You asked this already and it has been responded to. Don't double post!

On 20 May 2014 at 17:54, "Michael Schuh" <michael.sc...@gmail.com> wrote:

> 2014-05-20 11:31 GMT+02:00 Faisal Gillani <faisal.gill...@akesp.org>:
>
>> Hello all
>>
>> I am using Pfsense for everything, a Pfsense based multi-homed firewall
>> and pfSense based routers.
>>
>> My firewall has three internet connections which clients see as one
>> when accessing the internet.
>>
>> My office recently purchased an MPLS VPN solution to connect one of our
>> branches together with our main head office.
>>
>> MPLS VPN Settings
>>
>> Main site
>> Ip 10.152.9.130
>> Subnet 255.255.255.252
>> Gateway 10..152.9.129
>>
>> Branch site
>> Ip 10.152.9.117
>> Subnet 255.255.255.252
>> Gateway 10..152.9.116
>>
>> I chose Pfsense to do simple routing at both the head office and the branch
>> office.
>>
>> The network configuration is as below.
>>
>> Main Site
>>
>> Subnet 172.16.0.0/21
>>
>> Pfsense based internet firewall ip = 172.16.1.17
>> Pfsense based router (with all NAT and packet filtering disabled) = 172.16.0.18
>>
>> • The router is configured to static route to the branch office subnet
>>   by using the MPLS provider router address.
>> • The router routes all internet based requests to 172.16.1.17 as
>>   it is set as its default gateway.
>> • All same-subnet users are set up to use 172.16.0.18 as their
>>   default gateway; everything is working for them, local resource access as
>>   well as internet.
>>
>> Branch Site
>>
>> Subnet 172.16.11.0/24
>>
>> Pfsense based router (with all NAT and packet filtering disabled) = 172.16.11.18
>>
>> • The router is configured to static route to the branch office subnet
>>   by using the MPLS provider router address.
>> • For internet I found this solution on the internet: route all
>>   internet traffic to the firewall at the main office, which is 172.16.1.17.
>> • To achieve this I did these commands, as the web GUI wasn't
>>   accepting a non-local subnet address:
>>
>> # route add -net 172.16.1.17 -iface em0
>> # route add default 172.16.1.17
>>
>> Now computers at the branch office can access all the resources at the main
>> office, however they can't access the internet.
>>
>> Anyone know what I am doing wrong?
>>
>> Syed Faisal Gillani
>> Please consider the environment before printing this e-mail
>>
>> _______________________________________________
>> List mailing list
>> List@lists.pfsense.org
>> https://lists.pfsense.org/mailman/listinfo/list
>
> Now computers at the branch office can access all the resources at the main
> office, however they can't access the internet.
>
> which seems logically correct to me.
>
> if I understood correctly how your setup is,
> in short:
> your default gateways are incorrect, therefore no internet access.
>
> point your default gateways to the main internet connection and NOT to the
> MPLS gateways.
> NAT enabled.
>
> to get the Net-to-Net (172.16.11.0/24 <-> 172.16.0.0/21) working:
> just create an IPSEC VPN tunnel from each pfsense box to the other one
> through the MPLS routing/switching, which (the MPLS) is not really
> necessary if you have static WAN addresses, but can help to have a stable
> VPN tunnel.
> i.e.
> IF-MPLS-Address Main Site connects to IF-MPLS-Address Branch Site, et vice
> versa.
> so an IPSEC VPN between those two endpoints should do it.
> the MPLS gateways do not know anything about any 172.16.0.0 net.
> not their job. :8~)
>
> I _think_ the wish is to have the clients communicating with each other
> like
> 172.16.4.5 can talk freely to 172.16.11.45 et vice versa.
>
> so create each VPN side with access to the certain internal network.
> no NAT necessary.
>
> further reading for understanding recommended:
> Richard W. Stevens TCP/IP and/or
> Addison Wesley: TCP/IP and ONC/NFS
>
> hth
>
> = = = http://michael-schuh.net/ = = =
> Project Management - IT Consulting - Professional Services IT
> Postfach 10 21 52
> 66021 Saarbrücken
> phone: 0681/8319664
> @: m i c h a e l . s c h u h @ g m a i l . c o m
>
> = = = Ust-ID: DE251072318 = = =
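The thread turns on what each box's routing table does with a packet, so here is an added example (not from the thread, not pfSense code) that models the three tables as the original post describes them and runs a longest-prefix-match lookup hop by hop. It follows a branch client's packet towards an internet host and then the reply back from the firewall. Interface names, the branch router's static route to the main site, the firewall's ISP gateway (198.51.100.1, a documentation address) and the absence of a firewall route for 172.16.11.0/24 are assumptions: the post does not mention such a route, and the model shows what the lookup yields with and without one. The model treats every configured gateway as reachable, which is all a routing table itself can say.

```python
import ipaddress
from typing import Optional

# A route is (prefix, gateway, interface). gateway None means the prefix is
# directly attached to that interface (no next hop).
Route = tuple[str, Optional[str], str]

# Constructed model of the routing tables as the original post describes
# them; these are not dumps from the real boxes. Interface names, the
# branch router's static route to the main site and the firewall's ISP
# gateway (198.51.100.1, a documentation address) are assumptions.
ROUTING_TABLES: dict[str, list[Route]] = {
    "branch-router": [                                   # 172.16.11.18
        ("172.16.11.0/24", None, "lan"),                 # branch LAN
        ("10.152.9.116/30", None, "mpls0"),              # MPLS link (10.152.9.117/30)
        ("172.16.0.0/21", "10.152.9.116", "mpls0"),      # static route to main site (assumed)
        ("172.16.1.17/32", None, "em0"),                 # route add -net 172.16.1.17 -iface em0
        ("0.0.0.0/0", "172.16.1.17", "em0"),             # route add default 172.16.1.17
    ],
    "main-router": [                                     # 172.16.0.18
        ("172.16.0.0/21", None, "lan"),                  # main LAN
        ("10.152.9.128/30", None, "mpls0"),              # MPLS link (10.152.9.130/30)
        ("172.16.11.0/24", "10.152.9.129", "mpls0"),     # static route to branch via MPLS
        ("0.0.0.0/0", "172.16.1.17", "lan"),             # default gateway = firewall
    ],
    "firewall": [                                        # 172.16.1.17
        ("172.16.0.0/21", None, "lan"),                  # main LAN
        ("0.0.0.0/0", "198.51.100.1", "wan"),            # towards the ISP (constructed gateway)
    ],
}

# Addresses of the devices we model; any other next hop (ISP, MPLS provider)
# is outside the model and ends the trace.
DEVICE_BY_ADDR = {"172.16.11.18": "branch-router", "172.16.0.18": "main-router",
                  "172.16.1.17": "firewall"}


def lookup(table: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, iface), net.prefixlen
    return best


def trace(device: str, dst: str, tables=ROUTING_TABLES, max_hops: int = 8) -> list[tuple]:
    """Follow a packet for dst hop by hop through the modelled devices.

    Each entry is (device, matched prefix, gateway, interface). The trace
    stops when the packet is delivered on a directly attached link, leaves
    for a device outside the model, or no route exists.
    """
    path = []
    while len(path) < max_hops:
        route = lookup(tables[device], dst)
        if route is None:
            path.append((device, None, None, None))
            break
        prefix, gw, iface = route
        path.append((device, prefix, gw, iface))
        if gw is None or gw not in DEVICE_BY_ADDR:
            break
        device = DEVICE_BY_ADDR[gw]
    return path


def with_return_route(tables=ROUTING_TABLES) -> dict:
    """Same tables, but the firewall knows the branch LAN sits behind the main router."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed["firewall"].insert(0, ("172.16.11.0/24", "172.16.0.18", "lan"))
    return fixed


if __name__ == "__main__":
    client, internet = "172.16.11.45", "203.0.113.10"   # branch client, constructed internet host
    print("forward:", trace("branch-router", internet))
    print("reply  :", trace("firewall", client))
    print("reply with return route:", trace("firewall", client, with_return_route()))
```

Run as-is it prints the three traces: the forward packet reaches the firewall and leaves on `wan`, the reply from the firewall to 172.16.11.45 also leaves on `wan` because the default route is the only match, and with the assumed return route it goes to the main router and out `mpls0` towards the branch. The same lookup applied to the branch router shows the `/32` host route winning over the `/21` for 172.16.1.17, which is what the two `route add` commands rely on.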