4. Multiple Site Meshing

Multiple Site Meshing

  • B

    Morning all,

    Are there any recommended configurations for site meshing with Pf?

    Under testing at the moment:
    3x Sites
    Core 1
    Branch 1
    Branch 2

    • Branch 1 & 2 are OpenVPN Clients of Core 1.
    • Branch 1 is also a client of Branch 2.
    • All three sites have a different subnet and these differences are reflected in the OpenVPN settings at server/core, and in the DNS records.
    • Firewall rules between the sites are set explicitly for services required, all appears to work fine.

    Is this fine in this configuration?

    Thanks in advance.

    0
  • P

    Looks good. As you have done, I put the server end at the most main office and client at the remote office, because:
    a) Main offices are in bigger towns, where the ISP is likely to actually allow incoming connections to services, and is likely to actually give me a public IP (and a static IP if I want it), and if a dynamic IP it might change less often.
    b) The client end will find its way out, sourced from an ephemeral port similar to any other user - so it works fine in remote places where the ISP might not be so reliable at giving an actual public IP, or actually allowing incoming connections.
    c) I don't have to rely on remote offices with dynamic IPs having actually successfully updated their dynamic DNS - since there is no server there to have to connect to.

    0
  • B

    Excellent then.
    At the moment the new link has been up for 2 days, want to give it until Friday before enabling the site links in AD too.

    Gotta love Pf at times. :D

    0
  • P

    If your site-to-site links are using failover between multiple WAN links, then you will also want to apply this change to a 2.1 system: https://github.com/pfsense/pfsense/commit/4bf23d320bc96eeabf2daf9024583f2cc5a6662a
    which I mentioned in this thread: https://forum.pfsense.org/index.php/topic,73071.msg399034.html#msg399034

    This fix is in 2.1.1-prerelease, so it will be fixed for real in 2.1.1

    0
  • B

    Thanks for the info.
    We arnt using multi-WAN link via PFSence, we another method for multi-WAN.
    The three hosts are on 2.0.1 rather than 2.1 as a test system i did an upgrade to 2.1 on ended up breaking half the packages and needed a reinstall! :(
    2.0.1 is working for now, "if it aint broke dont fix it" :p

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy