1. Home
  2. pfSense® Software
  3. IPsec
  4. Multiple subnets

Multiple subnets

  • U

    Hello
    I have a question, I don't know if it's allready been asked, but I couldn't find it

    I have 2 pfsense's running both 2.0.1-RELEASE version, who are connected to each other with a couple of IPSec tunnels the pfsense in the main building does have 14 nics all with their own subnet.
    The other pfsense has 6 NICS all also with own NICS.
    The tunnels are working, but only for the network (subnet) where it's bound to, but I want to reach the other subnets aswell..

    Here a small drawing:

    –-------      IPSEC        --------
    |  PF 1  |  --------------- | PF 2 |
    ---------                        --------
      |  |                                |  |
    192.168.40.0/24              192.168.41.0/24
          |                                  |
          |                                  |
        192.168.70.0/24              192.168.71.0/24

    There are 4 ipsec tunnels, 2 from PF1 -> PF2 and 2 from PF2 -> PF1
    PF1->PF2 Local:192.168.40.0/24 remote:192.168.41.0/24
    PF1->PF2 Local:192.168.70.0/24 remote:192.168.71.0/24
    PF2->PF1 Local:192.168.41.0/24 remote:192.168.40.0/24
    PF2->PF1 Local:192.168.71.0/24 remote:192.168.70.0/24

    When I'm on the 192.168.40.0/24 network I can reach the 192.168.41.0/24 but I can't reach the 192.168.71.0/24

    On both firewalls all traffic is allowed (for testing) and I have played with outbound NAT but only thing I could get working is ping pf2 it's own ip (192.168.71.254)

    On pf 1.x I would have made static routes, but in 2.0 you can only make a route to a gw, and you can't make a gateway wich is outside a subnet...

    How can this be configured?
    Thanks in advance

    0
  • C

    ahhhhgg! I've read about something like this somewhere and can't remember the answer, so someone may put me right in a minute.

    But first thought I had, did you try a second phase 2 across the phase 1 ipsec tunnel for the other networks?

    If I find the proper page or info I'll post it.  Check the wiki and do some searches…

    0
  • C

    Static routes can't and never have influenced IPsec. Just have to make sure you have a P2 with local and remote matching the traffic you want to go over the VPN.

    0
  • U

    I have fixed the problem, but still I think it's strange why it didn't work.
    What I did is I changed te subnets on pf2, I changed 192.168.41.0/24 to 192.168.140.0/24
    and 192.168.71.0/24 to 192.168.170.0/24.
    After that I did setup 2 tunnels on pf1 192.168.0.0/17 -> 192.168.128.0/17 and on pf2 192.168.128.0/17 -> 192.168.0.0/17
    This works perfect, no outbound nat adjustment needed, every subnet is reachable without changing any thing else on the ipsec settings and firewall rules.(they were allready setup right)
    In the old situation I had high pings and package loss (both pf's where connected with a cable of about 300meter) after the change ping was <1ms and no package loss anymore.

    What could this be? Some bad routing?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy