Not able to use point to point WAN link on pfSense with no NAT



  • I am trying to use a point to point WAN link on pfSense with routing but no NAT. I am able to reach the Internet but not the local net. Here is the setup:

    Site A (Head office) has:

    • pfSense firewall with multi-wan loadbalancing
    • Two internet leased lines
    • Active Directory
    • NAS for user shares & other servers
    • subnet: 192.168.1.0/24

    Site B (Branch office) has:

    • Cisco RV042 multiwan router
    • Single 8 Mbps broadband link
    • Windows users in the branch need to reach AD and the NAS at Site A to work, and access the Internet through Site A.
    • subnet: 192.168.2.0/24

    A point to point fibre link (100 Mbps) is laid from Site B to Site A by a local SP (not MPLS, and there is no IP).

    With the help of this article, I successfully configured a site to site IPsec VPN with Site A as the default Internet gateway: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

    Our original plan is to use the point to point fibre as the primary WAN link and the VPN as backup.

    Now I have terminated the fibre on the OPT1 interface on pfSense. Used the following IPs:

    SiteA:
    OPT1 IP:10.20.20.1/30
    Gateway:10.20.20.2
    Added static route: Destination:192.168.2.0/24 --> use gateway 10.20.20.1

    SiteB:
    WAN2 IP:10.20.20.1/30
    Gateway:10.20.20.1
    Added static route: Destination:192.168.1.0/24 --> use gateway 10.20.20.2

    Created firewall rules on OPT1 to allow all networks. Enabled manual outbound NAT, created NAT rules for the Site A subnet to NAT with the WAN IPs. Created a NAT rule for the OPT1 interface and configured 'Do not NAT'.

    Despite all this, I am not able to reach the Site A LAN net from Site B. Changed the Cisco device from 'Gateway' mode to 'Router' mode, but it didn't help (the IPsec VPN stops working too). Enabled RIPv2 on both devices and they learnt all routes, but no traffic.

    Both devices can ping each other's gateways over the fibre. If I tracert from Site B to a Site A IP, the packet drops at the Site B gateway itself (192.168.2.1). Strangely, I am able to ping/trace very few IPs from Site A to Site B.

    I have tried various other combinations and checked logs for drops on both devices, but no luck. I am not able to find out whether it's a routing issue or NAT. Could someone please help me with where and what to look for?
    Thanks in advance.
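The symptom described above (traceroute dying at the local gateway while both link endpoints ping each other) is usually a static-route problem rather than a NAT one. The script below is an added example, not anything from the thread or from pfSense; it models two routers with constructed addresses loosely patterned on the post, sanity-checks each static route (gateway must be the far end of a directly connected link, never one of the box's own addresses) and walks a packet hop by hop so you can see where a path breaks before touching the real boxes. All device names, addresses and routes are constructed for illustration.

```python
"""Static-route sanity checks and a hop-by-hop path walk for a two-site setup.

Added example. Every interface address and route below is constructed for
illustration; none of it is taken from a real device.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    address: str             # CIDR notation, e.g. "10.20.20.1/30"


@dataclass(frozen=True)
class Route:
    destination: str         # CIDR prefix, e.g. "192.168.2.0/24"
    gateway: Optional[str]   # None means directly connected
    interface: str


@dataclass
class Router:
    name: str
    interfaces: List[Interface]
    static_routes: List[Route]

    def routes(self) -> List[Route]:
        """Connected routes derived from the interfaces, plus the static ones."""
        connected = [Route(str(ipaddress.ip_interface(i.address).network), None, i.name)
                     for i in self.interfaces]
        return connected + self.static_routes

    def owns(self, addr: str) -> bool:
        """True if addr is one of this router's own interface addresses."""
        return any(ipaddress.ip_interface(i.address).ip == ipaddress.ip_address(addr)
                   for i in self.interfaces)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same rule a real forwarding table applies."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def check_static_routes(router: Router) -> List[str]:
    """Flag static routes whose gateway cannot be used as a next hop."""
    problems = []
    local = {str(ipaddress.ip_interface(i.address).ip): i.name for i in router.interfaces}
    for r in router.static_routes:
        if r.gateway is None:
            continue
        if r.gateway in local:
            problems.append(f"{r.destination}: gateway {r.gateway} is this box's own address on "
                            f"{local[r.gateway]}; the gateway must be the far end of the link")
            continue
        gw = ipaddress.ip_address(r.gateway)
        on_link = [i.name for i in router.interfaces
                   if gw in ipaddress.ip_interface(i.address).network]
        if not on_link:
            problems.append(f"{r.destination}: gateway {r.gateway} is not on any connected subnet")
        elif r.interface not in on_link:
            problems.append(f"{r.destination}: gateway {r.gateway} lives on {on_link[0]}, "
                            f"not {r.interface}")
    return problems


def trace(routers: dict, start: str, dst: str, max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk dst from router `start`; returns (routers visited, outcome)."""
    path, cur = [], routers[start]
    for _ in range(max_hops):
        path.append(cur.name)
        r = lookup(cur.routes(), dst)
        if r is None:
            return path, "no route"
        if r.gateway is None:
            return path, "delivered"                      # destination is on-link
        if cur.owns(r.gateway):
            return path, "dropped: route points at own address"
        nxt = next((x for x in routers.values() if x.owns(r.gateway)), None)
        if nxt is None:                                   # e.g. an ISP default gateway
            return path, f"handed to {r.gateway} (outside model)"
        cur = nxt
    return path, "ttl exceeded"


# Constructed head office: LAN, the /30 towards the branch, and an upstream WAN.
SITE_A = Router("siteA",
                [Interface("LAN", "192.168.1.1/24"), Interface("OPT1", "10.20.20.1/30"),
                 Interface("WAN", "203.0.113.2/24")],
                [Route("192.168.2.0/24", "10.20.20.2", "OPT1"),
                 Route("0.0.0.0/0", "203.0.113.1", "WAN")])

# Constructed branch: correct routes point at the head-office end of the /30.
SITE_B = Router("siteB",
                [Interface("LAN", "192.168.2.1/24"), Interface("WAN2", "10.20.20.2/30")],
                [Route("192.168.1.0/24", "10.20.20.1", "WAN2"),
                 Route("0.0.0.0/0", "10.20.20.1", "WAN2")])

# Same branch with the classic mistake: gateway set to its own /30 address.
SITE_B_BAD = Router("siteB", SITE_B.interfaces,
                    [Route("192.168.1.0/24", "10.20.20.2", "WAN2"),
                     Route("0.0.0.0/0", "10.20.20.1", "WAN2")])

GOOD = {"siteA": SITE_A, "siteB": SITE_B}
BAD = {"siteA": SITE_A, "siteB": SITE_B_BAD}

if __name__ == "__main__":
    for name, net in (("good", GOOD), ("bad", BAD)):
        print(name, "problems:", check_static_routes(net["siteB"]))
        print(name, "LAN trace:", trace(net, "siteB", "192.168.1.10"))
        print(name, "Internet trace:", trace(net, "siteB", "198.51.100.7"))
```

Running it shows the good table delivering 192.168.1.10 via siteA and handing Internet traffic to siteA's upstream, while the bad table drops at siteB itself, which is exactly what a traceroute stopping at the local gateway looks like. Once the routes pass this kind of check, remaining breakage is far more likely to be NAT or the far router rewriting sources.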



  • Though not completely solved, one problem I found is that the Cisco RV042 device was NATting all traffic even when it's in 'Router' mode. It just disables the firewall and does not stop NATting when in Router mode.
    I replaced the Cisco device with a pfSense on an Intel x86 box and started from scratch. But I am still having trouble setting up a point to point direct link between these two pfSense boxes.

    What routes should I have so that all traffic (including Internet) from Unit2 goes to Unit1 over this link?

    Have disabled automatic outbound NAT and created manual rules. This is the screengrab:




  • Could someone please help?



  • This is working now.
    I set up static routes at both ends and also configured gateway grouping between the VPN and the point to point link. I believe some changes in pfSense, like advanced gateway settings for rules and routes, don't become active until a reboot is done. This caused me a lot of hardship earlier.
    Still there are some small glitches:
    1. I have the fibre as the default link in the branch firewall, so the firewall (only the firewall) has no Internet connection (so updates for firmware, bogons, etc. are not automatic).
    2. Sometimes, even though the link comes back up, the firewall doesn't switch back to the fibre link after using the backup VPN.

