "sites" to the mix and see what happens if I expand the setup a bit.

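The DNS and DHCP arrangement from the last two posts, as an added example that is not code from the thread or from pfSense: the dnsmasq directives that pfSense 2.0's DNS Forwarder writes for a domain override and an upstream server, the ISC dhcpd options behind the Services -> DHCP Server -> LAN fields, and a checker that asks each hop for the same name and reports where the chain breaks. The DC at 10.0.1.5 (DNS for domain.com plus WINS), 198.51.100.53 standing in for the DNS Advantage resolver, the 192.168.15.100-199 pool, and handing clients the local forwarder as their DNS server are all assumptions; `host` and `awk` are the only external commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumed lab (hypothetical): corp pfSense LAN 10.0.1.1; DC at 10.0.1.5 running
# DNS for domain.com plus WINS; remote pfSense LAN 192.168.15.1; 198.51.100.53
# is a placeholder for the external (DNS Advantage) resolver.
DOMAIN=domain.com
INTERNAL_DNS=10.0.1.5
WINS=10.0.1.5
CORP_FW=10.0.1.1
REMOTE_FW=192.168.15.1
UPSTREAM=198.51.100.53

# corp_forwarder_conf: what the corp pfSense DNS Forwarder (dnsmasq) needs.
# A "domain override" is server=/domain/ip. Add one for the reverse zone too,
# or PTR lookups for 10.0.1.x go to the public resolver and come back empty.
corp_forwarder_conf() {
    printf 'server=/%s/%s\n' "$DOMAIN" "$INTERNAL_DNS"
    printf 'server=/1.0.10.in-addr.arpa/%s\n' "$INTERNAL_DNS"
    printf 'server=%s\n' "$UPSTREAM"
}

# remote_forwarder_conf: the thread's design, every query goes to the corp
# firewall over the tunnel, which applies the overrides above.
remote_forwarder_conf() {
    printf 'server=%s\n' "$CORP_FW"
}

# remote_dhcp_conf: ISC dhcpd options behind Services -> DHCP Server -> LAN on
# the remote pfSense. Clients get the local forwarder as DNS, and WINS plus
# node type 8 (hybrid) so NetBIOS names resolve across a routed tunnel that
# does not carry broadcasts.
remote_dhcp_conf() {
    printf 'subnet 192.168.15.0 netmask 255.255.255.0 {\n'
    printf '  range 192.168.15.100 192.168.15.199;\n'
    printf '  option routers %s;\n' "$REMOTE_FW"
    printf '  option domain-name-servers %s;\n' "$REMOTE_FW"
    printf '  option domain-name "%s";\n' "$DOMAIN"
    printf '  option domain-search "%s";\n' "$DOMAIN"
    printf '  option netbios-name-servers %s;\n' "$WINS"
    printf '  option netbios-node-type 8;\n'
    printf '}\n'
}

# lookup NAME SERVER: A record via one resolver, prints the address or nothing.
# A function so a test can stub it without a network.
lookup() {
    host -t A "$1" "$2" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# chain_check NAME: ask the authoritative server first, then each forwarder
# hop in order, and report the first hop whose answer is missing or differs.
chain_check() {
    name=$1
    want=$(lookup "$name" "$INTERNAL_DNS")
    if [ -z "$want" ]; then
        echo "FAIL $INTERNAL_DNS no answer from the internal DNS itself"
        return 0
    fi
    for hop in "$CORP_FW" "$REMOTE_FW"; do
        got=$(lookup "$name" "$hop")
        if [ "$got" != "$want" ]; then
            echo "FAIL $hop got ${got:-nothing} want $want"
            return 0
        fi
    done
    echo "ok $want"
}

# Stand-alone demo: print the three fragments, then check the chain for the
# thread's web server name from a host that can reach all three resolvers.
if [ "${1:-}" = "--demo" ]; then
    corp_forwarder_conf; remote_forwarder_conf; remote_dhcp_conf
    chain_check "website.$DOMAIN"
fi
```

Two things to check alongside this. The corp pfSense only answers the remote forwarder if its OpenVPN-tab rules allow UDP and TCP 53 to the firewall itself, so a chain that fails at 10.0.1.1 while `host` works against 10.0.1.5 directly is usually a rule, not DNS. And because the remote forwarder sends everything over the tunnel, a tunnel outage also takes out public name resolution at the remote site; if that matters, give the remote forwarder the public resolver as its general upstream and put the same two domain overrides (domain.com and the reverse zone) on it pointing at the corp side, so only internal lookups depend on the tunnel.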
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.