Netgate Discussion Forum

    2 FW/ Gateways, 2 VPNs - 1 netwo - not all systems accessible pending on gateway

    5 Posts 4 Posters 1.6k Views
    SysIT

      Hello all,

      I think I have a... unique situation here, unique for someone clueless in some things, apparently.

      To lay it out, we are migrating from our old network to a new network, mainly a new firewall and ISP, same LAN and internal ranges.

      Old network
      FreeBSD firewall as the main FW/Gateway  LANIP 10.0.2.1
      LAN IP Range 10.0.0.1/24

      New PFSense Firewall  LANIP 10.0.2.254
      LAN IP Range  10.0.0.1/24  - same range

      We have static IPs set on all servers. Basically all I am doing is changing the gateway from 10.0.2.1 to 10.0.2.254 on systems I am moving over to our new network; the new network is also on a new ISP as well.

      The issue I am having is this. We have a VPN connection which goes through the old firewall network; however, via that VPN connection (FreeBSD), you can not RDC into systems with the gateway set for the new PFSense server, 10.0.2.254.

      And vice versa, systems with the gateway 10.0.2.1 can not be accessed via the PFSense VPN.

      I know this is a routing issue I didn't configure right, but not sure where.

      I have VLANs within my pfSense all bound to igb3, the LAN physical interface. Since the VLANs have their own ranges and we assign by static IPs, my igb3 has no IP set on it.

      Not sure if this could be the issue or not, but wanted to get some input first.

      ¸,ø¤°`°¤ø,¸© Poor Planning On Your Part Does Not Constitute An Emergency On My Part ©¸,ø¤°`°¤ø,¸
      ¸,ø¤°`°¤ø,¸© The trouble with life is there’s no background music ©¸,ø¤°`°¤ø,¸
      ¸,ø¤°`°¤ø,¸© Life isnt short, you're just dead for too long©¸,ø¤°`°¤ø,¸

        heper

        This is normal behavior. It is supposed to be that way. it's how routing works ;)

        1) VPNUSER01 sends packet through BSD to LANPC01.
        2) LANPC01 wants to send packet back to VPNUSER01. VPNUSER01 is located in a different subnet; LANPC01 has no static route for that subnet; LANPC01 sends packet to default gateway (PFsense).

        every possible "routing" fix for this will be an ugly hack involving static routes on your lan-devices to particular vpn subnets, or static routes on both BSD&Pfsense.

        can't you just RDP to a device within subnet with correct GW | then RDP from there to the next device ?

          phil.davis

          every possible "routing" fix for this will be an ugly hack involving static routes on your lan-devices to particular vpn subnets, or static routes on both BSD&Pfsense

          Yes, what heper said.
          Your other possibilities:

          1. Migrate everything this weekend and switch off the old router - this is always my preferred solution, be the "network/system manager from hell", cut it all over quick and just wait for what goes wrong and fix it quickly on-the-fly  :)
          2. On each migrated server (which now has pfSense LAN IP as the gateway) add static route/s pointing to the various subnet/s that are reached through the VPN links on the FreeBSD router, with the gateway for those routes 10.0.2.1
          3. Move the VPNs over from the FreeBSD router to the pfSense router - then you will reach the migrated servers and not the old ones  :D

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            SysIT
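          An added illustration (not code from the thread or from pfSense) of the routing decision heper describes and of the static-route fix in phil.davis's option 2. It models LANPC01's routing table with longest-prefix match; the VPN client pool 10.8.0.0/24, the client address 10.8.0.5 and the /22 LAN mask are constructed assumptions, since the thread does not state them.

```python
import ipaddress

# Constructed topology for the thread's scenario (the VPN client pool and
# client address are assumptions; the thread does not state them).
OLD_GW = ipaddress.ip_address("10.0.2.1")       # FreeBSD router, terminates the VPN
NEW_GW = ipaddress.ip_address("10.0.2.254")     # pfSense router
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # constructed VPN client subnet
VPN_USER = ipaddress.ip_address("10.8.0.5")     # constructed VPNUSER01 address
# Assumed /22 so that 10.0.0.x and 10.0.2.x share one LAN, as johnpoz suggests.
LAN = ipaddress.ip_network("10.0.0.0/22")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.

    A gateway of None means the destination is on-link (delivered directly).
    """
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def lanpc_routes(default_gw, static_routes=()):
    """Routing table of a LAN server: connected LAN, default route, optional statics."""
    return [(LAN, None), (DEFAULT, default_gw)] + list(static_routes)


def reply_direction(default_gw, static_routes=()):
    """Where LANPC01 sends its reply to VPNUSER01, whose packet arrived via FreeBSD.

    Returns 'symmetric' when the reply goes back through FreeBSD (the VPN router)
    and 'asymmetric' when it is handed to the other gateway instead.
    """
    hop = next_hop(lanpc_routes(default_gw, static_routes), VPN_USER)
    return "symmetric" if hop == OLD_GW else "asymmetric"


if __name__ == "__main__":
    # Migrated server, no static route: reply leaves via pfSense (heper's step 2).
    print("migrated, no static route:", reply_direction(NEW_GW))
    # phil.davis option 2: a static route for the VPN pool via 10.0.2.1.
    fix = [(VPN_POOL, OLD_GW)]
    print("migrated, with static route:", reply_direction(NEW_GW, fix))
```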

            Appreciate the response, good to know the cause!

            I will likely then just stick with the moving-everything-over route over the next 2 weeks. The people who need access to all the servers can RDP into one box and then go over; that will work for now. Was just hoping there was a quick fix I could do for now.

              johnpoz (LAYER 8 Global Moderator)

              I think you made a typo in your /24

              New PFSense Firewall  LANIP 10.0.2.254
              LAN IP Range  10.0.0.1/24  - same range

              10.0.2 is not the same network as 10.0.0 with a /24 – do you have say a /8 or a say a /22 which would put 10.0.0 on the same network as 10.0.2 ?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.