2014-05-20 11:31 GMT+02:00 Faisal Gillani <[email protected]>:
> Hello all
>
> I am using pfSense for everything: a pfSense-based multi-homed firewall and
> pfSense-based routers.
>
> My firewall has three internet connections which clients see as one when
> accessing the internet.
>
> My office recently purchased an MPLS VPN solution to connect one of our
> branches together with our main head office.
>
> MPLS VPN settings
>
> Main site
> IP 10.152.9.130
> Subnet 255.255.255.252
> Gateway 10.152.9.129
>
> Branch site
> IP 10.152.9.117
> Subnet 255.255.255.252
> Gateway 10.152.9.116
>
> I chose pfSense to do simple routing at both the head office and the branch
> office.
>
> The network configuration is as below.
>
> Main site
>
> Subnet 172.16.0.0/21
>
> pfSense-based internet firewall IP = 172.16.1.17
> pfSense-based router (with all NAT and packet filtering disabled) = 172.16.0.18
>
> • The router is configured with a static route to the branch office subnet
>   using the MPLS provider router address.
> • The router routes all internet-bound requests to 172.16.1.17, as it is
>   set as its default gateway.
> • All users on the same subnet are set up to use 172.16.0.18 as their
>   default gateway; everything is working for them, local resource access as
>   well as internet.
>
> Branch site
>
> Subnet 172.16.11.0/24
>
> pfSense-based router (with all NAT and packet filtering disabled) = 172.16.11.18
>
> • The router is configured with a static route to the head office subnet
>   using the MPLS provider router address.
> • For internet I found this solution online: route all internet traffic to
>   the firewall at the main office, which is 172.16.1.17.
> • To achieve this I ran these commands, as the web GUI wasn't accepting a
>   non-local subnet address:
>
> # route add -net 172.16.1.17 -iface em0
> # route add default 172.16.1.17
>
> Now computers in the branch office can access all the resources at the main
> office, however they can't access the internet.
>
> Anyone know what I am doing wrong?
> Syed Faisal Gillani
> Please consider the environment before printing this e-mail
>
> _______________________________________________
> List mailing list
> [email protected]
> https://lists.pfsense.org/mailman/listinfo/list

> Now computers in the branch office can access all the resources at the main office, however they can't access the internet.

which seems logically correct to me.

If I understood correctly how your setup is, in short: your default gateways are incorrect, therefore no internet access.

Point your default gateways to the main internet connection and NOT to the MPLS gateways. NAT enabled.

To get the net-to-net (172.16.11.0/24 <-> 172.16.0.0/21) working: just create an IPsec VPN tunnel from each pfSense box to the other one through the MPLS routing/switching, which (the MPLS) is not really necessary if you have static WAN addresses, but can help to have a stable VPN tunnel. I.e. IF-MPLS-Address Main Site connects to IF-MPLS-Address-Branch Site, et vice versa. So an IPsec VPN between those two endpoints should do it.

The MPLS gateways do not know anything about any 172.16.0.0 net. Not their job. :8~)

I _think_ the wish is to have the clients communicating with each other, like 172.16.4.5 can talk freely to 172.16.11.45 et vice versa. So create each VPN side with access to the respective internal network. No NAT necessary.

Further reading for understanding recommended: Richard W. Stevens, TCP/IP and/or Addison Wesley: TCP/IP and ONC/NFS

hth

= = = http://michael-schuh.net/ = = =
Project Management - IT Consulting - Professional Services IT
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = Ust-ID: DE251072318 = = =
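As an added example (not code from either poster), a small route resolver that walks the branch router's table exactly as the two `route add` commands and the static MPLS route above define it, doing the same longest-prefix match and recursive next-hop resolution a kernel does. The thread only names em0; em1 as the MPLS link interface is an assumption.

```python
from ipaddress import ip_address, ip_network

# Branch router table reconstructed from the thread. Interface names are
# assumptions: em0 is named in the thread, em1 for the MPLS /30 is assumed.
# Tuple: (prefix, gateway or None, interface, directly connected?)
BRANCH_ROUTES = [
    ("172.16.11.0/24", None, "em0", True),            # branch LAN
    ("10.152.9.116/30", None, "em1", True),           # MPLS link /30
    ("172.16.0.0/21", "10.152.9.116", "em1", False),  # static route to head office
    ("172.16.1.17/32", None, "em0", False),           # route add -net 172.16.1.17 -iface em0
    ("0.0.0.0/0", "172.16.1.17", None, False),        # route add default 172.16.1.17
]

def lookup(routes, dst):
    """Longest-prefix match; returns the matching route tuple or None."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in ip_network(r[0])]
    return max(matches, key=lambda r: ip_network(r[0]).prefixlen, default=None)

def resolve(routes, dst):
    """Resolve dst the way a kernel does: follow gateway routes recursively
    until an interface route is reached. Returns (gateways, iface, on_link),
    where on_link is True only if the final next hop lies inside a directly
    connected subnet of that interface (i.e. it can actually be ARPed)."""
    gateways, target = [], dst
    for _ in range(8):                       # guard against routing loops
        route = lookup(routes, target)
        if route is None:
            return gateways, None, False
        prefix, gw, iface, _connected = route
        if gw is not None:
            gateways.append(gw)
            target = gw
            continue
        on_link = any(ip_address(target) in ip_network(p)
                      for p, g, i, c in routes if c and i == iface)
        return gateways, iface, on_link
    return gateways, None, False

if __name__ == "__main__":
    for dst in ("172.16.11.45", "172.16.0.50", "8.8.8.8"):
        gws, iface, ok = resolve(BRANCH_ROUTES, dst)
        print(f"{dst:>14} via {gws or ['on-link']} out {iface} on-link={ok}")
```

For 172.16.1.17 the /32 host route wins over the 172.16.0.0/21 MPLS route, and the address is not inside any subnet connected to em0, which is the same non-local-gateway condition the web GUI rejected.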
