• IPSec-DMZ-zone and routing/traffic between DMZ and LAN

    0 Votes
    14 Posts
    3k Views

    Working solution: I was finally able to get what I wanted by manipulating the strongswan config manually and restarting IPsec.

    pfSense already has a bypass LAN setting that can be checked and unchecked in its IPsec config, so my solution is just to edit the list of networks that have the status "Shunted".

    Can be done via the GUI: Diagnostics -> Command Prompt -> Paste Command -> Execute

    (Using sed to replace the relevant lines in the strongswan-config-file and restart ipsec)

    sed -i '' -e 's#192.168.250.0/23,fdd0:192:168:250::/64#192.168.250.0/23,[DMZ-IPv4-NET]/29,fdd0:192:168:250::/64,[DMZ-IPv6-NET]/64#g' /var/etc/ipsec/ipsec.conf && ipsec restart

    If one runs ipsec statusall, then all necessary networks (both LAN-to-LAN, and DMZ-to-LAN) will be listed under "Shunted Connections".

  • Trouble Routing between our Old LAN and our New pfSense VLANs

    0 Votes
    2 Posts
    345 Views
    JSchenk

    OK, I have figured this out, so I am sharing here in the hopes it helps others. I was doing a few significant things wrong.

    A much-simplified example:

    New site network: Netgate/pfSense firewall/router, 192.168.1.0/24 LAN (actually VLAN'd, half a dozen subnets, etc.)

    Old site network: Cisco Firepower firewall/router, 172.31.0.0/16 (no VLANs, subnets, etc.)

    I needed to make the old network play nice with the new one until resources could be fully migrated over time.

    I tried defining an interface on the new network that used an IP address from the old network, setting up routing and rules between the two, etc. That ended badly.

    Maybe I had it backwards: I tried defining an interface on the old network that used an IP address from the new network, setting up routing and rules between the two, etc. That ended badly.

    I tried setting up a new simple, dedicated subnet solely for the purpose of interconnecting the two routers to manage transferring data between the two networks, static routes, etc. That did work.

    I call it a transport network, but I bet you networking guys who know what you are doing actually already have a name for it (I'd be curious what that is).

    Where making the new network at one geographic site talk to the old network at a different site is concerned, I discovered that adding P2s on the IPSEC S2S tunnels was the trick (and not setting static routes, which I had tried).

    Problem solved. Thanks.

  • WAN Failover not... failing over

    0 Votes
    2 Posts
    191 Views

    Forgot to mention, I also then edited the LAN rule to allow all on LAN to all using the Wan_Group gateway.

  • Static IP Routing for File Server LAN IP

    0 Votes
    1 Post
    127 Views
    No one has replied
  • site-to-site VPN with WAN failover

    1 Vote
    1 Post
    120 Views
    No one has replied
  • Multiple wan ip blocks on a single interface

    0 Votes
    16 Posts
    1k Views
    johnpoz

    You're not going to be able to subnet it out if it's directly connected and you're bridging it.

    Why is /24 too many for a 1:1? It's not like you have to set up each one on its own, you just do a 1:1 for the whole /24.

    Your x.x.163.0/24 would just map to say 192.168.163/24 where .1 is .1 and .2 is .2 and so on..

    The correct solution for using a /24 would be for the /24 to be routed to you..

  • pfsense vm cannot connect other networks

    0 Votes
    1 Post
    88 Views
    No one has replied
  • VLANS using 2nd WAN not able to access each other

    0 Votes
    9 Posts
    845 Views

    Duh...Ah geez I wasn't thinking. Thanks again.

  • Force client to use 2nd gateway

    0 Votes
    11 Posts
    968 Views

    @CvH said in Force client to use 2nd gateway:

    I do it as soon as possible, tx !

    as soon as possible was today 🙈 and it worked
    tx a lot !

  • Run scripts when failover occurs?

    1 Vote
    1 Post
    115 Views
    No one has replied
  • need WAN Network to access LAN network and vise versa

    0 Votes
    5 Posts
    609 Views
    johnpoz

    172.1.1/24 - dude come on!!

    NetRange: 172.0.0.0 - 172.15.255.255
    Organization: AT&T Corp. (AC-3280)

    Don't use address space that is not yours. Use valid RFC space; 172.16.1/24 would be fine.

    So did you turn off NAT? If not, to get to stuff behind pfSense you would have to port forward. If you want to route and firewall only, then make sure you turn off NAT.

    And yes, devices sitting on your 192.168 WAN network would need a host route to tell them how to get to the 172 and 10 networks. If your clients on your WAN are talking to some other router as their default, then yeah, they would need a route to get to what's behind pfSense. If you try and route them off your default router you're going to run into an asymmetric routing problem.

    The correct solution here is to have your downstream router (pfsense) connected to your upstream via a transit network.

  • 0 Votes
    1 Posts
    123 Views
    No one has replied
  • Split Tunnel with traffic selection

    0 Votes
    4 Posts
    905 Views

    @meaglerick said in Split Tunnel with traffic selection:

    It is a daemon (dns_parser) written in C that uses the Netgraph kernel system to filter traffic. And I wrote a small utility that saves and restores the contents of the tables in the database when you reload the rules.


    I need to think about how to explain to you how to set it up and run it.
    Send me your email in a private message.

  • Cant see other network from public IP

    0 Votes
    2 Posts
    113 Views
    demonmaestro

    I got it figured out.
    I had to add a rule after the block to allow the certain IPs.

  • Routing through Wireless Client Bridge (Diagram)

    0 Votes
    3 Posts
    1k Views

    First you need to configure "Client" mode. Everything is exactly the same as I showed above. When everything is set up and the Internet through the router works, you need to set exactly the same Wi-Fi network settings as on the main router.

  • PfSense losing the route for the loopback interface (127.0.0.1)

    0 Votes
    3 Posts
    385 Views
    0daymaster

    Absolutely no clue. But every time it happens ntopng dies because it can't connect to Redis.

  • Multiple Public IPs on Azure virtual appliance

    0 Votes
    3 Posts
    784 Views

    @viragomann can you explain this setup a bit more, starting from the Azure console? The additional IPs would need to be bound to the pfSense WAN interface using PowerShell first, correct?

  • Routing OpenVPN to IPsec site to site

    0 Votes
    4 Posts
    357 Views

    And due to different reasons, let's say that the site-to-site is 10.35.0.0/16,
    and OpenVPN clients need to be 192.168.xxx.xxx
    due to restrictions of already used networks.
    And since it is IPSec site to site, they are not local networks, but routes into a local network.
    From 172.16.20.0/24 to 10.35.0.0/24 local.

  • Default gateway handling since 2.5 update, broke my gateway groups

    0 Votes
    1 Post
    102 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.