So I have site A and will say that Network IP is 192.168.1.0/24 for the LAN. Then also at site A I have a VLAN of the network address of 192.168.2.0/29. I then have site B with a network IP of 192.168.10.0/24 for the LAN.
Right now I am able to ping from site A LAN 192.168.1.0/24 to site B LAN 192.168.10.0/29. But when I go to try to ping from the VLAN at site A to site B LAN, I am unable to do so. I can’t access any of the network resources. The VLAN at site A can ping out to 1.1.1.1 so it does have internet access, but it can’t communicate over the site-to-site VPN.
So I would like to be able to ping/access network resources from site A VLAN 192.168.2.0/29 to site B LAN 192.168.10.0/24. I would also like to restrict access so for example I would only allow site A VLAN to access site B the server that sits on 192.168.10.2 and nothing else.
I have my VLAN set up on the same interface as my LAN on site A. So eth2 is LAN and eth2.2 is VLAN. I have some firewall rules set up to block all the RFC1918 ranges. I allow certain access from VLAN to my LAN for servers and that all works fine.
Would someone be willing to help me understand if this is possible and if so what do I need to look for to configure this right? Both sites have an Edge Router Pro at each location both running this firmware: EdgeRouter v2.0.9-hotfix.4.
Also on my VPN config at site A, I have the subnets as follows:
Local: 192.168.1.0/24
Remote: 192.168.10.0/24
Then at site B, it would be reversed. Not sure if I need to add the VLAN subnet, which I have tried to do, but it won’t save for some reason. Or if this is a routing issue, but not sure how I would configure the route to make it work. Or maybe a firewall rule? I am not sure. Any guidance would help.
Thank you.
To pass traffic over the IPSec tunnel between sites, you have to include all the desired subnets in your phase2 selectors. So, at site A, your local networks need to include both 192.168.1.0/24 and 192.168.2.0/29. At site B, both of these subnets should be listed as remote networks.
You also have to be certain the corresponding firewall policies allow traffic to and from all included subnets. Your present policies likely only include 192.168.1.0/24 and 192.168.10.0/24. You will need to add 192.168.2.0/29 to the existing firewall policies where appropriate, or craft a new policy permitting this subnet to and from each location, as needed.
Okay got it figured out! That helped a lot, thank you!
I have added the IPSec phase2 selectors to both sites. Still unable to ping. What would the firewall rules look like?
Excellent. Glad you got it sorted!
Unfortunately, I don’t know how to configure firewall rules on a UniFi gateway, which I assume you are using since this is the r/Ubiquiti subreddit, but generally speaking they should allow traffic from Site A’s subnets and interface to Site B’s without NAT and vice versa.
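The two answers above (add the VLAN prefix to the phase 2 selectors, then allow it through the firewall without NAT) translate to the following EdgeOS CLI session. This is an added example, not configuration from the original poster or from Ubiquiti; the peer addresses 198.51.100.2 (site A WAN) and 203.0.113.2 (site B WAN) are RFC 5737 documentation placeholders, and the esp-group name ESP0, the ruleset names VLAN_IN / WAN_IN, the network-group names, the interface eth0 and the rule numbers are all assumptions chosen for the example. The only facts taken from the thread are the prefixes, the eth2 / eth2.2 layout and the server at 192.168.10.2.

```vyos
# ---------- Site A (EdgeRouter, EdgeOS v2.0.x) ----------
configure

# Phase 2: one selector per local/remote prefix pair. Tunnel 1 is the
# existing LAN <-> LAN selector; tunnel 2 adds VLAN <-> site B LAN.
# Assumed: esp-group ESP0 already exists from the working tunnel.
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP0
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 2 esp-group ESP0
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 2 local prefix 192.168.2.0/29
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 2 remote prefix 192.168.10.0/24

# Keep VLAN -> site B traffic out of the WAN masquerade rule. With this
# option EdgeOS generates NAT-exclude and firewall rules for every tunnel
# prefix. If the exclusion was instead written by hand as a 'service nat'
# exclude rule, 192.168.2.0/29 has to be added to that rule's source.
set vpn ipsec auto-firewall-nat-exclude enable

# VLAN ruleset, inbound on eth2.2. Rules match in numeric order, so the
# narrow accept for the one server must come before the RFC1918 drop.
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall name VLAN_IN default-action accept
set firewall name VLAN_IN rule 10 action accept
set firewall name VLAN_IN rule 10 description 'allow established/related'
set firewall name VLAN_IN rule 10 state established enable
set firewall name VLAN_IN rule 10 state related enable
set firewall name VLAN_IN rule 20 action accept
set firewall name VLAN_IN rule 20 description 'VLAN to site B server only'
set firewall name VLAN_IN rule 20 destination address 192.168.10.2
set firewall name VLAN_IN rule 20 protocol all
set firewall name VLAN_IN rule 30 action drop
set firewall name VLAN_IN rule 30 description 'block all other private ranges'
set firewall name VLAN_IN rule 30 destination group network-group RFC1918
set interfaces ethernet eth2 vif 2 firewall in name VLAN_IN

commit ; save ; exit

# ---------- Site B (mirror image) ----------
configure
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 esp-group ESP0
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 remote prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 2 esp-group ESP0
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 2 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 2 remote prefix 192.168.2.0/29

# Explicit NAT exclusion for replies to both site A prefixes (assumed WAN
# interface eth0; rule number chosen to sort before the masquerade rule).
set firewall group network-group SITE_A_NETS network 192.168.1.0/24
set firewall group network-group SITE_A_NETS network 192.168.2.0/29
set service nat rule 4000 description 'no NAT towards site A'
set service nat rule 4000 destination group network-group SITE_A_NETS
set service nat rule 4000 exclude
set service nat rule 4000 outbound-interface eth0
set service nat rule 4000 type masquerade

# Enforce the restriction at site B as well, so it holds even if the site A
# ruleset is loosened later. Decrypted tunnel packets enter on the WAN
# interface, hence the ipsec match on the WAN_IN ruleset; the drop rule
# only covers the VLAN prefix so LAN <-> LAN traffic is unaffected.
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'site A VLAN to server only'
set firewall name WAN_IN rule 20 ipsec match-ipsec
set firewall name WAN_IN rule 20 source address 192.168.2.0/29
set firewall name WAN_IN rule 20 destination address 192.168.10.2
set firewall name WAN_IN rule 21 action drop
set firewall name WAN_IN rule 21 description 'drop anything else from site A VLAN'
set firewall name WAN_IN rule 21 ipsec match-ipsec
set firewall name WAN_IN rule 21 source address 192.168.2.0/29
commit ; save ; exit

# Checks: expect two child SAs per peer (one per tunnel), and a rising
# packet counter on VLAN_IN rule 20 after a ping from a VLAN host to
# 192.168.10.2. A ping to any other 192.168.10.x host should count on rule 30.
show vpn ipsec sa
show firewall name VLAN_IN statistics
```

The order of operations matters for the symptom in the thread: until the second selector exists on both ends, VLAN packets never enter the tunnel and instead hit the WAN masquerade rule, which is why the VLAN could reach 1.1.1.1 but not site B. The firewall rules only become relevant once `show vpn ipsec sa` shows the 192.168.2.0/29 child SA up.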