Netgate Discussion Forum

[Solved] Cisco 1841 and static route

General pfSense Questions
  • B
    brian.huang
    last edited by Aug 3, 2011, 2:40 AM Jul 28, 2011, 5:57 AM

    In order to bypass China's Great Censorship Firewall, we have an MPLS-VPN. In addition, we don't want it to go to our LAN. Following is the setup.

    China (Cisco 1841 MPLS-VPN 172.1.16.0/24) --> Taiwan (Cisco 1841 MPLS-VPN 192.1.200.0/24) --> Taiwan (pfSense LAN 192.1.200.99)

    A Squid Server is running on pfSense firewall. I can use it from 192.1.200.100. However, the main purpose is for people in China office to use squid. Therefore, on pfSense firewall, I use a static route:

    172.1.16.0/32 --> 192.1.200.254 (gateway)

    Is my configuration correct? Do I need more configurations?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jul 28, 2011, 2:56 PM

      You must route via a gateway in a subnet to which you have a direct connection.

      So from 172.1.16.0, it would go to the default gateway there, and then from there you'd route that to the next hop over the VPN, whatever the IP of the router at Taiwan would be that it shares a subnet with on a tunnel/interface.

      If it's an IPsec VPN, you'll have to add phase 2 definitions to direct the traffic into/across the VPN.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • B
        brian.huang
        last edited by Jul 29, 2011, 6:58 AM

        Thanks for your reply.
        @jimp:

        You must route via a gateway in a subnet to which you have a direct connection.

        The pfSense LAN has an IP of 192.1.200.99 and connects directly to the Cisco 1841 subnet 192.1.200.0/24 via gateway 192.1.200.254.

        @jimp:

        So from 172.1.16.0, it would go to the default gateway there, and then from there you'd route that to the next hop over the VPN, whatever the IP of the router at Taiwan would be that it shares a subnet with on a tunnel/interface.

        The ISP company offers MPLS-VPN and routes from China (172.1.16.0/24) to Taiwan (192.1.200.0/24). Do I need to do anything here? As described above, the pfSense LAN port connects directly to the Taiwan subnet 192.1.200.0/24 via gateway 192.1.200.254.

        @jimp:

        If it's an IPsec VPN, you'll have to add phase 2 definitions to direct the traffic into/across the VPN.

        I was told that the connection between Taiwan and China is MPLS-VPN. How does the IPsec VPN fit in? Do I misunderstand your reply?

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jul 29, 2011, 11:37 AM

          I have no idea what kind of VPN that is – you didn't say. I mentioned IPsec because it's one possibility.

          Is there a subnet in common between China and Taiwan?

          • M
            Metu69salemi
            last edited by Jul 29, 2011, 11:42 AM

            MPLS is done by operators, but still some other VPN over it would be nice.

            Something from wiki concerning MPLS

            • B
              brian.huang
              last edited by Aug 3, 2011, 2:39 AM

              @jimp:

              I have no idea what kind of VPN that is – you didn't say. I mentioned IPsec because it's one possibility.

              Is there a subnet in common between China and Taiwan?

              Thank you for your hints. I had wrong knowledge about MPLS-VPN until learning from your comments. MPLS-VPN is not encrypted.

              Problem solved. I added static routes like this:

              China (Cisco 1841: 172.16.0.0/16) --> Taiwan (Cisco 1841: 192.1.200.0/24, GW 192.1.200.254) --> pfSense+Squid (IP: 192.1.200.99)
              Static route on pfSense: 172.16.0.0/16 --> 192.1.200.254

              Thank you.

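The two checks discussed in this thread, as an added example that is not part of any post: whether a static route's gateway sits on a directly connected subnet, and which next hop the firewall picks for a reply to a given proxy client. The interface address, routes and gateway are the ones posted above; the client addresses 172.1.16.25 and 172.16.5.10, the off-link gateway 172.1.16.1 and the `WAN-default` label are constructed for illustration.

```python
import ipaddress


def check_static_route(lan_if, dest, gateway, client):
    """Return (gateway_on_link, route_matches_client) for one static route.

    lan_if  -- firewall interface in CIDR form, e.g. "192.1.200.99/24"
    dest    -- destination network of the static route
    gateway -- next hop configured for that route
    client  -- address of a remote host that must be reachable
    """
    iface = ipaddress.ip_interface(lan_if)
    net = ipaddress.ip_network(dest, strict=True)  # rejects host bits in dest
    gw = ipaddress.ip_address(gateway)
    # The gateway must be another host on a subnet the firewall is attached to.
    gateway_on_link = gw in iface.network and gw != iface.ip
    return gateway_on_link, ipaddress.ip_address(client) in net


def next_hop(routes, default_gw, client):
    """Longest-prefix match over (dest, gateway) pairs.

    Falls back to default_gw when no static route covers the client.
    """
    addr = ipaddress.ip_address(client)
    best = None
    for dest, gw in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw


if __name__ == "__main__":
    LAN = "192.1.200.99/24"   # pfSense LAN address from the thread
    GW = "192.1.200.254"      # Cisco 1841 on the same subnet
    DEFAULT = "WAN-default"   # placeholder label, not a value from the thread

    # Route from the first post: a /32 covers only the single address 172.1.16.0.
    print(check_static_route(LAN, "172.1.16.0/32", GW, "172.1.16.25"))
    print(next_hop([("172.1.16.0/32", GW)], DEFAULT, "172.1.16.25"))

    # Route from the "Problem solved" post.
    print(check_static_route(LAN, "172.16.0.0/16", GW, "172.16.5.10"))
    print(next_hop([("172.16.0.0/16", GW)], DEFAULT, "172.16.5.10"))

    # A gateway outside 192.1.200.0/24 fails the on-link check.
    print(check_static_route(LAN, "172.16.0.0/16", "172.1.16.1", "172.16.5.10"))
```

When no static route covers a client, the reply leaves through the default gateway instead of the router on the private link.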
              • B
                brian.huang
                last edited by Aug 3, 2011, 1:54 PM

                @Metu69salemi:

                MPLS is done by operators, but still some other VPN over it would be nice.

                Something from wiki concerning MPLS

                Thanks for the link.
