    Inter-Vlan Routing Accross VPN

    47 Posts 4 Posters 21.3k Views
kejianshi

You have your public IP NATed > pfSense boxes?

      TINC doesn't like NAT.  I assumed you would be setting this right against the public IP as the primary router/firewall so TINC would not be behind any NAT.
      I'm not a TINC Expert or even TINC novice for that matter.  I know a few people do chat about using it.
      The guys at the last DEFCON were saying they use it for their Chaos Network.  Maybe some of their grey hats would be willing to set you up.
      (Kidding) - I hope you get it worked out.  I might later find an excuse to use it, but not so far.

jfinnigan

        They will each have Public IPs in practice.

However, I need to do labs with them before I deploy them.

Too bad pfSense doesn't have WIC cards like a Cisco router (hehe).

I've tried a cross-over cable between both boxes, with static WAN IPs (and even tried putting the opposite one as the other's gateway).
Tried them on the same switch with etc.

        Nothing seems to work to make them talk over a fake WAN locally.  This happens with any of the three VPN technologies currently. Any Ideas how to make them talk? I need to do some labs with time to make sure they will configure correctly before I just deploy them.

kejianshi

          If you want to pretend they are in a Public IP environment, with no NAT screwing with them, try this.

          Use a cheap off the shelf old router (like a linksys or belkin or whatever).  Use DHCP.
          Plug the WAN of each of your PFsense boxes into LAN ports on that router.
Now, they should each get an IP and they shouldn't be behind NAT.
          At this point they should be able to do whatever it is you are trying to make them do.
          However, this assumes TINC is working correctly and your settings are correct.
          I'm not sure what your LAN is like, but I know that a cheap dumb router should let you accomplish this.
          (Disclaimer - I've never set up TINC, so no idea if the package works.  My fingers are crossed)

jfinnigan

Just an update: I could never get TINC working. It tries to connect and does for a few minutes or so, and then fails.

            IPSEC works fine though.

Too bad pfSense doesn't have this: http://sourceforge.net/projects/opennhrp/

kejianshi

I'm glad it's working…

              "NHRP, GRE and IPsec. It aims to be Cisco DMVPN compatible."

I've had many, many bad experiences with GRE and I avoid it like the plague, but I'll take a look at this.

              Are you still on pfsense then?

              Other than simply "IPSEC" what other issues did you work out?

jfinnigan

You know, one other thing I didn't think about with TINC is that the firewall may need to be opened on WAN for port 655. All the others (IPsec and OpenVPN) automatically do that without creating rules, but since tinc is not an official package it may not. Just a thought. I'll check it again.

kejianshi

                  "the firewall may need to be opened on wan for port 655"

                  haha…  I said that early on, but maybe it was lost in the clutter and frustration.

                  It happens.

jfinnigan

I feel really dumb now. The firewall rules were the only issue with it not connecting. I'm going to play with the multiple subnets this weekend, but it's looking promising. Seems to have much less overhead than IPsec does too.

kejianshi

To err is human… And a little funny when it's someone else erring :D

                      I feel your pain.  I've been there.

For what it's worth, you sound wicked smart and a fast learner.

jfinnigan

FYI, this is working great. It's been in production for a while now. Great throughput, even over the TINC VPN.

Now the only thing I wish I could figure out is how to get pfSense to do local DNS lookup for DHCP clients that don't specify a domain, just a hostname.

kejianshi

                          Services > DNS forwarder

                          Options there don't get you what you want?

jfinnigan

It works if I do an nslookup/ping for Computer.localdomain, but just Computer does not work. If I do the nslookup or ping from pfSense itself, it works with just the computer hostname.

kejianshi

I wonder if a Ubuntu machine with Samba 4.0 set up as a WINS server would help?

jfinnigan

Oh yeah, I forgot how DNS works there :)

                                I wonder if there is a pre-made WINS Server VM for ESXI lol.

kejianshi

Probably. But it's stupid easy to make your own, and you have demonstrated the ability. I think it would be a piece of cake for you. Just set it up to act as your DC.

jfinnigan

I only needed DNS to work from staff VLANs -> public and not vice versa. Our staff VLAN doesn't use pfSense for DHCP/DNS; it uses our domain controllers.

So what I did was:
Make each pfSense box a different domain so different DNS suffixes would be appended to the hostnames.
On the DNS server on the domain controllers, I set up conditional forwarders for the pfSense domains.
In Group Policy, set the DNS Suffix Search List to a comma-separated list with our Windows domain first and the pfSense domains after.

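As an added illustration (not part of the post above), here is a small Python model of how a Windows-style client walks a DNS suffix search list, showing why each pfSense box needs its own domain and why the Windows domain goes first. The zones, hostnames and addresses are constructed, and multi-label names are simplified to "fully qualified, look up as-is".

```python
"""Suffix-search resolution as described in the post (constructed example)."""
from typing import Optional, List

# Constructed zone data: the Windows domain plus one zone per pfSense box.
# Giving each box its own domain is what makes "printer" vs "printer" distinguishable.
ZONES = {
    "corp.example": {"dc01": "10.10.0.5", "printer": "10.10.0.20"},
    "site1.lan": {"printer": "192.168.1.50", "cam1": "192.168.1.60"},
    "site2.lan": {"cam1": "192.168.2.60", "nas": "192.168.2.70"},
}

# Search list as pushed by Group Policy: Windows domain first, pfSense domains after.
SEARCH_LIST = ["corp.example", "site1.lan", "site2.lan"]


def lookup(fqdn: str) -> Optional[str]:
    """Lookup of a fully qualified name against the constructed zones
    (stands in for the DC's own zone plus its conditional forwarders)."""
    host, _, zone = fqdn.rstrip(".").lower().partition(".")
    return ZONES.get(zone, {}).get(host)


def resolve(name: str, search_list: List[str] = SEARCH_LIST) -> Optional[str]:
    """Resolve like a client with a DNS suffix search list.

    A name containing a dot is treated as fully qualified (simplification).
    A single-label name is tried with each suffix in order; the first hit wins,
    so the order of the search list decides which zone wins a name collision.
    """
    if "." in name.rstrip("."):
        return lookup(name)
    for suffix in search_list:
        addr = lookup(f"{name}.{suffix}")
        if addr is not None:
            return addr
    return None


def resolve_all(name: str, search_list: List[str] = SEARCH_LIST) -> List[str]:
    """Every suffix under which a single-label name exists; more than one
    entry means the name is ambiguous and only the list order picks a winner."""
    return [s for s in search_list if lookup(f"{name}.{s}") is not None]
```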
kejianshi

                                      That sounds fun…  Did it work?

jfinnigan

It's working great so far. Sadly, if I integrated it to sync between DNS Server/Active Directory it fails, but if I put it manually on each of them it works fine.

thetallkid

                                          jfinnigan, I have a few setup related questions about tinc.

Under VPN --> Tinc --> Hosts
                                          Should the public key be the same as the one used in the Config section?

jfinnigan

The ones under Hosts should be the public key from the other hosts you are connecting to, not the same as the public key you configured on that box. (For security, all hosts should use different public/private keys.)
