Multi-VPN to one Site



  • Hi,

    I've got a question.
    I have SiteA and SiteB.
    They are already connected by a VPN.

    But now I wanted to add a second, much faster connection for some protocols like HTTP.
    Is that possible?
    Because then there are two routes to one subnet.

    Let's say SiteA is 10.10.1.0 and SiteB is 10.10.2.0.

    Now the route at SiteA is 10.10.2.0 through Router1 (it is the VPN router).
    But how do I say: 10.10.2.0 HTTP traffic through Router2 (it would be the 2nd VPN router)?

    The first VPN is done by hardware. The second I want to do by VPN, while pfSense should route the traffic.
    One default route for everything, and one route (higher priority) for only some protocols.

    Is it possible?

    I mean, when there is a default route to 10.10.2.0, does the firewall rule for HTTP through gateway X then have a higher priority, or does it then not work?

    Many thx.




  • I did not do that, but it should work like this:

    You must assign VPN2 as an interface on both sites. Then you can create firewall rules on your LAN interfaces and select VPN2 as the gateway for this traffic. Then it should work.

    Another possibility I would think about, and which was tested and explained here somewhere in the forum, is to use a routing protocol like OSPF or Quagga. There you would activate OSPF on both pfSense boxes on the VPN interfaces, and then it will do some kind of load balancing between both pfSense boxes using both VPN1 and VPN2. This would help you with all protocols.

    Good luck!



  • Ok, thanks,

    the first thing is not working. When I set up the same subnet on Site B VPN2, the VPN stops working; when I change it to an unused one, it is working again.

    Hm, I have to test these dynamic routes then.

    THANKS :)



  • @hans2k6:

    Ok, thanks,

    the first thing is not working. When I set up the same subnet on Site B VPN2, the VPN stops working; when I change it to an unused one, it is working again.

    Hm, I have to test these dynamic routes then.

    THANKS :)

    Hi,

    I do not mean you have to use the same subnet on both sites. This will of course not work.

    On site A you have OpenVPN-Server1 (VPN1) running and on site B you have OpenVPN-Client1 (VPN1) running.
    Now you added on site A a second OpenVPN-Server2 (VPN2) and on site B a second OpenVPN-Client2 (VPN2).

    So if this configuration is up and running, you cannot yet do policy-based routing and redirect your HTTPS through the VPN2 connection. You need to assign an interface with type "none" (if I remember correctly) for OpenVPN-Server2 and OpenVPN-Client2. Then you can use this interface as the gateway in your firewall rules.

    And if you try to use dynamic routing, then you need to assign interfaces for OpenVPN-Server1 and OpenVPN-Client1 too, if I remember correctly.

    :)
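The two answers above describe one mechanism: assign the second OpenVPN instance as an interface, then set that interface's gateway on a LAN firewall rule, so matching traffic is policy-routed while everything else follows the static route, and optionally use a gateway group for failover. The Python model below is an added example, not pfSense code and not code from anyone in this thread; it simulates the decision order a practitioner relies on: a first-match firewall rule with a gateway wins over the routing table, a rule whose gateway (or whole gateway group) is down falls back to the routing table, and gateway groups fail over by tier. The gateway names, the subnets and the down-gateway fallback are assumptions built into the model, not values taken from the thread.

```python
# Added, simplified model of pfSense-style policy-based routing.
# Not pfSense code: names, subnets and the fallback behaviour are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Gateway:
    name: str
    up: bool = True          # gateway monitoring state (assumed)


@dataclass
class GatewayGroup:
    name: str
    tiers: Dict[str, int]    # member gateway -> tier; tier 1 is preferred (failover)


@dataclass
class PolicyRule:
    """A LAN firewall rule with an explicit gateway (policy routing)."""
    iface: str
    proto: Optional[str]     # None matches any protocol
    dst: ipaddress.IPv4Network
    dport: Optional[int]     # None matches any port
    gateway: str             # gateway or gateway-group name


@dataclass
class StaticRoute:
    dst: ipaddress.IPv4Network
    gateway: str


class PolicyRouter:
    def __init__(self, gateways, groups, rules, routes, default_gateway):
        self.gateways = {g.name: g for g in gateways}
        self.groups = {g.name: g for g in groups}
        self.rules = rules            # evaluated first-match, like interface rules
        self.routes = routes
        self.default_gateway = default_gateway

    def _usable_gateway(self, name: str) -> Optional[str]:
        """Resolve a gateway or group name to an up gateway, or None if all are down."""
        if name in self.gateways:
            return name if self.gateways[name].up else None
        for member, _tier in sorted(self.groups[name].tiers.items(), key=lambda kv: kv[1]):
            if self.gateways[member].up:
                return member
        return None

    def select(self, iface: str, proto: str, dst_ip: str, dport: int) -> Tuple[str, str]:
        dst = ipaddress.ip_address(dst_ip)
        # 1. Policy routing: the first matching rule with a gateway overrides the routing table.
        for rule in self.rules:
            if rule.iface != iface or dst not in rule.dst:
                continue
            if rule.proto is not None and rule.proto != proto:
                continue
            if rule.dport is not None and rule.dport != dport:
                continue
            gw = self._usable_gateway(rule.gateway)
            if gw is not None:
                return gw, f"policy rule via {rule.gateway}"
            break  # rule's gateway(s) down: fall back to the routing table (assumed behaviour)
        # 2. Routing table: longest-prefix static route wins.
        best = None
        for route in self.routes:
            if dst in route.dst and (best is None or route.dst.prefixlen > best.dst.prefixlen):
                best = route
        if best is not None:
            return best.gateway, f"static route {best.dst}"
        # 3. Otherwise the default route.
        return self.default_gateway, "default route"


def build_example(vpn2_up: bool = True, use_group: bool = False) -> PolicyRouter:
    """Constructed scenario mirroring the thread: VPN1 carries the static route to
    Site B; VPN2 is used only for HTTP to Site B via a policy rule (or a failover group)."""
    site_b = ipaddress.ip_network("10.10.2.0/24")
    gateways = [Gateway("WAN_GW"), Gateway("VPN1_GW"), Gateway("VPN2_GW", up=vpn2_up)]
    groups = [GatewayGroup("VPN_GROUP", {"VPN2_GW": 1, "VPN1_GW": 2})]
    target = "VPN_GROUP" if use_group else "VPN2_GW"
    rules = [PolicyRule("lan", "tcp", site_b, 80, target)]
    routes = [StaticRoute(site_b, "VPN1_GW")]
    return PolicyRouter(gateways, groups, rules, routes, "WAN_GW")


if __name__ == "__main__":
    r = build_example()
    print(r.select("lan", "tcp", "10.10.2.5", 80))   # HTTP -> VPN2 by policy rule
    print(r.select("lan", "tcp", "10.10.2.5", 22))   # SSH  -> VPN1 by static route
    print(build_example(vpn2_up=False).select("lan", "tcp", "10.10.2.5", 80))
    print(build_example(vpn2_up=False, use_group=True).select("lan", "tcp", "10.10.2.5", 80))
```

The useful check for the question at the top of the thread is the second and third calls: non-HTTP traffic to Site B never touches the policy rule and keeps using the static route over VPN1, and when VPN2 is down the HTTP rule is skipped rather than blackholing the traffic. Using a gateway group in the rule instead of a single gateway gives the tiered failover the thread later asks about.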



  • ~~Ok, misunderstanding.
    Of course I do not have the same IPs in the VPN.

    The easiest way would be if I were able to set up a failover route.

    For example:
    10.10.2.0 through 192…..1
    and
    10.10.2.0 through 192......2

    for example.

    Even easier would be if I could use GW-Group levels for doing that.
    Then I would have a failover and I would route everything first through the first gateway, then when it's down through the second gateway.

    But I will try it again with your ideas in the post,
    because before I added the VPN as a DHCP interface.
    Maybe this was my mistake.~~

    THANKS :)

    EDIT:
    Ok, I think I can make it work through RULES (with GW) instead of ROUTES.
    But when I configure an interface (opt2) with the OpenVPN connection (IPv4 none), then the RULE is NOT working. It is going through the default route.