Netgate Discussion Forum
    How to handle IPsec with Dual WAN?

    andy:

      I have 2 WAN connections: DSL and Cable.  I have an IPsec VPN setup on the DSL WAN (primary WAN interface) for 10.0.0.0/16.

      I can't figure out how to route all traffic to 10.0.0.0/16 from my LAN 192.168.100.0/24 over the VPN.  I tried adding a LAN firewall rule forcing all traffic for the 10-net to my WAN IP gateway, but this doesn't work.

      If I try to ping a host on the remote network, my state table shows it going out my internet interface:

      icmp  192.168.100.11:18245 -> <DSL public IP>:23317 -> 10.0.0.1  0:0

    hoba:


        You have to use gateway default instead of the interface IP of your WAN. In your case you route the traffic directly to the upstream gateway, so IPsec doesn't even see it and the traffic doesn't get encapsulated.


    andy:


          Thanks, that makes sense. I'm still unable to ping the remote network.

          Should I be able to ping the remote network from the pfSense shell? I'm not clear on how routing is handled from the local pfSense box.

          One interesting thing, if I try a traceroute to the remote network from my LAN, I get this:

          traceroute to 10.0.0.1 (10.0.0.1), 64 hops max, 40 byte packets
           1  pfsense (192.168.100.1)  1.975 ms  1.560 ms  1.506 ms
           2  pfsense (192.168.100.1)  104.110 ms  107.204 ms  106.243 ms
           3  * * *


          I think this means it's reaching the other side of the tunnel at least.


    hoba:


            You need to use the LAN IP as the source if you try to ping through the tunnel from the pfSense itself. Try from a client behind the pfSense, or use the LAN IP as the source. In the webGUI, for example, use interface LAN at Diagnostics > Ping. Another option is to add a static route to the remote subnet via gateway LAN IP of the local pfSense.

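As an added example that is not part of the thread, a small POSIX shell check over `pfctl -ss` style state lines for the symptom andy posted: a state whose destination is in the IPsec remote subnet but which carries a NAT hop through the WAN IP left the WAN in the clear instead of entering the tunnel. The WAN IP and the sample state lines are constructed placeholders; the remote subnet is the thread's 10.0.0.0/16.

```shell
#!/bin/sh
# Added example (not from the original posts): flag pfSense states that show
# remote-subnet traffic being NATed out the WAN, i.e. policy-routed to the
# upstream gateway so IPsec never saw it. Input follows the `pfctl -ss` layout:
#   proto src:port -> [nat_ip:port ->] dst[:port] state
# WAN_IP is a constructed placeholder for the DSL public IP.

WAN_IP="203.0.113.10"      # placeholder for the DSL public IP
REMOTE_PREFIX="10.0."      # dotted prefix covering 10.0.0.0/16

# Constructed sample states: line 1 is the bypass case from the thread, line 2
# a state that entered the tunnel (no NAT hop), line 3 ordinary NATed traffic.
SAMPLE_STATES="icmp 192.168.100.11:18245 -> $WAN_IP:23317 -> 10.0.0.1 0:0
icmp 192.168.100.11:18246 -> 10.0.0.1 0:0
tcp 192.168.100.20:51234 -> $WAN_IP:61000 -> 93.184.216.34:443 ESTABLISHED:ESTABLISHED"

# find_bypassing_states STATES: print each state that has a NAT hop through
# the WAN IP followed by a destination inside the remote subnet.
find_bypassing_states() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *" -> $WAN_IP:"*" -> $REMOTE_PREFIX"*) printf '%s\n' "$line" ;;
        esac
    done
}

# count_bypassing_states STATES: number of such states; 0 means every state
# towards the remote subnet is going into the tunnel rather than out the WAN.
count_bypassing_states() {
    find_bypassing_states "$1" | wc -l | tr -d ' '
}

# On the firewall itself feed it the live table:
#   count_bypassing_states "$(pfctl -ss)"
```

After changing the LAN rule's gateway from the WAN gateway to default, as hoba advises, new states towards 10.0.0.0/16 should no longer show the WAN-IP hop and the count should drop to 0.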
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.