
We have two offices connected via Gateway-Gateway VPN

DC1[192.168.0.101]---RV082(A)[192.168.0.1]---[VPN]---RV082(B)[192.168.3.1]---pfSense[192.168.3.100]---DC2[192.168.1.2]

DC2 is able to connect to DC1 just fine using the private IP Address of 192.168.0.101. Of course this works because DC2 sends all traffic to pfSense as its gateway and pfSense sends traffic to the local RV082B. There is a route because of the VPN.

The problem that we are experiencing is that the branch firewall has no knowledge of the subnet behind pfSense.

Somehow we need to add a route from the branch firewall so that it knows where to send traffic.

We basically just want to be able to ping, RDP, etc to 192.168.1.2 and DC2 being the recipient. It's a challenge now that we have pfSense in the way. It's almost as if we have two firewalls. We don't know what to do because we really installed pfSense just for its captive portal capabilities.

Sean

1 Answer


There are several issues here, mixed into one.

  1. If DC2 can ping DC1, but not the other way around, then it is likely that the pfSense firewall is doing masquerading for the 192.168.1.0/24 network behind it. This would result in a situation where in the rest of the network the packets originating from DC2 actually look as if they originated on 192.168.3.100. When they get back there, the firewall captures them, performs the de-masquerade and all is good.
    However, this now creates a problem, because to the world outside of 192.168.1.0/24, that network has become unroutable. Since all networks involved are private networks anyway, I would suggest to remove the masquerading and rather just have a firewall and some proper routing.

  2. The RV082(A) has no knowledge of the existence of the 192.168.1.0/24 network, since it is hidden behind the pfSense firewall. So the first thing to do is put a static route into that device telling it to route all traffic for 192.168.1.0/24 into the VPN tunnel.

  3. Now make sure that in the pfSense firewall you only have the necessary filters in place and all NATting is disabled.

If for whatever reason you cannot or do not want to remove the masquerading, you will have to create port forwarding rules in the pfSense for every single device and service that must be reachable from the outside. And you need to run split DNS, because the same names now have to resolve to different IP addresses depending on where the client is. This can get very messy very quickly and I would recommend not to do so unless there really is no other choice.

If you don't like static routing, you could also enable RIP or OSPF in pfSense (not sure whether it has these features) and in the RV082 devices (if they have it), but then this answer is going to get a whole lot longer, so try static routing first.

wolfgangsz
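To make points 1 and 2 of the answer concrete, here is an added illustration (not code from the question or the answer) that models the routing tables of the hops in the question with longest-prefix matching and traces a packet hop by hop. It shows why DC1's replies reach DC2 only while pfSense masquerades, and why adding the static route for 192.168.1.0/24 on RV082(A) makes DC2 reachable without NAT. The tables are constructed from the addresses on the page; it is an assumption that RV082(B) already routes 192.168.1.0/24 to pfSense (if it does not, it needs the same static route), and the tunnel is modelled as a plain hop.

```python
import ipaddress

# Hop-by-hop routing tables, constructed from the addresses in the question.
# Entries are (prefix, next hop); the most specific matching prefix wins.
# "local" = deliver on the connected subnet, "internet" = the packet leaves the
# private networks and is lost as far as this problem is concerned.
TABLES_BEFORE = {
    "DC1":      [("0.0.0.0/0", "RV082(A)")],
    "RV082(A)": [("192.168.0.0/24", "local"), ("192.168.3.0/24", "RV082(B)"),
                 ("0.0.0.0/0", "internet")],
    # Assumption: RV082(B) already routes the pfSense LAN to 192.168.3.100.
    "RV082(B)": [("192.168.3.0/24", "local"), ("192.168.0.0/24", "RV082(A)"),
                 ("192.168.1.0/24", "pfSense"), ("0.0.0.0/0", "internet")],
    "pfSense":  [("192.168.1.0/24", "local"), ("0.0.0.0/0", "RV082(B)")],
    "DC2":      [("0.0.0.0/0", "pfSense")],
}
# Point 2 of the answer: static route on RV082(A) sending 192.168.1.0/24 into the tunnel.
TABLES_AFTER = {name: list(rows) for name, rows in TABLES_BEFORE.items()}
TABLES_AFTER["RV082(A)"].insert(0, ("192.168.1.0/24", "RV082(B)"))

HOSTS = {"192.168.0.101": "DC1", "192.168.3.100": "pfSense", "192.168.1.2": "DC2"}

def next_hop(table, dst):
    """Longest-prefix match of dst against one routing table (None if nothing matches)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(tables, src, dst):
    """Hops a packet for dst visits starting at src. The path ends at the destination
    host, at 'internet' (only a default route matched) or at None (no route at all)."""
    path, here = [src], src
    while here != HOSTS.get(dst) and len(path) < 16:
        nh = next_hop(tables[here], dst)
        if nh in ("internet", None):            # leaves the private networks / unroutable
            return path + [nh]
        if nh == "local":                       # directly connected: delivered
            return path + [HOSTS.get(dst, dst)]
        path.append(nh)
        here = nh
    return path

def round_trip(tables, pfsense_masquerades):
    """DC2 -> DC1 and DC1's reply. With masquerading (point 1 of the answer) DC1 only
    ever sees 192.168.3.100 and replies there; pfSense then un-NATs the reply to DC2."""
    forward = trace(tables, "DC2", "192.168.0.101")
    reply = trace(tables, "DC1", "192.168.3.100" if pfsense_masquerades else "192.168.1.2")
    if pfsense_masquerades and reply[-1] == "pfSense":
        reply.append("DC2")                     # pfSense rewrites the destination back
    return forward, reply
```

Running `trace(TABLES_BEFORE, "DC1", "192.168.1.2")` ends at `internet`, while the same call on `TABLES_AFTER` ends at `DC2`; `round_trip(TABLES_BEFORE, True)` shows the reply reaching DC2 only via the masqueraded address.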