Route not being injected in site-to-site vpn
Hi,
I couldn't find this specific topic; if there is one, please let me know.
My situation is that I have 2 Firewallas with a site-to-site VPN connection. All working well. See the information below.
# Site A
- Firewalla Gold
- LAN 10.10.1.0/24
- WireGuard 10.10.2.0/24
# Site B
- Firewalla Purple
- LAN 10.20.1.0/24
- WireGuard 10.20.2.0/24
Now on site A there is a network 172.16.1.0/24 which is reachable by a static route. So all devices in that LAN are able to connect, all fine.
On the Firewalla Purple I add the following as a static route:
- IP address range: 172.16.1.0/24
- On Device: Firewalla 1 - Gold - Site to Site (this is the name of the Firewalla on site A and it's using WireGuard)
- Interface: VPN, Firewalla 1 - Gold (this is the name of the Firewalla on site A and it's using WireGuard)
- Route preference: Static
I want the systems in the LAN of site B to be able to reach the network 172.16.1.0/24. A trace from a system in the LAN tells me it goes to the default router, to the Internet, and not to the VPN. I disconnected the VPN connection but it didn't work out.
What I didn't do yet is log into SSH on the Firewalla Purple and check if the route is there.
What am I doing wrong?
Many thanks for your reply.
-
From a traditional VPN, the Firewalla advertises all its interfaces, so it is then strange that the static route is not distributed via VPN toward the peer. In this case, site A is the server and site B is the client. Site B doesn't receive the static route. Manually placing a static route on site B doesn't work. What do you suggest?
-
As a test, when changing the VPN client on site B and using the option 'VPN' for Internet, all Internet traffic goes from site B to site A. So it was interesting to see that traffic for 172.16.1.0/24 also went to the first hop of WireGuard and then it suddenly stopped. I tested this via a local system on site B. Maybe useful information?
-
Amazing! Now I can ping the 172.16.1.0/24 via a local system in site B. It took some time.
Then I also removed the static route from site B which was pointing to the WireGuard next-hop toward site A. So this also worked.
When using a direct Internet connection, the 172.16.1.0/24 is not reachable from site B.
-
@Galied Nanhekhan, yeah. That's expected. Purple knows Gold's local networks but is not aware that 172.16.1.0/24 is also on site A (Gold). Non-site-A LAN subnets will be marked as an external resource. When you access it, the flow will be treated as Internet traffic. You need to set the 'Internet' option to VPN.
-
Thanks for your reply.
Setting the Internet option is not a solution, since local Internet break-out will not work anymore. I don't want to reroute Internet traffic.
Can you confirm that static routes are not redistributed over VPN? Are there any plans in the future to make redistribution work?
Right now I really have a showstopper with my Firewalla for accessing remote networks.
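Added example (not from the thread or from Firewalla): a Python check for what the poster planned to do over SSH, run over constructed `ip route show` and `wg show wg0 allowed-ips` output for the 172.16.1.0/24 prefix. It assumes the tunnel interface is named wg0 and that the box exposes the standard `ip` and `wg` tools; the last test relies on WireGuard's cryptokey routing, under which a packet whose destination is in no peer's AllowedIPs is dropped at the tunnel, which is consistent with the "first hop and then it suddenly stopped" trace above.

```python
import ipaddress

# Constructed sample of `ip route show` on the site-B box (not from the thread); the
# 172.16.1.0/24 line models the manual static route the poster added toward the VPN.
SAMPLE_IP_ROUTE = """\
default via 198.51.100.1 dev eth0
10.10.1.0/24 dev wg0 scope link
10.20.1.0/24 dev br0 proto kernel scope link src 10.20.1.1
172.16.1.0/24 dev wg0 scope link
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.20
"""
# Constructed sample of `wg show wg0 allowed-ips` (peer key, tab, space-separated prefixes);
# only site A's LAN and tunnel address are listed, i.e. 172.16.1.0/24 was never advertised.
SAMPLE_WG_ALLOWED_IPS = "PEER_PUBKEY_PLACEHOLDER=\t10.10.1.0/24 10.10.2.1/32\n"


def parse_routes(text):
    """Return [(network, device)] pairs from `ip route show` output."""
    routes = []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def parse_allowed_ips(text):
    """Return the union of every peer's AllowedIPs from `wg show <iface> allowed-ips`."""
    nets = []
    for line in text.splitlines():
        _key, _tab, prefixes = line.partition("\t")
        nets += [ipaddress.ip_network(p) for p in prefixes.split() if p != "(none)"]
    return nets


def covers(nets, target):
    # True if some network of the same address family contains `target`
    return any(n.version == target.version and target.subnet_of(n) for n in nets)


def diagnose(prefix, route_text, wg_text, wg_iface="wg0"):
    """Classify how traffic for `prefix` would leave the box."""
    target = ipaddress.ip_network(prefix)
    hits = [(n, d) for n, d in parse_routes(route_text) if covers([n], target)]
    if not hits:
        return "no-route"
    _net, dev = max(hits, key=lambda r: r[0].prefixlen)  # longest prefix wins
    if dev != wg_iface:
        return f"leaves-via-{dev}"  # e.g. the default route: handled as Internet traffic
    # Kernel route points at the tunnel, but WireGuard forwards only destinations inside
    # some peer's AllowedIPs (cryptokey routing) and silently drops everything else.
    if not covers(parse_allowed_ips(wg_text), target):
        return "vpn-route-but-not-in-allowed-ips"
    return "ok"
```

On a live box, replace the two constructed samples with the real command output; a result of `vpn-route-but-not-in-allowed-ips` means the kernel route exists but the peer on the tunnel was never told about the prefix.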