    Inter-VLAN Routing Across VPN

    OpenVPN
      jfinnigan

      yes

        kejianshi

        I think the open-source full mesh VPN solution is TINC.  I know it's been talked about going into pfSense but not sure if it's in 2.1.
        I know it can have NAT issues, but people like you don't have NAT issues.  I'm sorta surprised if it's not already a package in 2.1.

          mikeisfly

          Yes, I know LAN is at layer 2. I don't plan on having the VLAN tags go across the VPN.   The layer 2 VLANs match up to layer 3 subnets (see my OP: all of them are separate subnets/VLANs, which would require routing; the VLANs wouldn't match up for just tagging to work) anyway. All I need is to get all the subnets to be able to route across the VPN and use ACLs at each point to keep the correct subnets where they are supposed to be.

          Also, with my current config on my Cisco routers I have a multipoint VPN (I think it's technically called a Dynamic Multipoint VPN). Is there any feature like this in pfSense, meaning that I don't have just one site being the server and the rest being clients (hub and spoke design) but all sites interconnect?

          I'm sorry I misunderstood your post, I thought you were trying to get your VLANs to persist across the VPN connection. I did see that you are using different VLANs. I was thinking you wanted routing across all sites but just wanted to be sure. I think you would probably need a point-to-point at each site; it sounds kind of ugly but it would accomplish your task. This has me interested now though, it should be possible without all the extra configs, so I will make a mock setup and report back. If you need it done quickly I would do it the ugly way and then work on the routing through the main site. Might be better to make the mesh setup because that way you don't lose connection to the other sites if the main site goes down, and also there is less unneeded processing on the router at your main site.

          https://forum.openwrt.org/viewtopic.php?id=33678

          Neat trick, but I don't think this would work if you wanted to have multiple VLANs go across a VPN connection.

            kejianshi

            I'm sure soon someone will figure a way to build VLAN support smoothly into VPN of some flavour or another, but I'm not seeing it being easy yet.

              jfinnigan

              @mikeisfly:

              Yes, I know LAN is at layer 2. I don't plan on having the VLAN tags go across the VPN.   The layer 2 VLANs match up to layer 3 subnets (see my OP: all of them are separate subnets/VLANs, which would require routing; the VLANs wouldn't match up for just tagging to work) anyway. All I need is to get all the subnets to be able to route across the VPN and use ACLs at each point to keep the correct subnets where they are supposed to be.

              Also, with my current config on my Cisco routers I have a multipoint VPN (I think it's technically called a Dynamic Multipoint VPN). Is there any feature like this in pfSense, meaning that I don't have just one site being the server and the rest being clients (hub and spoke design) but all sites interconnect?

              I'm sorry I misunderstood your post, I thought you were trying to get your VLANs to persist across the VPN connection. I did see that you are using different VLANs. I was thinking you wanted routing across all sites but just wanted to be sure. I think you would probably need a point-to-point at each site; it sounds kind of ugly but it would accomplish your task. This has me interested now though, it should be possible without all the extra configs, so I will make a mock setup and report back. If you need it done quickly I would do it the ugly way and then work on the routing through the main site. Might be better to make the mesh setup because that way you don't lose connection to the other sites if the main site goes down, and also there is less unneeded processing on the router at your main site.

              https://forum.openwrt.org/viewtopic.php?id=33678

              Neat trick, but I don't think this would work if you wanted to have multiple VLANs go across a VPN connection.

              I upgraded one of my boxes to 2.1RC0 and installed TINC (which I've never heard of before; granted, I'm more of a Cisco guy than an open source guy). I haven't tried it in practice yet, but it looks like it will pass all the subnets based on this anyway.

              And TINC has firewall rules, so you can allow subnets only to go to specific subnets.

              Let's hope this works.

              And then since TINC has firewall rules.

                jfinnigan

                @kejianshi:

                I'm sure soon someone will figure a way to build VLAN support smoothly into VPN of some flavour or another, but I'm not seeing it being easy yet.

                L2VPN does this exactly; it provides no security itself though, and I don't believe pfSense does IPsec L2VPN as of yet.

                I never looked into it much, but I believe L2VPN would be similar to router bridging. So it would mess with your broadcast domains and cause more than necessary traffic.

                  kejianshi

                  I think that if you own a nice static public address at every site and don't hit NAT issues (you shouldn't), a full mesh network is good.  It even has the added benefit of not laying all the bandwidth burden on one central server.  In theory, it should make things work a lot faster and offer greater resiliency because nodes can go up and down without taking out the entire network.  I've yet to install it, so please do let me know how it works for you.

                    kejianshi

                    Looking at the rule you are making there…  Will you only be passing TCP?  Because TCP is what's selected there.
                    I also don't know how automatic any rule creation is on the WAN when you use TINC in pfSense, but I do know that there are some ports that have to be opened, either automatically or manually.  655 UDP and TCP for sure.

                      jfinnigan

                      @kejianshi:

                      Looking at the rule you are making there…   Will you only be passing TCP?  Because TCP is what's selected there.

                      It's a blocking rule, and it was for example only. No port was configured either, for that matter.

                        kejianshi

                        Yes.  I see the block at the top now. Almost chopped off, but not quite.

                          jfinnigan

                          I'm not having any luck with it yet. It installed easily though.

                          I have both boxes' WAN ports plugged into our current LAN.
                          One box set to 10.10.100.52
                          Second one 10.10.100.60

                          Both get internet traffic fine.  But they can't ping each other, which I assume is the problem. I did set up a rule on the WAN interface of both to allow ICMP from ANY to ANY.

                          This is the TINC log; either one only shows itself right now. NAME changed to protect the innocent ;)

                          Statistics for Generic BSD tun device /dev/tun0:
                          total bytes in:        620
                          total bytes out:        900
                          Nodes:
                          NAME at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop NAME via NAME pmtu 1518 (min 0 max 1518)
                          End of nodes.
                          Edges:
                          End of edges.
                          Subnet list:
                          192.168.1.0/24#10 owner NAME
                          End of subnet list.

                            kejianshi
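An added diagnostic, not from the thread or from the tinc project: it parses a tinc status dump of the shape posted above and reports the isolated state that dump shows (a Nodes section containing only MYSELF, an empty Edges section, every subnet owned by the local node). The healthy variant, the peer name PEER, the address 203.0.113.5 and the subnet 10.20.0.0/24 are constructed for comparison.

```python
import re
# Constructed sample: the tinc status dump posted above, node name redacted to NAME.
SAMPLE_DUMP = """Statistics for Generic BSD tun device /dev/tun0:
total bytes in:        620
total bytes out:        900
Nodes:
NAME at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop NAME via NAME pmtu 1518 (min 0 max 1518)
End of nodes.
Edges:
End of edges.
Subnet list:
192.168.1.0/24#10 owner NAME
End of subnet list.
"""
# Constructed healthy variant: a hypothetical peer PEER (documentation address) has connected.
HEALTHY_DUMP = SAMPLE_DUMP.replace(
    "Edges:\n", "Edges:\nNAME to PEER at 203.0.113.5 port 655 options c weight 100\n"
).replace("End of subnet list.", "10.20.0.0/24#10 owner PEER\nEnd of subnet list.")
SECTION_STARTS = {"Nodes:": "nodes", "Edges:": "edges", "Subnet list:": "subnets"}

def parse_sections(dump):
    """Group the dump's lines under the Nodes / Edges / Subnet list headers."""
    sections = {name: [] for name in SECTION_STARTS.values()}
    current = None
    for line in dump.splitlines():
        line = line.strip()
        if line in SECTION_STARTS:
            current = SECTION_STARTS[line]
        elif line.startswith("End of "):
            current = None
        elif current and line:
            sections[current].append(line)
    return sections

def diagnose(dump):
    """Summarise mesh state; no edges means no peer ever connected (the poster's state before 655/tcp+udp was allowed on WAN)."""
    s = parse_sections(dump)
    # Node lines read "<name> at <host> ..."; the local node reports its host as MYSELF.
    local = [l.split()[0] for l in s["nodes"] if l.split()[2] == "MYSELF"]
    # Edge lines read "<from> to <to> ..."; each one is an established peer link.
    edges = [(l.split()[0], l.split()[2]) for l in s["edges"]]
    subnets = {}
    for l in s["subnets"]:  # "<prefix>#<weight> owner <node>"
        m = re.match(r"(\S+?)(?:#\d+)? owner (\S+)$", l)
        if m:
            subnets[m.group(1)] = m.group(2)
    remote = sorted(p for p, owner in subnets.items() if owner not in local)
    return {"local": local, "edges": len(edges), "subnets": subnets,
            "remote_subnets": remote, "isolated": not edges}
```

Run `diagnose()` over the output of tinc's status dump on each box; an `isolated` result with no `remote_subnets` on both sides points at the path between them (WAN rules for 655, NAT) rather than at the subnet configuration.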

                            You have your public IP NATed > pfSense boxes?

                            TINC doesn't like NAT.  I assumed you would be setting this right against the public IP as the primary router/firewall, so TINC would not be behind any NAT.
                            I'm not a TINC expert or even a TINC novice for that matter.  I know a few people do chat about using it.
                            The guys at the last DEFCON were saying they use it for their Chaos Network.  Maybe some of their grey hats would be willing to set you up.
                            (Kidding) - I hope you get it worked out.  I might later find an excuse to use it, but not so far.

                              jfinnigan

                              They will each have public IPs in practice.

                              However, I need to do labs with them before I deploy them.

                              Too bad pfSense doesn't have WIC cards like a Cisco router (hehe).

                              I've tried a crossover cable between both boxes, with static WAN IPs (and even tried putting the opposite one as the other's gateway).
                              Tried them on the same switch with  etc.

                              Nothing seems to work to make them talk over a fake WAN locally.  This happens with any of the three VPN technologies currently. Any ideas how to make them talk? I need to do some labs with time to make sure they will configure correctly before I just deploy them.

                                kejianshi

                                If you want to pretend they are in a Public IP environment, with no NAT screwing with them, try this.

                                Use a cheap off-the-shelf old router (like a Linksys or Belkin or whatever).  Use DHCP.
                                Plug the WAN of each of your pfSense boxes into LAN ports on that router.
                                Now they should each get an IP and they shouldn't be behind NAT.
                                At this point they should be able to do whatever it is you are trying to make them do.
                                However, this assumes TINC is working correctly and your settings are correct.
                                I'm not sure what your LAN is like, but I know that a cheap dumb router should let you accomplish this.
                                (Disclaimer - I've never set up TINC, so no idea if the package works.  My fingers are crossed)

                                  jfinnigan

                                  Just an update: I could never get TINC working. It tries to connect and does for a few minutes or so, and then fails.

                                  IPsec works fine though.

                                  Too bad pfSense doesn't have this: http://sourceforge.net/projects/opennhrp/

                                    kejianshi

                                    I'm glad it's working…

                                    "NHRP, GRE and IPsec. It aims to be Cisco DMVPN compatible."

                                    I've had many, many bad experiences with GRE and I avoid it like the plague, but I'll take a look at this.

                                    Are you still on pfSense then?

                                    Other than simply "IPsec", what other issues did you work out?

                                      jfinnigan

                                      You know, one other thing I didn't think about with TINC is that the firewall may need to be opened on WAN for port 655.  All the others (IPsec and OpenVPN) automatically do that without creating rules, but since tinc is not an official package it may not. Just a thought. I'll check it again.

                                        kejianshi

                                        "the firewall may need to be opened on wan for port 655"

                                        haha…  I said that early on, but maybe it was lost in the clutter and frustration.

                                        It happens.

                                          jfinnigan

                                          I feel really dumb now. The firewall rules were the only issue with it not connecting. I'm going to play with the multiple subnets this weekend, but it's looking promising. Seems to have much less overhead than IPsec does too.

                                            kejianshi

                                            To error is human…  And a little funny when it's someone else erroring :D

                                            I feel your pain.  I've been there.

                                            For what it's worth, you sound wicked smart and a fast learner.
