Netgate Discussion Forum
    Multiple Site Meshing

    Category: OpenVPN
    boomam wrote:

      Morning all,

      Are there any recommended configurations for site meshing with Pf?

      Under testing at the moment:
      3x Sites
      Core 1
      Branch 1
      Branch 2

      • Branch 1 & 2 are OpenVPN Clients of Core 1.
      • Branch 1 is also a client of Branch 2.
      • All three sites have a different subnet and these differences are reflected in the OpenVPN settings at server/core, and in the DNS records.
      • Firewall rules between the sites are set explicitly for services required, all appears to work fine.

      Is this fine in this configuration?

      Thanks in advance.

    phil.davis wrote:
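      The three-site layout above, as an added example that is not code from this thread or from pfSense: a small Python checker that models the sites and tunnels, confirms that no two LANs overlap, that every pair of sites has a direct tunnel (so no transit routing is needed), and that no pair is joined twice, then emits the OpenVPN `route` and `iroute` lines each server end needs for its clients' LANs. The site names, subnets and tunnel list are constructed for illustration; pfSense generates the equivalent statements from the "Remote Networks" fields on the server and on each client-specific override.

```python
"""Sanity checks for a small OpenVPN site-to-site mesh.

Added example, not from the forum thread or from pfSense. Site names, LAN
subnets and the tunnel list are constructed to mirror the three-site layout
in the post. Directive syntax is OpenVPN's own ('route', 'iroute').
"""
import ipaddress
from itertools import combinations

# Constructed sample data: one distinct LAN per site.
SITES = {
    "core1":   "10.1.0.0/24",
    "branch1": "10.2.0.0/24",
    "branch2": "10.3.0.0/24",
}

# Tunnels as (server_site, client_site); the client initiates the connection.
TUNNELS = [
    ("core1", "branch1"),
    ("core1", "branch2"),
    ("branch2", "branch1"),
]


def _nets(sites):
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in sites.items()}


def overlapping_subnets(sites):
    """Site pairs whose LANs overlap; such a pair cannot be routed over a mesh."""
    nets = _nets(sites)
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def unreachable_pairs(sites, tunnels):
    """Site pairs with no direct tunnel. Empty for a full mesh; a listed pair
    would need transit through a third site and an extra route on each end."""
    linked = {frozenset(t) for t in tunnels}
    return [p for p in combinations(sorted(sites), 2) if frozenset(p) not in linked]


def duplicate_links(tunnels):
    """Site pairs joined by more than one tunnel, which gives two routes to one LAN."""
    count = {}
    for t in tunnels:
        count[frozenset(t)] = count.get(frozenset(t), 0) + 1
    return sorted(tuple(sorted(k)) for k, n in count.items() if n > 1)


def _route(directive, net):
    # OpenVPN route directives take network and netmask, not CIDR.
    return f"{directive} {net.network_address} {net.netmask}"


def server_directives(sites, tunnels):
    """Per server site and client: the kernel 'route' the server config needs for
    the client's LAN, and the 'iroute' that a multi-client TLS server needs in that
    client's client-specific override so OpenVPN knows which client owns the LAN."""
    nets = _nets(sites)
    out = {}
    for server, client in tunnels:
        out.setdefault(server, {})[client] = [
            _route("route", nets[client]),   # in the server's main config
            _route("iroute", nets[client]),  # in the CSO for this client
        ]
    return out


def client_directives(sites, tunnels):
    """Per client site: a 'route' to the LAN of each server it tunnels to."""
    nets = _nets(sites)
    out = {}
    for server, client in tunnels:
        out.setdefault(client, []).append(_route("route", nets[server]))
    return out


def check_mesh(sites, tunnels):
    """All problems found, as strings; an empty list means the layout is consistent."""
    problems = [f"overlapping LANs: {a} / {b}" for a, b in overlapping_subnets(sites)]
    problems += [f"no direct tunnel: {a} <-> {b}" for a, b in unreachable_pairs(sites, tunnels)]
    problems += [f"duplicate tunnel: {a} <-> {b}" for a, b in duplicate_links(tunnels)]
    return problems


if __name__ == "__main__":
    for line in check_mesh(SITES, TUNNELS) or ["mesh OK"]:
        print(line)
    for server, clients in server_directives(SITES, TUNNELS).items():
        for client, lines in clients.items():
            print(f"[{server} <- {client}] " + " | ".join(lines))
```

      Removing the Branch 2 to Branch 1 tunnel from `TUNNELS` makes `check_mesh` report that pair as having no direct tunnel, which is the case where traffic would have to transit Core 1 and both branches would need an extra route for each other's LAN.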

        Looks good. As you have done, I put the server end at the most main office and client at the remote office, because:
        a) Main offices are in bigger towns, where the ISP is likely to actually allow incoming connections to services, and is likely to actually give me a public IP (and a static IP if I want it), and if a dynamic IP it might change less often.
        b) The client end will find its way out, sourced from an ephemeral port similar to any other user - so it works fine in remote places where the ISP might not be so reliable at giving an actual public IP, or actually allowing incoming connections.
        c) I don't have to rely on remote offices with dynamic IPs having actually successfully updated their dynamic DNS - since there is no server there to have to connect to.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        boomam wrote:

          Excellent then.
          At the moment the new link has been up for 2 days, want to give it until Friday before enabling the site links in AD too.

          Gotta love Pf at times. :D

          phil.davis wrote:

            If your site-to-site links are using failover between multiple WAN links, then you will also want to apply this change to a 2.1 system: https://github.com/pfsense/pfsense/commit/4bf23d320bc96eeabf2daf9024583f2cc5a6662a
            which I mentioned in this thread: https://forum.pfsense.org/index.php/topic,73071.msg399034.html#msg399034

            This fix is in 2.1.1-prerelease, so it will be fixed for real in 2.1.1


            boomam wrote:

              Thanks for the info.
              We aren't using multi-WAN links via pfSense; we use another method for multi-WAN.
              The three hosts are on 2.0.1 rather than 2.1, as a test system I upgraded to 2.1 ended up breaking half the packages and needed a reinstall! :(
              2.0.1 is working for now, "if it ain't broke, don't fix it" :p

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.