    I have a problem with the following setup (currently a lab setup for testing):

            +-------------+             MPLS                +-------------+
            |             +--------------------------------->             |
     LAN    |             |                                 |             |    LAN
     +------+   GW-0      |                                 |    GW-1     +------+
            |             +--------------------------------->             |
            |             |             VPN                 |             |
            +-------------+                                 +-------------+

    Two pfSense boxes connected directly via two links. GRE tunnels for testing, but in production it should be MPLS and the public internet, connecting those two subnets directly.

    Both lines should be used at the same time, utilizing policy-based routing, and switch to the working one in case of a failure. (So far so good.)

    We created two gateways on each side with the remote IPs of the other box and put both into a gateway group.
    Next we created a single rule on the LAN interface of each box, telling pfSense to send the traffic to the gateway group in order to access the remote LAN subnet:
    src = local LAN subnet
    dst = remote LAN subnet
    Gateway = gateway group

    The packets get sent correctly and are received on the remote side, but never returned, as the remote pfSense doesn't know where to send the answer packet back (I think).

    GW-0: in on LAN -> sent over to remote GW-1 over one of the two links -> GW-1: in on GRE0 (or GRE1), sent out to the LAN client
    LAN-1 client sends back the ACK; GW-1 sees the packet incoming on em0 (LAN) but never puts it out on any other interface.

    We have not configured a system route to the remote subnet, as we could only enter one route and not two (multiple static routes to the same subnet are not allowed…).

    As I read through the pf.conf man page I found that the route-to option should also have a reply-to on the remote side, to send the traffic back where it came from, but I was unable to find such a setting anywhere.

    I also played around with sloppy state and the "Bypass firewall rules for traffic on the same interface" setting, but all without success.

    Could you help me make this setup possible?
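
    As an added illustration, not part of the original post and not pfSense's own generated ruleset, here is what the route-to / reply-to pairing from the pf.conf man page mentioned above looks like for the GW-0 side written out in raw pf.conf syntax. All names and addresses are assumptions: the LAN behind GW-0 is 10.0.0.0/24 on em0, the LAN behind GW-1 is 10.0.1.0/24, the MPLS link is gre0 and the VPN link is gre1, and GW-1's addresses on those tunnels are 172.16.0.2 and 172.16.1.2.

```pf
# Constructed example: GW-0 half of the ruleset in raw pf.conf syntax.
# GW-1 is the mirror image: swap lan_net/remote_net and use GW-0's
# tunnel addresses as the route-to/reply-to targets.
lan_if     = "em0"
lan_net    = "10.0.0.0/24"   # assumed LAN behind GW-0
remote_net = "10.0.1.0/24"   # assumed LAN behind GW-1
gw1_mpls   = "172.16.0.2"    # assumed GW-1 end of gre0 (the MPLS link)
gw1_vpn    = "172.16.1.2"    # assumed GW-1 end of gre1 (the VPN link)

# Outbound half (what a LAN rule pointed at a gateway group amounts to):
# route-to hands each new connection to one of the two tunnels without
# consulting the routing table, so no static route to $remote_net is
# needed. sticky-address pins a given source to one tunnel. Replies come
# back on that tunnel, match this state and are forwarded to the LAN
# client, which is directly connected, so nothing more is needed here.
pass in quick on $lan_if \
    route-to { (gre0 $gw1_mpls), (gre1 $gw1_vpn) } round-robin sticky-address \
    inet from $lan_net to $remote_net keep state

# Inbound half: connections from the remote LAN arrive on gre0 or gre1
# and are forwarded to the local LAN. Without reply-to, the LAN client's
# answer enters on $lan_if, matches the state, and is then handed to the
# routing table, which has no route to $remote_net. reply-to records per
# state which tunnel the connection came in on and sends the answers
# back out of that tunnel to the given next hop.
pass in quick on gre0 reply-to (gre0 $gw1_mpls) \
    inet from $remote_net to $lan_net keep state
pass in quick on gre1 reply-to (gre1 $gw1_vpn) \
    inet from $remote_net to $lan_net keep state
```

    Two caveats on this fragment. Raw pf's round-robin has no liveness check; the "switch to the working one" part comes from pfSense's gateway monitoring, which regenerates the route-to list when a gateway in the group is marked down. And, as far as I know, pfSense only writes the reply-to clause itself for rules on interfaces that have a gateway assigned to them, so a GRE interface assigned without a gateway ends up in the same position as the inbound rules above with their reply-to removed.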

  • No one with any ideas?

  • By default, VPNs don't have NAT, but your MPLS interface might.

    Look at packet captures, firewall logs and states. If the traffic is entering but not exiting, it is usually because a NAT rule is expected but not found.

  • Could Dual-WAN & policy-based routing & failover be the answer to solve this outright?

