Site to site - multiple subnets


  • Hi all

    I'm currently running a site-to-site setup with a different subnet on each side (Site A - 10.54.100.0/23, Site B - 10.54.110.0/23) and I've been asked if we could use another subnet, the same on both sites (Site A,B - 10.54.120.0/24 & 10.54.121.0/24), in order to run StarWind iSCSI SAN High Availability.
    Basically, it looks like this:

                      / 10.54.100.0/23 (currently up&running)
    Site A >> OpenVPN --new 10.54.120.0/24 (or /23, but I don't know if the software accepts this config)
                      |      \ new 10.54.121.0/24
                      |
                  Internet
                      |
                      |      / 10.54.121.0/24
    Site B >> OpenVPN --new 10.54.120.0/24 (or /23, but I don't know if the software accepts this config)
                              \ new 10.54.110.0/23 (currently up&running)

    What do you suggest?

    PS:

    • 120 & 121 don't need any peering with other subnets
    • Can I use a VPN Tunnel Network of e.g. 10.0.8.0/23? If yes, any hint would be helpful
    • The current subnets (100 & 110) can't be modified

    Thanks in advance

    Bugo
    SysAdmin


  • @Bugo:

                       / 10.54.100.0/23 (currently up&running)
    Site A >> OpenVPN --new 10.54.120.0/24 (or /23, but I don't know if the software accepts this config)
                       |       \ new 10.54.121.0/24
                       |
                  Internet
                       |
                       |       / 10.54.121.0/24
    Site B >> OpenVPN --new 10.54.120.0/24 (or /23, but I don't know if the software accepts this config)
                               \ new 10.54.110.0/23 (currently up&running)

    I guess you do not mean to have 10.54.120.0/24 and 10.54.121.0/24 on both sites? If you need a subnet at 2 sites, then you will have to use TAP mode on an OpenVPN connection to bridge the subnet across the sites.
    If you do not need lots of addresses, then I would use the KISS principle - and use /24 subnet masks. It is easier for mortals to understand.
    If you can have the systems at each site in a different subnet, then something like:

                         / 10.54.100.0/23 (currently up&running)
    Site A >> OpenVPN --new 10.54.120.0/24
                       |
                       |
                  Internet
                       |  OpenVPN TUN 10.n.n.n/24 (whatever your current tunnel subnet is)
                       |
    Site B >> OpenVPN --new 10.54.121.0/24
                               \ 10.54.110.0/23 (currently up&running)
    
    

    I guess that you already have an OpenVPN tunnel between the sites. You can use that. In the Advanced box, just tell the OpenVPN tunnel about the extra network at the other end:
    In Site A OpenVPN Advanced put:

    route 10.54.121.0 255.255.255.0
    

    In Site B OpenVPN Advanced put:

    route 10.54.120.0 255.255.255.0
    

    Make sure that your Firewall Rule/s on OpenVPN allow the new subnets (many people already have an allow all rule on their internal site-to-site OpenVPNs).
    When you add the new interfaces/subnets on each end, make sure to add Firewall Rules on those interfaces to allow the traffic.

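The routed (TUN) layout in the reply above boils down to two checks and two lists of `route` lines. The following is an added example, not code from the thread or from pfSense/OpenVPN: it takes the thread's site subnets and the 10.0.8.0/24 tunnel network Bugo mentions, flags anything that cannot be routed (the same prefix at both sites, which is exactly the case that needs a TAP bridge, or a tunnel network colliding with a LAN), and prints the `route <network> <netmask>` directives each side would put in its OpenVPN Advanced box for every network behind the other site. Site names and the dictionary shape are assumptions for the example.

```python
"""Plan OpenVPN 'route' directives for a routed (TUN) site-to-site link.

Added example, not from the forum thread. Subnets are the ones the thread
uses; the site names and data layout are constructed for this example.
"""
from ipaddress import ip_network


def check_overlaps(sites: dict, tunnel: str) -> list:
    """Return a list of human-readable problems, empty when the plan is routable.

    Problems reported:
      * a network at one site overlaps a network at another site (same /24 at
        both ends, or a /23 that swallows the other side's /24): TUN routing
        cannot express that, only a TAP bridge can;
      * the tunnel network overlaps any site LAN.
    strict=True also rejects prefixes with host bits set (e.g. 10.54.121.0/23).
    """
    nets = {name: [ip_network(s, strict=True) for s in subnets]
            for name, subnets in sites.items()}
    tun = ip_network(tunnel, strict=True)
    problems = []
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in nets[a]:
                for nb in nets[b]:
                    if na.overlaps(nb):
                        problems.append(
                            f"{na} at {a} overlaps {nb} at {b}: cannot be routed "
                            f"over TUN; the same subnet at two sites needs a TAP bridge")
    for name, ns in nets.items():
        for n in ns:
            if n.overlaps(tun):
                problems.append(f"tunnel network {tun} overlaps {n} at {name}")
    return problems


def route_lines(sites: dict, local: str) -> list:
    """OpenVPN 'route' directives for the Advanced box at site `local`:
    one line per network behind every *other* site, in netmask notation."""
    lines = []
    for name, subnets in sites.items():
        if name == local:
            continue
        for s in subnets:
            n = ip_network(s, strict=True)
            lines.append(f"route {n.network_address} {n.netmask}")
    return lines


if __name__ == "__main__":
    # Constructed input: the thread's existing /23 at each site plus one new
    # /24 per site, as phil.davis's second diagram proposes.
    sites = {
        "Site A": ["10.54.100.0/23", "10.54.120.0/24"],
        "Site B": ["10.54.110.0/23", "10.54.121.0/24"],
    }
    for problem in check_overlaps(sites, "10.0.8.0/24"):
        print("PROBLEM:", problem)
    for site in sites:
        print(f"# {site} OpenVPN Advanced:")
        print("\n".join(route_lines(sites, site)))
```

Run it with the same /24 listed under both sites (Bugo's original request) and `check_overlaps` reports the collision instead of emitting routes, which is the point of the reply: identical subnets at both ends are a bridging problem, not a routing one. Routes alone are not enough; the firewall rules on the OpenVPN interface and on the new LAN interfaces still have to allow the traffic, as the post says.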

  • Thanks for quick response.

    @phil.davis:

    If you need a subnet at 2 sites, then you will have to use TAP mode on an OpenVPN connection to bridge the subnet across the sites.

    This is what I need and already tried, but no results - same subnet on both sites (if this worked, then I'd use 2 subnets as below, but to keep it short, let's say just one for now). Check this guide http://www.vuemuer.it/en/?p=3563

    So, to summarise:

    • VPN 1: TUN mode site-to-site, which works great and is going to keep running for good
    • VPN 2: TAP bridge for a new LAN (10.54.120.0/whatever - I need only 6 IPs). I tried to bridge the new LAN interface with the VPN 2 interface (Site A runs the 10.54.120.1 gateway and Site B runs the 10.54.120.254 gateway, because it seems illogical for identical gateways to work, or am I wrong?). All ports are open in the firewall at A & B for both interfaces. The two gateways can ping each other, but that's where it stops.

    Site A >> VPN 1 --10.54.100.0/22
                      |
              TUN 10.0.8.0/24
                      |
    Site B >> VPN 1 -- 10.54.110.0/23

    Site A >> VPN 2 --new 10.54.120.0/24 >> GW 10.54.120.1 >> clients 10.54.120.10,11,12
                      |
              TAP 10.0.9.0/24
                      |
    Site B >> VPN 2 --new 10.54.120.0/24 >> GW 10.54.120.254 >> clients 10.54.120.13,14,15

    It will be nice if i can combine those 2 VPNs in one, but in a later episode :)


  • @Bugo:

    The two gateways can ping each other, but not there it stops.

    Sorry for my English. I was trying to say that I can ping the OVPN interfaces, not LAN to LAN.

    Looks like the bridge doesn't work between 2 ESXi boxes (I use virtualized pfSense on each site with promisc mode on). Can someone confirm this issue, or give any clue where to start looking for a solution? What did I miss?
    I discovered this after a different approach: bridge mode was successful using an ESXi on site 1 and a physical machine on site 2. It works with every version - 2.0.1/2.0.2/2.1beta, same config as in the previous failed tests.

    Thanks


  • Problem solved:

    • reinstalled both ESXi machines (promisc mode on)
    • reinstalled both VM pfSense (2.1beta i386)
    • configured OVPN bridge (tap) first > works ok
    • configured OVPN tunnel (tun)
    • all working smoothly

    I should've done this from the beginning, instead of trying to fix whatever was broken.

    This topic can be closed.

    Thanks again