Netgate Discussion Forum
    IPSec: pfSense - Fritzbox routing question

    bdk-brhl

      Hi Folks,

      Being still a newbie with pfSense and all this network stuff, I managed to establish a site-to-site VPN between my pfSense and a Fritz Box 7490 following https://znil.net/index.php?title=FritzBox_-_Site_to_Site_VPN_zu_pfSense_2.2

      I run the pfSense as firewall router behind a Netgear router doing DSL (I plan to replace this with a Vigor 130 so that the pfSense may also do the DSL stuff), but at the moment the general setup is working.

      The Fritz Box is modem and router.

      On the pfSense side (let's say: home) I have three networks:

      WAN => 192.168.100.0/30
      INT1 => 192.168.200.0/27
      INT2 => 192.168.300.0/29

      On the Fritz Box (let's say: remote) there is only one network:

      LAN => 192.168.500.0/24

      On the pfSense (home) I added an IPSec Firewall Rule according to the howto

      PASS - any:any

      and on the remote site I used the following for the Fritz config (I guess this is the relevant part):

      phase2remoteid {
          ipnet {
              ipaddr = 192.168.100.0;
              mask = 255.255.255.252;
          }
      }
      phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
      accesslist = "permit ip any 192.168.100.0 255.255.255.252";
      }

      Now I found tons of posts explaining how to route all traffic through this tunnel, but this is NOT what is supposed to happen. I only want traffic from the remote network to my home networks and from the home networks to the remote network.

      Actually there should only be traffic allowed between dedicated services in these networks.

      Could someone please give me a hint where to start here, as I'm a bit stuck on how to modify my config?

      Thanks

      Mat


      mikee

        Hi Mat.

        You can set the firewall rule as you like. You do not need to use an 'allow any any'. In the IPSec tab you can write the rules you want.

        If you want only service 53 to pass through between net a and net b, you can write a rule that only allows traffic from a:53 (or whatever) to b:53. It is the same as any other firewall rule.

        Regards.

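As an added illustration (not from either poster), this is what the rules mikee describes amount to in pf syntax: pfSense binds IPsec-tab rules to the enc0 interface and filters traffic on the interface where it enters, so tunnel-to-home traffic is filtered on enc0 and home-to-tunnel traffic on the home LAN interface. Assumptions: 192.168.200.0/27 is INT1 from the first post; 192.168.50.0/24 is a constructed stand-in for the remote LAN; igb1 and 192.168.200.10 are an assumed INT1 interface name and resolver address.

```pf
# Added example, not from the posts. Macros for the constructed/assumed values.
int1_if    = "igb1"             # assumed physical interface for INT1
home_int1  = "192.168.200.0/27" # INT1 from the post
home_dns   = "192.168.200.10"   # assumed resolver on INT1
remote_lan = "192.168.50.0/24"  # constructed stand-in for the Fritz Box LAN

# Default deny in both directions. No 'quick' here, so a later matching
# pass rule (which does use 'quick') overrides it; anything unmatched is dropped.
block in log on enc0 all
block in log on $int1_if from $home_int1 to $remote_lan

# Tunnel -> home (IPsec tab): remote hosts may reach only DNS on the INT1 resolver.
pass in quick on enc0 proto { udp tcp } from $remote_lan to $home_dns port 53 keep state

# Home -> tunnel (INT1 tab): INT1 hosts may reach only HTTPS on the remote LAN.
# Reply traffic for both rules is allowed by the state entry; no mirror rule is needed.
pass in quick on $int1_if proto tcp from $home_int1 to $remote_lan port 443 keep state
```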
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.