Multiple Site Meshing

  • Morning all,

    Are there any recommended configurations for site meshing with Pf?

    Under testing at the moment:
    3x Sites
    Core 1
    Branch 1
    Branch 2

    • Branch 1 & 2 are OpenVPN Clients of Core 1.
    • Branch 1 is also a client of Branch 2.
    • All three sites have a different subnet and these differences are reflected in the OpenVPN settings at server/core, and in the DNS records.
    • Firewall rules between the sites are set explicitly for services required, all appears to work fine.

    Is this fine in this configuration?

    Thanks in advance.
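The topology above (three distinct LAN subnets, two tunnels to the core plus one branch-to-branch tunnel) can be sanity-checked before traffic is trusted across it. The following is an added example, not code from the thread or from pfSense; the site names, the /24 subnets and the tunnel list are constructed to mirror the post.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample topology matching the thread: three sites with distinct LANs.
SITES = {
    "Core 1":   "10.1.0.0/24",
    "Branch 1": "10.2.0.0/24",
    "Branch 2": "10.3.0.0/24",
}
# (server_site, client_site) pairs: Core 1 serves both branches,
# and Branch 1 is additionally a client of Branch 2.
TUNNELS = [("Core 1", "Branch 1"), ("Core 1", "Branch 2"), ("Branch 2", "Branch 1")]


def overlapping_subnets(sites):
    """Pairs of sites whose LAN subnets overlap.

    A routed site-to-site VPN cannot distinguish two sites that share
    address space, so any overlap here must be fixed before meshing."""
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def missing_direct_links(sites, tunnels):
    """Site pairs with no direct tunnel.

    Such pairs can only talk by hairpinning through a third site, which
    needs extra routes there and is a common source of one-way traffic."""
    linked = {frozenset(t) for t in tunnels}
    return [(a, b) for a, b in combinations(sites, 2) if frozenset((a, b)) not in linked]


def remote_networks(site, sites, tunnels):
    """The 'remote network' subnets a site's OpenVPN instances must route,
    one per tunnel peer; compare against the server/client settings."""
    peers = {b if a == site else a for a, b in tunnels if site in (a, b)}
    return sorted(sites[p] for p in peers)


def report(sites, tunnels):
    """Summarise the checks; an empty list under each key means the mesh is consistent."""
    return {
        "overlapping": overlapping_subnets(sites),
        "unlinked": missing_direct_links(sites, tunnels),
        "remote_networks": {s: remote_networks(s, sites, tunnels) for s in sites},
    }
```

Each remote-network list should match the explicit firewall rules on that site's OpenVPN interface; a subnet that is routed but has no rule (or a rule for a subnet that is not routed) is the mismatch worth hunting for.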

  • Looks good. As you have done, I put the server end at the main office and the client at the remote office, because:
    a) Main offices are in bigger towns, where the ISP is likely to actually allow incoming connections to services, and is likely to actually give me a public IP (and a static IP if I want it), and if a dynamic IP it might change less often.
    b) The client end will find its way out, sourced from an ephemeral port similar to any other user - so it works fine in remote places where the ISP might not be so reliable at giving an actual public IP, or actually allowing incoming connections.
    c) I don't have to rely on remote offices with dynamic IPs having actually successfully updated their dynamic DNS - since there is no server there to have to connect to.

  • Excellent then.
    At the moment the new link has been up for 2 days, want to give it until Friday before enabling the site links in AD too.

    Gotta love Pf at times. :D

  • If your site-to-site links are using failover between multiple WAN links, then you will also want to apply this change to a 2.1 system:
    which I mentioned in this thread:,73071.msg399034.html#msg399034

    This fix is in 2.1.1-prerelease, so it will be fixed for real in 2.1.1.

  • Thanks for the info.
    We aren't using multi-WAN links via pfSense; we use another method for multi-WAN.
    The three hosts are on 2.0.1 rather than 2.1, as a test system I did an upgrade to 2.1 on ended up breaking half the packages and needed a reinstall! :(
    2.0.1 is working for now, "if it ain't broke, don't fix it" :p
