VPN Between MX250 and PF Sense Firewall with Multiple subnets

pwallace10
Comes here often

VPN Between MX250 and PF Sense Firewall with Multiple subnets

I am hoping someone can spot something I am missing...

We have a corporate MX installation with a MX250 at the Data Centre, the spokes are a mix of 67's and 100's which all connect via the Dashboard defined VPN's.

 

I have a few small sites for which we did not but MX's, I want to use the PF Sense firewall appliances that we have there. The VPN part is done it was simple enough with the non-meraki VPN config in the dashboard.

 

The issue is that we do not ever terminate our routers onto the local LAN, we always make use of a Isolation LAN, so in the case of the MX250 the LAN address is 10.10.10.9/29 and the PFS box its 10.20.92.2/28

 

IMG_9348.JPGThe VPNs are setup to have the branch LAN subnets as P2 and from the DC I can ping anything on the branch side. 

My problem is the other way, from the branch I can only ping the MX LAN interface. None of the other traffic goes into the PFS firewall IPSEC tunnel.

 

The MX seems to advertise the remote side inward but the PFS box doe snot seem to have a route for anything except what is in the P2 of IPSEC.

 

I see on the PFS I can create a routed VTI but on the MX I cant terminate a routed VTI.

 

Has anyone battled with something like this, what is the work around or what am i missing?

 

There has to be a way to route additional subnets into the PFS box VPN...

 

Peter

3 REPLIES 3
PhilipDAth
Kind of a big deal
Kind of a big deal

If the DC can ping anything in the branch then that suggests the VPN is correct.

 

If the branch can only ping the MX LAN interface and nothing else then perhaps PfSense is filtering out that traffic (since ping traffic worked).

 

I would have a look at the firewall and NAT rules on PfSense.

Hi, thanks for the input..

 

Its not NAT or rules, they logs are clear, also a tract to the LAN IP of the MX got into the tunnel, the trace to anything else does not.

 

It has to be that the PFS box is not getting the advertised routes or I need to statically add a route to the other LAN subnets but I cant on PFS.

 Any other ideas ?

ww
Kind of a big deal
Kind of a big deal

Mx does not learn or advertise routes in 3rd party vpn.

 

You have look into pfsense documentation for routes to the lan and for vpn

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels