Utilizing single tunnel to be routed to different gateway
-
Hi,
I have 3 pfSense (1 is in cloud and the other 2 are 1100 and 3100 appliances). I have setup VPN tunnels to each of them (Site A <--> Site B and C and Site B --> Site C). For Site B, I have another tunnel configured to two different sites (Site D and Site E). I have clients on Site C where I want to route traffic via Site B on different gateways. For OpenVPN, I understand the site will be using the Tunnel IP to do policy routing. Is there a way I can differentiate clients on Site C so that policy routing can be done and specify a gateway on Site B? Thanks in advance.
-
@depam
As long as you only route the traffic, but do not NAT, you would see the origin client IP on the remote site.
So you can add the desired IPs to aliases and policy route them on the incoming interface at B to wherever you want.
-
@viragomann Thanks. How do I do that? When I applied policy routing on a client from Site C for example, I specify the OpenVPN gateway interface which in turn arrives at the other end using the OVPN interface IP. If that is possible then it's easier for me to route each client/subnet with a finer grain of control. Thanks in advance
-
@depam said in Utilizing single tunnel to be routed to different gateway:
When I applied policy routing on a client from Site C for example, I specify the OpenVPN gateway interface which in turn arrives at the other end using the OVPN interface IP.
So you might have an outbound NAT rule in place at C doing masquerading on this traffic. As I mentioned above, you must not do that.
To route the traffic properly without NAT, remove the outbound NAT rule. And only NAT the traffic at B on the WAN interfaces.
-
@viragomann Thank you. I thought the outbound NAT is required so that the subnet can go out to the VPN interface on the site it is on. Are you talking about Site C to Site B hosts? If I needed to route internet traffic thru the other tunnel and use a VPN on Site B, won't that need to be defined on outbound? I'm looking at something like a pure traversal of traffic. The flow looks something like this:
1.) Site C host1 --> Site A --> Site B --> OVPN GW1 --> internet1
2.) Site C host2 --> Site A --> Site B --> OVPN GW2 --> internet2
3.) Site C host3 --> Site B host1
I managed to make flow 3 above work without issue. I had issues with the two other flows and need to know what settings I need so that Site B will receive the traffic from the Site C clientx IP address and perform policy routing on Site B thru the different gateway. Thanks in advance.
-
@depam
Outbound NAT is required where the traffic goes out to a network which has no route to the origin client IP. E.g. on the WAN interface.
As long as the origin IP is known and there are routes for it in place, NAT is not required.
So in your case for 1 and 2 you have to add an outbound NAT to the WAN interfaces at B for the source of the C subnet, but don't NAT the traffic anywhere before in the path.
What I mentioned above regarding the interface rules is not even needed in this case. So I will edit my post and remove this to prevent confusion.
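As an added illustration of the rule described in the two answers above (do not NAT on the tunnels; NAT only on the exit interfaces at B; policy route on B's inbound tunnel interface by the client IP that is still visible), here is a hand-written pf ruleset sketch. It is not pfSense-generated configuration and not code from this thread; every interface name, subnet, table and next-hop address in it is an assumption made up for the example.

```pf
# Hand-written pf sketch (not pfSense output). Assumed interfaces at Site B:
#   em0    = WAN
#   ovpns1 = site-to-site tunnel on which traffic from Site C (via A) arrives
#   ovpnc1 = OpenVPN client tunnel to external Site D (OVPN GW1)
#   ovpnc2 = OpenVPN client tunnel to external Site E (OVPN GW2)
site_c_net = "192.168.30.0/24"        # constructed example subnet for Site C
table <site_c_host1> { 192.168.30.10 } # constructed example client IPs
table <site_c_host2> { 192.168.30.20 }

# Problem case: an outbound NAT on the tunnel interface at the sending site
# (C or A) rewrites the source to the tunnel address, so B only ever sees the
# tunnel endpoint and cannot tell host1 from host2. Do NOT have a rule like this
# on any tunnel interface earlier in the path:
# nat on ovpns1 from $site_c_net to any -> (ovpns1)

# Correct case: translate only where there is no route back to the origin IP,
# i.e. on the interfaces through which B reaches the internet / external sites.
nat on em0    from $site_c_net to any -> (em0)
nat on ovpnc1 from $site_c_net to any -> (ovpnc1)
nat on ovpnc2 from $site_c_net to any -> (ovpnc2)

# Policy routing on B's inbound tunnel interface, keyed on the still-visible
# client IP. Next-hop addresses are the assumed far-end tunnel IPs.
pass in quick on ovpns1 inet from <site_c_host1> to any \
    route-to (ovpnc1 10.8.1.1) keep state
pass in quick on ovpns1 inet from <site_c_host2> to any \
    route-to (ovpnc2 10.8.2.1) keep state
# Site-to-site traffic (flow 3) keeps using the normal routing table.
pass in quick on ovpns1 inet from $site_c_net to any keep state
```

In the pfSense GUI the equivalent is: Firewall > NAT > Outbound set to Hybrid or Manual with mappings only on the WAN/exit interfaces at B (and no mapping for the Site C subnet on any OpenVPN interface at A or C), plus rules on B's OpenVPN interface with a Source alias per client and the Gateway field set to the desired OpenVPN client gateway. For the origin IP to be visible at B, the Site C subnet must also be routed end to end, i.e. listed in the Remote Networks of the tunnels on A and B.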
-
@viragomann Thank you for the guidance. I am trying to trace my outbound NATs and VPN configuration. It seems that I have outbound NAT from Site C to Site A as it needs to traverse traffic to A before going to B. Then on Site A, I have another outbound NAT from the VPN address (Site A to C) going to B. If I understand your inputs, I guess I need to do the following:
1.) Remove outbound NAT on Site A for Subnet C using OVPN address
2.) On Site A OVPN Tunnel, add Site C as IPV4 remote address together with subnets on Site B that it needs to access
3.) Create policy routing for Site C to Site A
4.) Create policy routing for Site A to Site B
Hope I got it correctly cause I wanted to lessen the interruption when I apply it. Thanks in advance.
-
@depam said in Utilizing single tunnel to be routed to different gateway:
Site A <--> Site B and C and Site B --> Site C
From this it's not really clear between which sites you have VPN tunnels.
If you have a tunnel between B and C there is no need to route the traffic over A at all.
Maybe you can post a diagram which shows all connections and describe how you have the tunnels configured.
-
@viragomann Thank you. I have tried to upload the diagram here but it's not showing up. Anyway, the latency between Site B and C is quite high, hence I want to route it via Site A which is faster since it's already hosted in the AWS cloud. Preferably, go to Site A but can have the slower connection as backup via Gateway Group. I have tunnels across all sites A, B and C configured with the /30 (Peer to Peer TLS) approach similar to the deprecated Shared Key. In addition, Site B has an OpenVPN client connecting to an external site.
I want to route some clients from Site C to traverse traffic to Site B (via Site A) and control the routing policy in the Site B firewall to route it to the external site it's connected to. I hope what I mentioned here is understandable.
-
@depam said in Utilizing single tunnel to be routed to different gateway:
Anyway, the latency between Site B and C is quite high, hence I want to route it via Site A which is faster since it's already hosted in the AWS cloud.
I don't get it. If there is high latency from B to C I'd assume it's either on B's upstream connection or on C's. So if you go from C > A > B > internet, I'd expect that you have at least the same high latency, since the problematic path is inevitably part of this new path.
Preferably, go to Site A but can have the slower connection as backup via Gateway Group. I have tunnels across all sites A, B and C configured with the /30 (Peer to Peer TLS) approach similar to the deprecated Shared Key. In addition, Site B has an OpenVPN client connecting to an external site.
The problem you're facing with this is, if you set the routes in the VPN connections with the "Remote Networks" and both VPNs are connected (A <=> B / A <=> C and B <=> C) you would have two routes between B and C. I don't know which one is taken in this case. I guess that one which is established last, but not sure.
So I cannot say that this will work as intended.
However, it should work if you disable B <=> C though.
How did you configure the gateway groups?