@fuznutz04 said in Site to Site VPN - not passing audio traffic properly:

This one was interesting to get to the bottom of. @JaredBusch With the VPN tunnel enabled, the phone system was trying to send RTP to the phone on the internal IP. There is a setting in FreePBX on the extension level called "RTP Symmetric". Normally, this is set to yes. I changed it to no and the audio started flowing normally. However, I didn't like this solution. So, as a test, (and what I should have done from the beginning) I blocked all outbound traffic FROM my phone system, to any local network. (10.x, 172.16, 192.168, etc) This immediately solved the issue. I did not yet do a packet capture AFTER the fact to confirm, but I am assuming that blocking the PBX's ability to get to an internal private IP, forces the system to renegotiate and send the RTP to the correct public IP.

Definitely an odd issue.

nice you found a solution - I'm curious why it happens in the first place? Are some of the original phone's packet data still containing the original IP? And if so, why?
Are you using encrypted RTP?

@mukky said in ZeroTier Site-To-Site:

Bro @dafyre,
You make my life much easier...
Thank you !!

After soo much hassle to achieved opnsense site2site, i found this posting solve the problems with 2 essential modification as follows:

Two essential step:

Enable IP_Forward:
in free BSD we have to edit /etc/defaults/rc.conf
change from gateway_enable="NO" to gateway_enable="YES"

Set up the Site Routes at the Routers for Site A and Site B
it has configured and implemented in opnsense router section

@dafyre, since no body cover this on opnsense, I think it will wonderful, if you could made this video on youtube as well

Good Luck !!

I was struggeling for a month to figure it out, not much info on internet nor tutorial regarding zerotier for site2site. Eventually i succeed to make it work.

The key point to setting on opnsense are:

you have to install zerotier plugin

you have to make your own network on your zerotier account

you have to enable zerotier on your opnsense and adding zerotier connection in it to join your own network.

you have to assign network for zerotier - dont forget to "check" Enable Interface and Prevent interface removal. Also you have to put static ip with is the same ip address as shown on your zerotier joined network.

you have to put firewall rule for zerotier to accept any incoming traffic

you have to put firewall rule for WAN/ISP to accept any incoming traffic from specific source "Ztier.net"

in some cases it requires booting/restart your opnsense to take effect.

setting above will allow any incoming connection from any remote device via zerotier towards your opnsense ip address. (Ref: opnsense ip address = ip address of WAN/ISP). In result, you can remote access your opnsense via laptop from another city / ISP (laptop must have zerotier connection and joint the same network too). On your laptop you will be able to access your opnsense by its ip address assigned by zerotier.

in the case, for example, there is a NAS behind the opnsense that you want to access remotely,....... then you only have to open your zerotier account and put a route rule there

assumed:

your NAS local ip address: 192.168.5.10

NAS local Network on opnsense: LAN-1

your opnsense ip address assigned by Zerotier: 10.188.22.10

then you have to put firewall rule for LAN-1 to accept any incoming traffic from specific source "Ztier.net"

then you have to add "route" on your zerotier account dashboard:

192.168.5.10/32 via 10.188.22.10

in result from remote laptop you can remote access:

a. opnsense by pointing to 10.188.22.10

b. NAS by pointing to 192.168.5.10

(laptop must have zerotier connection and joint the same network too)

Thats it, good luck !

The problem is this:
On the Meraki side, let's say you have 5 (this can be any number greater than 1) firewalls.
In Meraki speak, if all 5 are in the same "organization", S2S is a few clicks & AutoVPN takes over. No pre-shared secret, no keys.
You turn on VPN, say yes to whatever subnets you want in the vpn & save.

On the ER side, I have to create 5 peers to connect to the Meraki side.
Meraki will only expose one connection for a 3rd party S2S & therein lies the problem.
Not all the tunnels connect & there's no good way to fix it.

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

Thanks to @Dashrender for the assist. It looks like the problem was authentication. I authenticated to the VPN using domain\username rather than using the User Principal Name. Doing the latter allowed me to reach DFS shares.

Woops, that's crazy but definitely there is an issue with DNS

huh?

If the user cannot login with UPN there is an issue with DNS.... As you should be able to use domain.com.

User can login with UPN. They were using the old domain\username method rather than UPN, which apparently caused problems with accessing stuff via the DFS namespace.

@JaredBusch

Good to know. I'm planning on starting this later this week. If I can get this working, I'm going to replace a PFSense firewall with an ERX or lite. Right now, this is the only thing that I dont have setup for ERX yet.