How to set up a point-to-point line



  • Hi Experts,

    We have taken a point-to-point line between two offices in different locations and now want to set up this point-to-point line with pfSense, but we are not sure how to achieve this goal.

    We have pfSense at both offices, each with a Cisco 2960 switch.

    Can you please suggest how to configure the point-to-point line? Site A has local subnet 192.168.1.x/24 and Site B has local subnet 192.168.2.x/24.

    Looking forward to your valuable suggestions.

    Thanks
    Pankaj



  • Depends on what kind of point-to-point line it is. If it's basically end-to-end Ethernet, it's best to set up a dedicated NIC on the firewall on both sides, put a unique IP subnet on that link itself, and set up static routes on each end that point the remote network's subnet at the remote location's firewall IP. If it's one where the provider has a router in the middle, as with MPLS, that's similar, but you'll have to configure the NIC on the firewall at each end with the appropriate subnet provided by the provider.



  • Thanks for the quick response, CMB.

    It's a point-to-point line where the ISP has provided a switch-like device with 4 Ethernet ports, so it looks like this is end-to-end Ethernet.
    So then, as per your suggestion, I would terminate the Ethernet cables into the second NIC on both firewalls, then I will have to configure the interface with a static IP and allow traffic for both subnets?

    Please explain with an example, as I have never done this before for this type of scenario.

    Thanks in advance
    Pankaj



  • If you're confident that the point-to-point link is a pure end-to-end Ethernet type connection, such as Metro-E, then you just need to add one more NIC to each pfSense box.

    Assign the additional NIC on each pfSense box as OPT1.

    Determine a small subnet to use for this link, e.g. 10.0.1.0/28.

    Now configure each OPT1 connection with a unique static IP within that subnet.

    Following the example:
    Office 1 OPT1 has interface address 10.0.1.1/28 with Gateway 10.0.1.2
    Office 2 OPT1 has interface address 10.0.1.2/28 with Gateway 10.0.1.1

    Furthermore, you need to configure static routes.
    Hence:
    Under System -> Routing -> Routes:
    Office 1 has a static route as follows:
    Destination Subnet:  192.168.2.0/24
    Gateway:  10.0.1.2

    and Office 2 has a static route as follows:
    Destination Subnet:  192.168.1.0/24
    Gateway:  10.0.1.1

    Then head over to Firewall -> Rules -> OPT1 tab.

    For Office 1:
    Add a rule to allow ANY protocol, Source subnet: LAN Subnet, Destination subnet: 192.168.2.0/24.

    For Office 2:
    Add a rule to allow ANY protocol, Source subnet: LAN Subnet, Destination subnet: 192.168.1.0/24.
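A worked check of the plan in the post above, added here as an example; it is not from this thread and not pfSense code. It takes the two LAN subnets and the 10.0.1.0/28 link from the post, validates the things that most often go wrong on a routed link (link addresses not in one subnet, a static route whose gateway is not on-link, overlapping subnets) and prints each site's GUI settings together with the equivalent pf rules. The interface name em2 and the site names are assumptions. One point the rules make explicit: a rule on the OPT1 tab is evaluated against traffic arriving on OPT1, i.e. coming from the remote office, so the matching source there is the remote subnet; the local subnet's outbound traffic is filtered on the LAN tab. No nat rule is emitted, since this is the routed form of the link; note that in pfSense, giving OPT1 a gateway also puts automatic outbound NAT on that interface.

```python
"""Plan and sanity-check a routed point-to-point link between two pfSense sites.

Added example, not from the forum thread.  Site names, the interface name (em2)
and the choice of link subnet are assumptions; LAN subnets and the 10.0.1.0/28
link follow the thread.  Rule output is pf(4) syntax, which is what the pfSense
GUI compiles rules to; it is meant to be read against the GUI fields.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    lan: ipaddress.IPv4Network           # local LAN
    link_if: str                         # interface facing the circuit (OPT1)
    link_ip: ipaddress.IPv4Interface     # address on the link, e.g. 10.0.1.1/28


def make_site(name: str, lan: str, link_if: str, link_ip: str) -> Site:
    return Site(name, ipaddress.ip_network(lan), link_if, ipaddress.ip_interface(link_ip))


def check_plan(a: Site, b: Site) -> list[str]:
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems: list[str] = []
    if a.link_ip.network != b.link_ip.network:
        problems.append("link addresses are not in the same subnet")
    if a.link_ip.ip == b.link_ip.ip:
        problems.append("both sites use the same link address")
    if a.lan.overlaps(b.lan):
        problems.append("LAN subnets overlap; routing between them is impossible")
    for s in (a, b):
        if s.lan.overlaps(s.link_ip.network):
            problems.append(f"{s.name}: link subnet overlaps its own LAN")
    for s, peer in ((a, b), (b, a)):
        # the static route's gateway must be directly reachable on the link
        if peer.link_ip.ip not in s.link_ip.network:
            problems.append(f"{s.name}: gateway {peer.link_ip.ip} is not on-link")
    return problems


def site_config(local: Site, remote: Site) -> dict:
    """Per-site settings as GUI fields, plus the equivalent pf rules."""
    return {
        "interface": f"{local.link_if} inet {local.link_ip}",
        "static_route": f"{remote.lan} via {remote.link_ip.ip}",
        "rules": [
            # pf evaluates 'in' rules on the interface a packet ARRIVES on.
            # Traffic from the remote LAN enters on the link interface, so the
            # OPT1 rule must name the REMOTE subnet as its source.
            f"pass in quick on {local.link_if} inet from {remote.lan} to {local.lan}",
            # The LAN tab lets local hosts out to the remote site (pfSense's
            # default 'LAN to any' rule already covers this; shown for clarity).
            f"pass in quick on lan inet from {local.lan} to {remote.lan}",
        ],
    }


SITE_A = make_site("Office 1", "192.168.1.0/24", "em2", "10.0.1.1/28")
SITE_B = make_site("Office 2", "192.168.2.0/24", "em2", "10.0.1.2/28")

if __name__ == "__main__":
    problems = check_plan(SITE_A, SITE_B)
    print("plan OK" if not problems else "\n".join("PROBLEM: " + p for p in problems))
    for local, remote in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        cfg = site_config(local, remote)
        print(f"\n== {local.name} ==")
        print("OPT1 address :", cfg["interface"])
        print("static route :", cfg["static_route"])
        for rule in cfg["rules"]:
            print("rule         :", rule)
```

Running it with the thread's addresses reports "plan OK" and, for Office 1, the static route 192.168.2.0/24 via 10.0.1.2 and an OPT1 rule from 192.168.2.0/24 to 192.168.1.0/24; change Office 2's link address to 10.0.2.2/28 and the checker flags both the split link subnet and the two unreachable gateways.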



  • Thanks a ton for the step-by-step guideline.

    As per the ISP: "this is a 10Mbit/s Point to Point circuit, there are no IP addresses associated. At both ends, the ports will be configured to 10BaseT, Full Duplex. The circuit routed over MSP from the UK to Colt Node in other end, and then picks up a leased line to the 'B' end"

    So this is a point-to-point Ethernet circuit. I will give it a try and configure it as per your suggestions this weekend and keep you posted…

    Thanks
    Pankaj



  • Hi dreamslacker,
    I did the setup as per your guidelines and now I can ping both OPT interfaces from each other; however, I am not able to ping the LAN net. I have added rules under the OPT interface in the sequence you mentioned.
    Please suggest which rule I am missing…


  • Netgate Administrator

    Either your firewall rules are wrong, in which case you should see entries in the firewall log(s), or your static routes aren't working correctly.
    Can you ping from the pfSense machines themselves? If the routing isn't working you should see 'no route' or a similar error.

    Steve



  • @dreamslacker:

    If you're confident that the point-to-point link is a pure end-to-end Ethernet type connection, such as Metro-E, then you just need to add one more NIC to each pfSense box.

    Assign the additional NIC on each pfSense box as OPT1.

    Determine a small subnet to use for this link, e.g. 10.0.1.0/28.

    Now configure each OPT1 connection with a unique static IP within that subnet.

    Following the example:
    Office 1 OPT1 has interface address 10.0.1.1/28 with Gateway 10.0.1.2
    Office 2 OPT1 has interface address 10.0.1.2/28 with Gateway 10.0.1.1

    Furthermore, you need to configure static routes.
    Hence:
    Under System -> Routing -> Routes:
    Office 1 has a static route as follows:
    Destination Subnet:  192.168.2.0/24
    Gateway:  10.0.1.2

    and Office 2 has a static route as follows:
    Destination Subnet:  192.168.1.0/24
    Gateway:  10.0.1.1

    Then head over to Firewall -> Rules -> OPT1 tab.

    For Office 1:
    Add a rule to allow ANY protocol, Source subnet: LAN Subnet, Destination subnet: 192.168.2.0/24.

    For Office 2:
    Add a rule to allow ANY protocol, Source subnet: LAN Subnet, Destination subnet: 192.168.1.0/24.

    Thanks

    Hi,
    Thanks a lot for your valuable inputs; I have successfully set up the point-to-point line.
    The only thing that wasted some of my time was that once we had set up both firewalls, we then needed to reboot both of them.
    I hope this will be helpful for someone in future.



  • @dreamslacker:

    If you're confident that the point-to-point link is a pure end-to-end Ethernet type connection, such as Metro-E, then you just need to add one more NIC to each pfSense box.

    Assign the additional NIC on each pfSense box as OPT1.

    Determine a small subnet to use for this link, e.g. 10.0.1.0/28.

    Now configure each OPT1 connection with a unique static IP within that subnet.

    Following the example:
    Office 1 OPT1 has interface address 10.0.1.1/28 with Gateway 10.0.1.2
    Office 2 OPT1 has interface address 10.0.1.2/28 with Gateway 10.0.1.1

    Furthermore, you need to configure static routes.
    Hence:
    Under System -> Routing -> Routes:
    Office 1 has a static route as follows:
    Destination Subnet:  192.168.2.0/24
    Gateway:  10.0.1.2

    and Office 2 has a static route as follows:
    Destination Subnet:  192.168.1.0/24
    Gateway:  10.0.1.1

    Then head over to Firewall -> Rules -> OPT1 tab.

    For Office 1:
    Add a rule to allow ANY protocol, Source subnet: LAN Subnet, Destination subnet: 192.168.2.0/24.

    For Office 2:
    Add a rule to allow ANY protocol, Source subnet: LAN Subnet, Destination subnet: 192.168.1.0/24.

    Hi,

    Now I am experiencing an issue with UDP packets. We have a SIP device on the 192.168.2.x side and a SIP server on the 192.168.1.x side.
    Now UDP packets are not going across properly, with the result that the other end is not able to hear the voice.

    Any idea what additional rule I need to add?

    Thanks in advance


  • Netgate Administrator

    If you have ANY protocol in your rules, that includes UDP.
    Are you seeing anything in the firewall logs at either end?

    Are you seeing no UDP at all or just some packet loss?

    Steve



  • @stephenw10:

    If you have ANY protocol in your rules, that includes UDP.
    Are you seeing anything in the firewall logs at either end?

    Are you seeing no UDP at all or just some packet loss?

    Steve

    Thanks for the quick response, Steve.
    For more information:

    VoIP Phone1 ---> Cisco 2960 ---> pfsense1 Firewall <--------- point-to-point link ----------> pfsense2 Firewall ----> Cisco 2960 ----> VoIP Server

    VoIP Phone1: 192.168.2.100
    pfsense1: LAN 192.168.2.1, WAN dynamic & WAN2 10.0.5.2 with gateway 10.0.5.1 (one end of the point-to-point link)
    pfsense1 static route: 192.168.1.0 via 10.0.5.2

    pfsense2: LAN 192.168.1.1, WAN dynamic & WAN2 10.0.5.1 with gateway 10.0.5.2 (the other end of the point-to-point link)
    pfsense2 static route: 192.168.2.0 via 10.0.5.1
    VoIP Server: 192.168.1.5

    The problem I am facing is that the VoIP server is not able to detect the IP address of the VoIP phone on the other side of the point-to-point connection. How can I overcome this NAT issue? Unfortunately the VoIP server doesn't provide many configurable options.


  • Netgate Administrator

    Yet other services work across the link?
    I am inexperienced with VoIP so may not be of much help.  :(
    Have you read this?: http://doc.pfsense.org/index.php/VoIP_Configuration

    Steve



  • It's a NAT issue.  He needs to set static port NAT for the SIP traffic.


  • Netgate Administrator

    Is there any reason to be NATing across the PTP link?

    Steve



  • @stephenw10:

    Is there any reason to be NATing across the PTP link?

    Steve

    Thanks everyone for your responses.
    The actual problem is that with the point-to-point line everything is accessible except the VoIP phones.
    The issue with the VoIP phones is that two VoIP phones do not work at the same time, while one on its own works.
    So probably the VoIP server is not able to identify the SIP/UDP packet source from the other end; that's why it interacts with only one VoIP phone.

    Can anyone please suggest how to pass the VoIP phone info to the VoIP server on the other end?


  • Netgate Administrator

    From your description it sounds exactly like the situation described in the docs.
    pfSense 2 (you are using 2 right?) is NATing traffic across the PTP link, that is the default behaviour when using an interface with a gateway so all traffic appears to be coming from one IP. You setup the first call and that uses source port 5060 which works fine. You try to make a second call and pfSense re-writes the source port as 5060 is already in use. Your VoIP equipment can't deal with re-written source ports.

    Two solutions as I see it.
    1. Use the siproxd package as suggested in the docs.
    2. Disable NAT across the link and just route traffic. See: http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F Obviously you would still require rules to keep NAT on your WAN interface.

    Disabling NAT may also help other stuff that doesn't like NAT and it's quick and easy to do. That's what I'd try first but I'm coming from almost no VoIP experience!  ;)

    Steve
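To make the mechanism in Steve's answer concrete, here is an added model; it is not pfSense code and not from this thread. It imitates pf's source-NAT state table just closely enough to show the symptom: with the automatic outbound NAT rule that pfSense creates for any interface that has a gateway, every phone's REGISTER reaches the server from the link address 10.0.5.2 with a rewritten source port, while the SIP Via header inside the payload still says 192.168.2.x:5060, so the header and the packet disagree and the two phones are indistinguishable by IP. With NAT disabled on the link (Steve's option 2: manual outbound NAT with the link interface's rule removed, or a "do not NAT" rule), packets are routed untouched and the server sees each phone's real address. The phone addresses, link address and server address follow the thread; the second phone (192.168.2.101), the interface name em2, the sequential port allocator (pf picks randomly within the rule's range) and the exact rule text are assumptions for illustration.

```python
"""Why two SIP phones collide behind pfSense's automatic outbound NAT on the
point-to-point link, and what disabling NAT there (plain routing) changes.

Added example, not pfSense code.  A minimal stand-in for pf's source-NAT
state table.  Addresses follow the thread; the second phone, the interface
name em2, the sequential port allocator and the rule wording are assumptions.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, replace

LINK_IF = "em2"
LINK_IP = "10.0.5.2"            # pfsense1's side of the circuit
LOCAL_LAN = "192.168.2.0/24"    # phones
REMOTE_LAN = "192.168.1.0/24"   # server side
SERVER = "192.168.1.5"
SIP_PORT = 5060


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    via: str   # what the SIP Via/Contact header in the payload advertises


def sip_register(phone_ip: str) -> Packet:
    """A REGISTER from a phone: IP header and SIP Via both say phone:5060."""
    return Packet(phone_ip, SIP_PORT, SERVER, SIP_PORT, f"{phone_ip}:{SIP_PORT}")


def outbound_nat_rules(nat_on_link: bool) -> list[str]:
    """pf rule for the link interface in each mode (wording is illustrative)."""
    if nat_on_link:
        # automatic outbound NAT: generated for every interface with a gateway
        return [f"nat on {LINK_IF} from {LOCAL_LAN} to any -> {LINK_IP} port 1024:65535"]
    # manual/hybrid outbound NAT with the link excluded: route, don't translate
    return [f"no nat on {LINK_IF} from {LOCAL_LAN} to {REMOTE_LAN}"]


class Firewall:
    """Just enough of pf's NAT state handling to reproduce the symptom."""

    def __init__(self, nat_on_link: bool) -> None:
        self.nat_on_link = nat_on_link
        self._ports = itertools.count(1024)         # stand-in for pf's random pick
        self.states: dict[tuple, tuple[str, int]] = {}

    def forward(self, pkt: Packet) -> Packet:
        if not self.nat_on_link:
            return pkt                              # routed untouched
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.states:                  # new flow -> new translation
            self.states[key] = (LINK_IP, next(self._ports))
        nat_ip, nat_port = self.states[key]
        # only the IP/UDP headers are rewritten; the SIP payload (Via) is not
        return replace(pkt, src_ip=nat_ip, src_port=nat_port)


def server_view(nat_on_link: bool, phones: list[str]) -> list[dict]:
    """What the SIP server observes for each phone's REGISTER."""
    fw = Firewall(nat_on_link)
    seen = []
    for phone in phones:
        p = fw.forward(sip_register(phone))
        observed = f"{p.src_ip}:{p.src_port}"
        seen.append({
            "phone": phone,
            "observed": observed,           # IP/UDP source the server sees
            "advertised": p.via,            # address the SIP header claims
            "consistent": observed == p.via,
        })
    return seen


PHONES = ["192.168.2.100", "192.168.2.101"]

if __name__ == "__main__":
    for nat in (True, False):
        print(f"\n-- outbound NAT on {LINK_IF}: {'automatic' if nat else 'disabled'} --")
        for rule in outbound_nat_rules(nat):
            print("rule:", rule)
        for v in server_view(nat, PHONES):
            status = "ok" if v["consistent"] else "MISMATCH"
            print(f"{v['phone']:>15} seen as {v['observed']:<18} Via {v['advertised']:<20} {status}")
```

With NAT on the link both phones are "seen as" 10.0.5.2 with different high ports and every row is a MISMATCH; with NAT disabled each row shows the phone's own address and port on both sides.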

