On 11/10/12 7:24 PM, Jim Pingle wrote:
> On 11/10/2012 7:11 AM, Erik Augustsson wrote:
>> Hello
>> Today I have servers at two different locations, with different
>> providers: location A and B. I also have a public PI network x.x.x.0/24
>> that's routed to location A. I want this network routed to location B,
>> but the owners of location B are charging an extreme amount for the routing.
>> The location A owners (really nice guys) are telling me that they can do
>> this with some MikroTik routers and L2TP. They also say it might be
>> possible with pfSense, but they don't use that today.
>> At location B, I have a y.y.y.y/29 network, and pfSense installed.
>> So my question is: if I install pfSense at location A, can I use that to
>> tunnel/route my public PI network to my servers at location B?
> You can do it on pfSense 2.1 with OpenVPN - but only on 2.1.
> On 2.1, when you assign an OpenVPN interface and you add a firewall rule
> to its tab, those rules get reply-to added to send traffic back to the
> OpenVPN connection's gateway.
> That reply-to function is required for the traffic to return via the
> same path it entered.
> The same *might* work on 2.0 with GIF or GRE, assigned, with a gateway
> added, for similar reasons. But if you want to carry it across a VPN,
> OpenVPN is your best bet.
> Now that I think of it, IPsec with a P2 of <public subnet> to 0.0.0.0/0
> might work, but I wouldn't hold my breath on that one. Might be worth a
> try though.
> Jim

Thank you so much for helping out.
I tried a thing close to this for a customer some months ago, with
OpenVPN and pfSense 2.0.1.
I forwarded internet traffic from a Linux box over OpenVPN. The
customer's application (that was hit by this traffic) needed the true
source IP in the requests. It worked as expected for getting traffic
in, but the return traffic went out on the primary WAN, not the OpenVPN
tunnel. The return traffic was never hit by any routing/FW rules I
set up, but a tcpdump on the pfSense master told me it went out on WAN.
The information you give on 2.1 is very exciting. That's the way I
thought it worked from the start, but learned the hard way it's not :-)
I will do some pfSense 2.1 testing at location B.
Erik
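As an added example (not code from Jim's or Erik's messages, and not the rules the pfSense GUI generates), the ruleset below shows in plain pf.conf(5) terms what the reply-to behaviour Jim describes does at location B, and why Erik's 2.0.1 setup sent replies out the WAN. The addresses, interface names and the ovpnc1 naming are assumptions; 203.0.113.0/24 stands in for x.x.x.0/24.

```pf
# Hand-written pf.conf illustration for the location B firewall, which
# receives the routed PI block through the site-to-site OpenVPN tunnel.
# Assumed: tunnel 10.8.0.0/30 with location A at 10.8.0.1, assigned
# OpenVPN interface named ovpnc1, servers holding PI addresses on em1.
ext_if  = "em0"            # WAN in y.y.y.y/29; this carries the default route
lan_if  = "em1"            # servers that use addresses from the PI block
ovpn_if = "ovpnc1"         # assigned OpenVPN interface
ovpn_gw = "10.8.0.1"       # tunnel peer at location A
pi_net  = "203.0.113.0/24" # the routed public PI block (placeholder)

# Location A's OpenVPN config needs "route 203.0.113.0 255.255.255.0" so
# the PI block is sent into the tunnel; location B needs the block on
# $lan_if (alias or static route) so it can be delivered to the servers.

# What Erik saw on 2.0.1: the inbound packet matches this rule and reaches
# the server, but the reply is forwarded by the kernel routing table, i.e.
# via the default route out $ext_if, so it never re-enters the tunnel.
# pass in quick on $ovpn_if inet proto tcp from any to $pi_net port 443

# What 2.1 adds to rules on the assigned interface's tab: reply-to stores
# the interface/gateway pair in the state entry, so packets matching the
# reverse direction of that state are handed to $ovpn_gw on $ovpn_if
# regardless of what the routing table says.
pass in quick on $ovpn_if reply-to ($ovpn_if $ovpn_gw) inet proto tcp \
    from any to $pi_net port 443 keep state
```

A tcpdump on $ovpn_if for traffic from $pi_net is the quickest check that replies now take the tunnel rather than $ext_if.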
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list