PfSense to pfsense over fiber routing



  • Currently both sites are connected via IPSEC Tunnels. Everything is working but now we have a 1GBPS FIBER link from Charter Communications.

    What is the best way to get the fiber links set up to route? Another network card, or just adding a VLAN to the LAN interface, such as 225, and assigning an address to the interfaces?

    SITE A

    PFSENSE (2 NICS 1 WAN 1 LAN)

    WAN CHARTER ISP

    VLAN 1  192.168.0.0/24  (LAN)
    VLAN 10  10.10.10.253/24 (DATA)
    VLAN 20  10.10.20.253/24 (VOICE)
    VLAN 30  10.10.30.253/24 (WIRELESS)
    VLAN 40  10.10.40.253/24 (PRINTERS)
    VLAN 50  10.10.50.253/24 (GUEST WIRELESS)

    SITE B

    PFSENSE (2 NICS 1 WAN 1 LAN)

    WAN CHARTER ISP

    VLAN 1  10.33.217.253/24  (LAN)
    VLAN 10  10.50.10.253/24 (DATA)
    VLAN 20  10.50.20.253/24 (VOICE)
    VLAN 30  10.50.30.253/24 (WIRELESS)
    VLAN 40  10.50.40.253/24 (PRINTERS)
    VLAN 50  10.50.50.253/24 (GUEST WIRELESS)

    SITE A PFSENSE ---------------------------------- CHARTER 1 GBPS FIBER LINK ---------------------------------- SITE B PFSENSE



  • Is that a dark fiber between both sides directly?



  • There is a dedicated port for the site to site.

    The fiber is through Charter; they just VLAN us off.



  • @jswope:

    What is the best way to get the fiber links setup to route? Another Network card or just adding a vlan to the lan interface

    A VLAN should do it technically, a dedicated NIC has the benefit of not sharing the bandwidth with other VLAN traffic.
    Create a transit network on both sides and add routes accordingly.


  • LAYER 8 Netgate

    Sort of depends on what sort of traffic you're going to be pushing. If more than about 100Mbits sustained I'd probably give it its own interface. If not, VLAN it with other traffic on the LAN interface if you can't afford to spend a dedicated gig-e port on it.



  • I tried setting up IPSec using its own interface and no luck.

    Should I put each NIC on a different subnet at both sites?

    Example

    Site A
    10.1.1.1/24

    site b

    10.2.2.2/24

    Or should I make them on the same subnet?

    Site A 10.1.1.1/24

    Site B 10.1.1.2/24



  • Dark Fiber?  (point to point dedicated link)

    Different Interfaces.

    Different Subnet.

    Routed Package.

    Or am I reading wrong and miss something?



  • Do you have layer 3 switches at the remote locations?  May not even need pfSense at remote locations….

    If as shown you are using dark fiber then.....


  • LAYER 8 Netgate

    Sounds like a blank metro-e. Had a couple at the old gig. They would even pass dot1q tags end-to-end.



  • Dark Fiber?  (point to point dedicated link)  Yes and no. The fiber is connecting 4 buildings total. Not 100% our connection; they just VLAN us off their network with 1 GB links.

    Different Interfaces. yes

    Different Subnet. yes and vlans

    Routed Package.

    Or am I reading wrong and miss something?



  • Do you have layer 3 switches at the remote locations?  May not even need pfSense at remote locations…. Yes we do.

    There are 4 sites total: site 1 is the main site and sites 2 and 3 are remote sites. The switches are trunked to those sites to pass VLANs 1, 10, 20, 30, 40, 50.  Site 1 and Site 4 both have pfSense boxes. I just need to connect Site 1 and Site 4 via the fiber. I tried setting up both sites with a VLAN of 225 on the trunk ports of the switch and on pfSense, but I could not get it to pass traffic.



  • @jswope:

    Dark Fiber?  (point to point dedicated link)  Yes and no. The fiber is connecting 4 buildings total. Not 100% our connection; they just VLAN us off their network with 1 GB links.

    Sounds like a blank metro-e

    Agreed.

    So VLAN-  Remember that the total bandwidth of all your VLANs is additive.  You will only pass a gig of traffic on an interface that is designed to pass a gig. Not a gig per VLAN.  I only mention that because I ran into a guy that probably still doesn't believe me last month. (Lazy ass still probably hasn't done the tests I told him to.)

    I should have worded my post a little differently…
    Dark Fiber?  (point to point dedicated link)

    Then use Different Interfaces on each side.

    Use a Different Subnet.  (Or more correctly a subnet that is different from your others but the same on each box on that link.)

    Install the Routed Package.

    Interface with a VLAN tag on each box. Each on the same subnet, 172.16.1.0/30 as an example (Box 1: 172.16.1.1) (Box 2: 172.16.1.2).
    Install the routed package.  Set it up.  Firewall rules on each box that allow all the other subnets access to the subnets on the particular box.

    2&3 access the internet through the main site?  Remember also that that requires double the bandwidth.  Site two will only see a portion of the download speed of site one's upload. May not matter but I always mention it.

    My 2 pennies anyways...  :)
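The transit-network plan described in the post above (one /30 shared by both boxes, a static route on each box for every subnet behind the other box, and pass rules on the transit interface) is easy to get subtly wrong, as the earlier "10.1.1.1/24 at site A, 10.2.2.2/24 at site B" attempt shows. The following Python script is an added example, not code from the thread or from pfSense; it takes the VLAN subnets listed in the original question and the 172.16.1.0/30 transit range suggested above (the site names and the dictionary layout are assumptions) and checks that both transit endpoints sit in one subnet, that neither side's VLAN subnets collide with the other side's or with the transit range, and then lists the static routes and firewall pass rules each box needs.

```python
import ipaddress


def site(name, transit_ip, subnets):
    """Describe one pfSense box: its name, transit-interface address and local VLAN subnets."""
    return {
        "name": name,
        "transit": ipaddress.ip_interface(transit_ip),
        "subnets": [ipaddress.ip_network(s) for s in subnets],
    }


# Constructed from the thread: VLAN subnets from the original question,
# transit /30 from the post above. Names are assumptions for illustration.
SITE_1 = site("site1", "172.16.1.1/30", [
    "192.168.0.0/24", "10.10.10.0/24", "10.10.20.0/24",
    "10.10.30.0/24", "10.10.40.0/24", "10.10.50.0/24",
])
SITE_4 = site("site4", "172.16.1.2/30", [
    "10.33.217.0/24", "10.50.10.0/24", "10.50.20.0/24",
    "10.50.30.0/24", "10.50.40.0/24", "10.50.50.0/24",
])


def check_transit(a, b):
    """Return a list of addressing problems on the site-to-site link (empty means OK)."""
    problems = []
    # Both ends must be in the same subnet, otherwise neither box can ARP for the other.
    if a["transit"].network != b["transit"].network:
        problems.append(
            f"transit endpoints are not in one subnet: {a['transit']} vs {b['transit']}")
    elif a["transit"].ip == b["transit"].ip:
        problems.append(f"both ends use the same transit address {a['transit'].ip}")
    # The transit range must not overlap anything routed behind either box.
    for s in (a, b):
        for net in s["subnets"]:
            if net.overlaps(s["transit"].network):
                problems.append(f"{s['name']} subnet {net} overlaps the transit network")
    # Same VLAN IDs on both sides are fine; the IP subnets must still be distinct.
    for na in a["subnets"]:
        for nb in b["subnets"]:
            if na.overlaps(nb):
                problems.append(f"{a['name']} {na} overlaps {b['name']} {nb}")
    return problems


def static_routes(local, remote):
    """Static routes to add on `local`: each remote subnet via the remote transit address."""
    gateway = str(remote["transit"].ip)
    return [{"network": str(net), "gateway": gateway} for net in remote["subnets"]]


def transit_rules(local, remote):
    """Pass rules for `local`'s transit interface: remote subnets -> local subnets."""
    return [(str(src), str(dst)) for src in remote["subnets"] for dst in local["subnets"]]


if __name__ == "__main__":
    # The mistake from earlier in the thread: a different /24 on each end of the link.
    bad = check_transit(site("a", "10.1.1.1/24", []), site("b", "10.2.2.2/24", []))
    print("different subnets per end:", bad)
    print("planned /30:", check_transit(SITE_1, SITE_4) or "no problems found")
    for box, other in ((SITE_1, SITE_4), (SITE_4, SITE_1)):
        print(f"\nroutes on {box['name']}:")
        for r in static_routes(box, other):
            print(f"  {r['network']} via {r['gateway']}")
        print(f"  {len(transit_rules(box, other))} pass rules on the transit interface")
```

Running it reports the mismatch for the 10.1.1.1/24 versus 10.2.2.2/24 layout and no problems for the /30 plan, then prints six routes per box. The route list is what goes into System > Routing on each pfSense box (with the other box's transit address as the gateway); the rule list can be collapsed into a single pass rule per box using aliases for the remote and local subnets.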



  • So I just replaced the IPSec connection I had for IPSec over the Internet with IP on site 1 10.1.1.1/34 and site 2 10.1.1.2/24, then selected the dedicated interface for it, and all tunnels came up. This is in my test environment. Now I will try to do what you said by using a VLAN.

    Both pfSense boxes have 2 NICs, WAN and LAN. LAN has VLANs 10, 20, 30, 40, 50. Do you think I should use its own dedicated interface for this site to site link?

    I agree with 100% on the gig link that it is for the whole site to site link. Not per vlan. That's only common sense lol.

