A Left-Center-Right network setup tutorial…



  • So, here's the (sample) situation: You have three locations.

    Location A can see B.
    Location B can see C.
    But for whatever reason, A cannot route to C.

    In my scenario, local/county government stupidity is at work.

    There is no logical reason why A should not be able to connect to services on C, but, well, bureaucracy. If it were up to me, I would set up a VPN tunnel between A and C and call it a day.

    So, in the above situation, you need A to see C. I figured it had to be possible to get the routing right, all you need is the next hop until the packets hop down the bunny trail. But being that this is an IPSec VPN, it's not as simple as static routes. So, this is my tutorial on how I got it to work. I hope it benefits others like myself.

    I'm calling this a "Left <-> Center <-> Right" VPN Setup

    Prerequisites:

    • We are calling each firewall in this equation by their code name: Left, Center, and Right.

    • Left is 192.168.1.1 on a 192.168.1.0/24 network

    • Center is 192.168.128.1 on a 192.168.128.0/24 network

    • Right is 192.168.254.1 on a 192.168.254.0/24 network

    • All of the network identities above are fictitious. Their names were changed to protect the innocent. So no one give me grief over the networks and how you would have done it. They are example networks, nothing more.  :)

    • You have a working VPN tunnel between the Left and Center Networks, with an "AllowAnyAnyAny" IPSec rule set on each end. As in, Allow Traffic, Any Type, Any Protocol, Any Source, Any Destination. For those of you that just got twitchy, you can turn this rule off later after you've locked it all down and put your tinfoil hat back on.

    • You have a working VPN tunnel between the Right and Center Networks, with an "AllowAnyAnyAny" IPSec rule set on each end.

    • You can ping from Left to Center, and from Right to Center.

    Procedure:

    • Go to the Left Firewall.

      • Under VPN, IPSec, Expand the Phase 1 for the Center VPN so you can see the Phase 2 Entries.

      • To the far right of the existing Phase 2 entry, click the Plus sign. This duplicates it.

      • For the local network, leave it set to LAN Network.

      • For the remote network, set it to the Right Network Subnet, 192.168.254.0/24.

      • Save the Phase 2.

      • Apply Your Changes.

      • Click Ok.

    • Go to the Right Firewall.

      • Under VPN, IPSec, Expand the Phase 1 for the Center VPN so you can see the Phase 2 Entries.

      • To the far right of the existing Phase 2 entry, click the Plus sign. This duplicates it.

      • For the local network, leave it set to LAN Network.

      • For the remote network, set it to the Left Network Subnet, 192.168.1.0/24.

      • Save the Phase 2.

      • Apply Your Changes.

      • Click Ok.

    • Go to the Center Firewall. Lots more to do here than on the other two.

      • Under VPN, IPSec, Expand the Phase 1 for the Left VPN so you can see the Phase 2 Entries.

      • To the far right of the existing Phase 2 entry, click the Plus sign. This duplicates it.

      • For the local network, set it to Right Network Subnet, 192.168.254.0/24.

      • For the remote network, set it to the Left Network Subnet, 192.168.1.0/24.

      • Save the Phase 2.

      • Under IPSec, Expand the Phase 1 for the Right VPN so you can see the Phase 2 Entries.

      • To the far right of the existing Phase 2 entry, click the Plus sign. This duplicates it.

      • For the local network, set it to Left Network Subnet, 192.168.1.0/24.

      • For the remote network, set it to the Right Network Subnet, 192.168.254.0/24.

      • Save the Phase 2.

      • Apply Your Changes.

      • Click Ok.

      • At this point you may be thinking "That's it, that should work!" But nope! You need one more piece of the puzzle.

      • Go to Firewall, Rules, IPSec.

      • Create a new rule: Pass, IPSec, IPv4, Any Proto, Source=LeftNet(192.168.1.0/24), Dest=RightNet(192.168.254.0/24), Give it a Description, like "LeftNet to RightNet". Log the traffic if you like, but turn off after testing. Save.

      • Move the rule to the top of the stack by checking the box next to it and clicking on the hand (left arrow) icon to the right of the top rule.

      • Duplicate the rule you just created by clicking the Plus sign to the right of it.

      • Reverse the networks, so Source=RightNet(192.168.254.0/24), Dest=LeftNet(192.168.1.0/24). Give it a Description, like "RightNet to LeftNet". Log the traffic if you like, but turn off after testing. Save.

      • Apply Your Changes.

      • Click Ok.

    • Go to a workstation on either the Left network or the Right network. Ping something on the opposite network. You should get Replies.

    • Try something "real", like RDP into a server or workstation on the opposite network. This should work as well.
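
    The procedure above comes down to two things: every firewall a packet crosses needs a Phase 2 whose local/remote selectors cover the source and destination subnets, and the hub needs IPsec-interface pass rules for the transit pair. The following Python model is an added example, not part of the original post or of pfSense; it encodes the three firewalls' Phase 2 entries and rules as listed in the tutorial (the rule set is shown in the locked-down state after the AllowAnyAnyAny rules are removed, which is an assumption) and traces a packet hop by hop, reporting which firewall drops it when an entry is missing.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the tutorial's three firewalls (example, not pfSense code).
LEFT, CENTER, RIGHT = "192.168.1.0/24", "192.168.128.0/24", "192.168.254.0/24"
LAN = {"Left": LEFT, "Center": CENTER, "Right": RIGHT}

# Phase 2 entries per firewall as (tunnel peer, local subnet, remote subnet).
# The second entry on Left/Right and the 2nd/4th on Center are the ones the tutorial adds.
PHASE2 = {
    "Left":   [("Center", LEFT, CENTER), ("Center", LEFT, RIGHT)],
    "Right":  [("Center", RIGHT, CENTER), ("Center", RIGHT, LEFT)],
    "Center": [("Left", CENTER, LEFT), ("Left", RIGHT, LEFT),
               ("Right", CENTER, RIGHT), ("Right", LEFT, RIGHT)],
}
# Pass rules on each IPsec interface as (source, destination) pairs, assumed to be in
# the locked-down state: spoke-to-hub rules plus the two transit rules added on Center.
IPSEC_RULES = {
    "Left": [(CENTER, LEFT), (RIGHT, LEFT)],
    "Right": [(CENTER, RIGHT), (LEFT, RIGHT)],
    "Center": [(LEFT, CENTER), (RIGHT, CENTER), (LEFT, RIGHT), (RIGHT, LEFT)],
}

def _in(ip, cidr):
    return ip_address(ip) in ip_network(cidr)

def trace(src, dst, phase2=PHASE2, rules=IPSEC_RULES):
    """Walk src -> dst through the hub. Returns the list of firewalls the packet
    crosses, or a string saying which firewall drops it and why."""
    fw = next(name for name, net in LAN.items() if _in(src, net))
    path = [fw]
    while True:
        # A packet that arrived over a tunnel must pass that firewall's IPsec rules.
        if len(path) > 1 and not any(_in(src, s) and _in(dst, d) for s, d in rules[fw]):
            return f"blocked: no IPsec pass rule on {fw} for {src} -> {dst}"
        if _in(dst, LAN[fw]):
            return path
        # Outbound: the packet needs a Phase 2 whose selectors cover src -> dst.
        peer = next((p for p, loc, rem in phase2[fw]
                     if _in(src, loc) and _in(dst, rem)), None)
        if peer is None:
            return f"dropped: no Phase 2 selector on {fw} for {src} -> {dst}"
        if peer in path:
            return f"loop: {fw} would send {src} -> {dst} back to {peer}"
        path.append(peer)
        fw = peer
```

    Dropping one of Center's two added Phase 2 entries, or one of its two transit pass rules, makes `trace` report the exact firewall and direction that fails, which is the same thing the firewall log shows once you enable logging on the rules.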

    Possible Issues:

    • Today when I got this working, I started seeing packets in the log indicating the vast majority of the packets were passing with success, but a minority of the packets were still being blocked by the firewall. These were packets marked as TCP:RA and/or TCP:S. I tried clicking the Easy Rule button and modifying the rule to allow more traffic, but these packets were still being blocked. I googled around a bit and discovered some pfSense posts from years past where they state some hibbitysmack about how these packets are blocked by all stateful firewalls and they should not be causing any problems, blah, blah, blah. And yet… when I went into the workstation on the Left network and manually set a static, persistent route to the IP address on the Right network, all of my problems disappeared. No weird entries, and the (crappy, terrible county provided) software worked. So, Your Mileage May Vary, and you got what you paid for in this free tutorial.

    • In full disclosure fashion, I'm also doing this where it's VPN Site A to VPN Site B to County-Provided-Cisco-Turd-Router-with-a-Site-B-Local-IP-Address. It works, but the static persistent route thing on the Windows stations at Site-B makes all the difference. I have no idea why this is or what pfSense does to the packets at Site-B between the workstation, the default gateway (pfSense) and the County Router, but… now you know. Truthfully I just added the persistent route add statement to the login script for the workstations on the domain.

    Hope this helps someone along the way. :-)



  • Hello, just one word: brilliant!

    I followed your instructions and everything worked flawlessly :)

    Thank you.
    Nicolas



  • @nikolaii:

    Hello, just one word: brilliant!

    I followed your instructions and everything worked flawlessly :)

    Thank you.
    Nicolas

    Cool! Glad to hear it worked for you! :-)