IPSEC+OPT1/LAN Bridge
-
Hi,
We've been running pfSense at work for quite a few years. We initially set it up to bridge our "building control" network to our LAN. The LAN has unrestricted access to the building network (OPT1), and the two are configured as a bridge. The OPT1 interface has very limited access to the LAN; for example, we allow UDP broadcast packets on a certain port through to the LAN, as they are packets from our building control system.
It's worked fantastically.
However, the ability to VPN into the network from the WAN side has always been something we'd like to do, especially with iPhones. Obviously pfSense 2.0 has a working implementation of IPsec that plays nicely with the iPhone.
So, following various guides in here, I successfully created an IPsec configuration that allows my iPhone to connect. All good.
However, although I can see machines on the LAN, I cannot see any of the machines on the OPT1 side (anything on the bridge). I can't see any obvious reason why this would be; there doesn't appear to be anything in the logs saying that anything was explicitly blocked.
I'm not at work now, so I can't post any specifics of the configuration at the moment; I was just wondering if there are any "gotchas" that I should be aware of?
Our network is running in the 10.0.0.0/8 space, with our building control devices living on 10.0.X.X, LAN-side DHCP machines on 10.5.X.X and servers on 10.6.X.X; the exception is the pfSense machine, which lives on 10.5.0.1. Our building control devices have a simple web page which just shows the state of their operating system. One of them lives on 10.0.0.1, and I can see it from my machine on the LAN without any issues; however, as soon as I VPN in, I cannot see it anymore. I can, however, quite happily see the pfSense box or anything else on the LAN side.
I appreciate you'll probably need some more detailed configs, but I thought I'd start the ball rolling!
Thanks guys for a brilliant piece of software!
Adrian
P.S. A really nice addition to the logs would be to see which rule caused a packet to be blocked, i.e. whether it was a default block by virtue of there being no pass rules, or whether a specific rule blocked it.
-
Sounds like a big mess. Though if your subnet masks everywhere, including the phase 2 bits of the IPsec config, are /8 (255.0.0.0) it should work.
P.S. A really nice addition to the logs would be to see which rule caused a packet to be blocked, i.e. whether it was a default block by virtue of there being no pass rules, or whether a specific rule blocked it.
It already does. Click the action icon (red/yellow X, green arrow).
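To make the point about the phase 2 subnet mask concrete, here is an added example (not code from the thread or from pfSense): a small Python check that takes the "local network" selector(s) configured in the mobile IPsec phase 2 entry and reports which of the hosts mentioned above would fall outside every selector. Traffic to a destination that matches no phase 2 selector is never sent into the tunnel, so it is neither passed nor logged as blocked by the firewall, which matches the symptom described. The addresses for the pfSense box and the building control device come from the post; the LAN client and server addresses, and the starting assumption that the phase 2 selector was derived from a /16 LAN subnet, are constructed for illustration.

```python
# Added example (not from the thread): check whether the hosts a mobile IPsec
# client wants to reach fall inside the phase 2 "local network" selector(s).
# Only traffic matching a phase 2 selector is carried in the tunnel, so a host
# outside every selector is unreachable over the VPN without any block log entry.
import ipaddress

# Sample destinations. The first two are from the thread; the last two are
# constructed addresses inside the ranges the poster described.
HOSTS = {
    "building-control": "10.0.0.1",   # OPT1 side of the bridge
    "pfsense": "10.5.0.1",            # LAN side (from the thread)
    "lan-client": "10.5.20.15",       # constructed LAN DHCP client
    "server": "10.6.0.10",            # constructed server address
}


def uncovered_hosts(phase2_local_nets, hosts=HOSTS):
    """Return the names of hosts that no phase 2 local-network selector covers."""
    nets = [ipaddress.ip_network(n, strict=False) for n in phase2_local_nets]
    missing = []
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            missing.append(name)
    return missing


def explain(phase2_local_nets):
    """Human-readable summary of which sample hosts the VPN client could reach."""
    missing = uncovered_hosts(phase2_local_nets)
    if missing:
        return "phase 2 %s: not reachable via VPN -> %s" % (
            phase2_local_nets, ", ".join(missing))
    return "phase 2 %s: all sample hosts reachable" % (phase2_local_nets,)


if __name__ == "__main__":
    # Assumed starting point: a selector taken from a /16 LAN subnet. It covers
    # the LAN but leaves the bridged OPT1 hosts (and the 10.6 servers) out.
    print(explain(["10.5.0.0/16"]))
    # Widening the selector to the whole /8, as the reply suggests, covers
    # everything on the bridge as well.
    print(explain(["10.0.0.0/8"]))
    # Listing each range explicitly as separate phase 2 entries also works.
    print(explain(["10.0.0.0/16", "10.5.0.0/16", "10.6.0.0/16"]))
```

Run it as-is to see the three cases; to check a real configuration, replace the list passed to `explain()` with the exact local network(s) from the phase 2 entry and the hosts you expect to reach. A host that shows up as uncovered is a selector problem, not a firewall rule problem, which is why nothing appears in the firewall log.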