2 PfSense Firewalls with direct site to site link

  • I hope someone can help me here.

    I have two sites, both running PfSense 2.1.5. They each have 2 WANs and 1 LAN. Previously, the two units were linked via iPSec VPN.

    We now have a 5GHz wireless link between these two sites which is to replace the VPN. I have disabled the VPN and setup the wireless units. Everything works except the routing from the LAN to the 5GHz link. The 5GHz APs are configured in bridge mode.

    Configuration diagram is attached.

    If I SSH into PfSense at either end, I can ping and traceroute to everything in the 5GHz subnet [both firewalls and both access points], likewise from the LAN on either site. But I cannot ping from the LAN on site A to the LAN on site B

    I have assigned a static route at each end with the remote LAN subnet and the gateway set to the REMOTE pfsense gateway on the 5GHz network. This is where I first started to get communication between the LAN and the 5GHz subnet.

    I was thinking this is just an interface rule problem, however, I have not been able to figure out what I need to set in order to have traffic flow. I have set allow all rules on the 5GHz interfaces on each firewall, and I have tried a specific rule for LAN to access the 5GHz subnet. But nothing seems to work.

    Can anyone shed any light on where I might be going wrong here?


    ![Wireless Link Diagram.jpg](/public/imported_attachments/1/Wireless Link Diagram.jpg)

  • LAYER 8 Netgate

    Are there any other WAN considerations we need to know about?

    Like where is the internet connectivity or is this only a private network?

    What traffic do you want to block?

    Be sure that the rules are on the proper interface. Imagine sitting inside of the pfSense box. Sure, it's a little crowded in there, but this can help. Imagine packets flying in from the different networks that the pfSense box ties together. The rules will be placed on the interface they entered from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still enter on the LAN. If a packet is coming from the Internet to the pfSense box, the rule goes on the WAN interface.


  • Yes there are WAN links. Both firewalls have dual ADSL2 links. The WAN side of things is no issue, and previously the site to site link was handled via iPSEC across one of the WAN links. I have disabled the iPSEC so that I can implement this link.

  • LAYER 8 Netgate

    Then you will need to create gateways for the remote pfsense WAN ports and static routes for the remote LAN networks to those gateways.

  • From the OP, I think he already has the gateways and static routes set.
    Since you have multi-WAN setups, then I expect you will have some failover or load-balancing rules that put your LAN traffic into gateway groups to feed it out the WANs in the required ways.
    The traffic across the 5GHz link needs to NOT be matched by those rules.

    Try putting a rule at the top of LAN1, pass protocol all, source LAN1net, destination LAN2net.
    And a rule at the top of LAN2, pass protocol all, source LAN2net, destination LAN1net.

    Then that traffic will be passed by pf and handed to the ordinary routing, which will use the static route/s to get it to the right place.

  • Sorry for the delay and thanks for the replies. I can only work on this at certain times of low use.

    I have discovered that simply disabling the IPSEC VPN tunnels between these two sites is not enough to have them not interfere with this new setup, so instead, this time I altered the remote network in the tunnel settings at each end.

    This has made a huge difference. I can now ping between the two sites via the wireless link. I have also created the rules in the LAN interface for the remote network to the local at both ends.

    However, I have a new issue. I can ping from each site to the remote server [10.20.x.1] without issue. But I cannot ping any other machine on the remote network. I have specified nothing in the firewall that specifies the server IPs.
    Do the static routes need any 'learning' time? Or is there something else at play here?

  • OK. I think I have it working.

    I have done the following for anyone else who needs to get this to work.

    1. Create a gateway of the remote PfSense box on each site [ie. Site A's gateway is Site B PfSense and vice versa]
    2. Create a static route on each PfSense box for the local subnet, set it to the gateway created in step 1.
    3. In the firewall rules, create rules on the interface that links the two sites [ie. This is NOT the LAN interface I would generally think, I have dedicated interfaces for the site to site link]. Two rules need to be created:
       a. A rule for incoming traffic from the remote subnet as the source and the local subnet as the destination, with a default setting for the gateway [important]
       b. A rule for outgoing traffic from the local subnet as the source and the remote subnet as the destination, with a gateway setting which is set to the one created in step 1.

    I also have an allow all sources to the site to site interface rule here on both which I did not remove. I am not sure if this is required for site to site communication, but I imagine I would lose access to manage the wireless units if I deleted this.
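    As an added illustration of the rule-ordering point raised earlier (the LAN-to-LAN pass rule must sit above the multi-WAN gateway-group rules) together with the static route from the summary above, the following Python model is not from the thread or from pfSense itself; it simulates first-match ("quick") rule evaluation plus static routing, using assumed addresses (10.10.0.0/24 and 10.20.0.0/24 for the two LANs, 192.168.50.2 for the remote pfSense on the 5GHz subnet).

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the two-site topology (assumed values; the thread
# only mentions the remote server as 10.20.x.1).
LAN_A = ip_network("10.10.0.0/24")          # Site A LAN
LAN_B = ip_network("10.20.0.0/24")          # Site B LAN
GW_B_ON_LINK = ip_address("192.168.50.2")   # Site B pfSense on the 5GHz bridge subnet
ANY = ip_network("0.0.0.0/0")

def first_match(rules, src, dst):
    """pfSense rules are 'quick': the first rule matching src/dst decides."""
    for rule in rules:
        if ip_address(src) in rule["src"] and ip_address(dst) in rule["dst"]:
            return rule
    return None  # no match: implicit default deny

def route_lookup(routes, dst):
    """Longest-prefix match over (network, gateway) static routes."""
    best = None
    for net, gw in routes:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def next_hop(lan_rules, routes, src, dst):
    """Where Site A forwards a LAN packet: a gateway, 'default', or 'blocked'."""
    rule = first_match(lan_rules, src, dst)
    if rule is None or rule["action"] != "pass":
        return "blocked"
    if rule.get("gateway"):   # policy routing: the rule's gateway overrides the routing table
        return rule["gateway"]
    return route_lookup(routes, dst) or "default"

# Site A LAN rules. The site-to-site rule has no gateway, so matching traffic
# falls through to the static route; the multi-WAN rule pushes everything else
# into the gateway group (the failover/load-balancing setup from the thread).
SITE_TO_SITE = {"action": "pass", "src": LAN_A, "dst": LAN_B}
MULTI_WAN = {"action": "pass", "src": LAN_A, "dst": ANY, "gateway": "WAN_GROUP"}
ROUTES_A = [(LAN_B, GW_B_ON_LINK)]           # static route from step 2 of the summary

def with_site_rule_on_top(dst="10.20.0.7"):
    return str(next_hop([SITE_TO_SITE, MULTI_WAN], ROUTES_A, "10.10.0.5", dst))

def with_site_rule_below(dst="10.20.0.7"):
    return str(next_hop([MULTI_WAN, SITE_TO_SITE], ROUTES_A, "10.10.0.5", dst))

if __name__ == "__main__":
    print("correct order:", with_site_rule_on_top())         # 192.168.50.2 (via 5GHz link)
    print("wrong order:  ", with_site_rule_below())          # WAN_GROUP (LAN B traffic goes to the WANs)
    print("internet:     ", with_site_rule_on_top("8.8.8.8"))  # WAN_GROUP
```

    With the gateway-group rule first, traffic for the remote LAN is policy-routed out the WANs and never reaches the static route, which is why the pass rule has to be at the top.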

  • LAYER 8 Netgate

    > I also have an allow all sources to the site to site interface rule here on both which I did not remove. I am not sure if this is required for site to site communication, but I imagine I would lose access to manage the wireless units if I deleted this.

    You need rules that match any traffic you want to allow INTO any interface.

    For traffic originating on Site A's LAN to SITE B's LAN, those interfaces are:

    SITE B 5GHz

    For traffic originating on SITE B's LAN to SITE A's LAN, those interfaces are:

    SITE A 5GHz

    If you want to be able to manage your radios from SITE A LAN, you would need a rule that passes, at least, traffic from to on SITE A LAN. You probably want to keep similar rules on both LAN interfaces.