Netgate Discussion Forum

One VLAN through WAN address, one VLAN through IPSec

Routing and Multi WAN
12 Posts 2 Posters 1.0k Views
Phatsta
last edited by Jan 15, 2018, 9:41 PM

Hey, hope someone could help me see the solution, I think I've stared myself blind here.

I have on one side a pfSense 2.4.2 with 4 interfaces:
WAN: bla.bla.bla.bla
LAN: 192.168.1.1
VLAN100: 172.16.200.254
VLAN200: 10.10.188.254

There's a working IPsec up to the other side (VLAN200 to VLAN999), which is a pfSense 2.3.4 with 3 interfaces:
WAN: bla.bla.bla.bla
LAN: 10.10.0.254
VLAN999: 10.255.255.254

What I want to do is route all traffic from 10.10.188.0/24 through the 10.255.255.254 gateway (mark, not ALL traffic, just from that specific VLAN). But I can't seem to do that any way. I've tried adding 10.255.255.254 as a gateway in the first router, but it keeps saying "IP does not lie within one of the chosen interface's subnets". So I can't make a firewall rule routing through a specific gateway. My first thought doesn't work because of this either: to simply change the outbound NAT for the IF to use the other gateway.

I tried using outbound NAT and just use "other subnet (10.255.255.254)", but that stops traffic on that VLAN completely.

I'm lost. Ideas please!

Derelict LAYER 8 Netgate
last edited by Jan 15, 2018, 10:45 PM

IPsec is not the best solution for that. OpenVPN and policy routing is better. IPsec is not routed. Traffic is forwarded using kernel traffic selectors.

But if you must use IPsec:

You need a Phase 2 traffic selector on the first router for:

Local network: 10.10.188.0/24
Remote network: 0.0.0.0/0

And one on the second router for:

Local network: 0.0.0.0/0
Remote network: 10.10.188.0/24

If you want internet, you need to be sure you have outbound NAT on the second router for source network 10.10.188.0/24.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

Phatsta
last edited by Jan 16, 2018, 7:07 PM

Thanks for the reply! I have set it up like this now, and am expecting feedback tomorrow. Hope it works! Seems logical though, now that you gave me the answer.

I will also consider OpenVPN next time, maybe that'll be easier in fact. Thanks for that.

Phatsta
last edited by Jan 17, 2018, 7:55 AM

Hey, I can't troubleshoot because I'm nowhere near the customer site, but the customer called and said their internet is not working at all. Changed the remote network @ router1 back to the initial settings meanwhile, but I can't really understand why it didn't work. The way I set it up was:

Phase 2 of router 1:
Local network: (IF VLAN200 subnet) 10.10.188.0/24
Remote subnet: 0.0.0.0/0

Phase 2 of router 2:
Local subnet: 0.0.0.0/0
Remote network: 10.10.188.0/24

And in Firewall - NAT - Outbound:
WAN / 10.10.188.0/24 / * / * / * / WAN address / * / Randomize port

Derelict LAYER 8 Netgate
last edited by Jan 17, 2018, 4:32 PM

And in Firewall - NAT - Outbound:
WAN / 10.10.188.0/24 / * / * / * / WAN address / * / Randomize port

On what router?

Phatsta
last edited by Jan 22, 2018, 5:00 PM

I had to try again just to make sure I didn't f-up somewhere, but I didn't. The outbound rule was on the second router. Had an onsite user on the phone while trying, but as soon as I enable the IPsec, internet dies on that subnet.

Router 1:
IPsec established
Phase 2 local subnet: (IF VLAN200) 10.10.188.0/24
Phase 2 remote subnet: 0.0.0.0/0

Router 2:
IPsec established
Phase 2 local subnet: (network) 0.0.0.0/0
Phase 2 remote network: 10.10.188.0/24
Manual outbound NAT: WAN / 10.10.188.0/24 / * / * / * / WAN address / * / Randomize port

Derelict LAYER 8 Netgate
last edited by Jan 22, 2018, 5:47 PM

Does the IPsec come up? Does the Phase 2 establish?

Do the IPsec rules on the second router pass all traffic?

In the end, anything with a 0.0.0.0/0 destination is pretty difficult with IPsec site-to-site. I have not actually tested this personally.

Phatsta
last edited by Jan 22, 2018, 5:50 PM

Yes, IPsec is coming up, both phase 1 and 2. Yes, for testing, rules are set to "allow all", all ports, all IPs.

I'm actually replanning and trying with OpenVPN right now. Might be doable.

Phatsta
last edited by Feb 13, 2018, 8:25 PM

Derelict,

I have now changed to OpenVPN, but my success rate is about 0 still. I get the tunnel up and running. And if I make outbound NAT rules and check "Force all client-generated IPv4 traffic through the tunnel", I can even make all the subnets route through my OpenVPN server. But when I try to limit it to just one subnet, it just doesn't work.

Site A:
OpenVPN server, all default settings except "Force all client-generated…" is unchecked
LAN: 10.10.0.250/24
OpenVPN subnet: 10.250.250.0/24

Site B:
OpenVPN client, all default settings except in custom options: "route-nopull;"
Subnet1: 192.168.138.0/24
Subnet2: 172.16.200.0/24
Subnet3: 10.10.188.0/24
OpenVPN IP: 10.250.250.2
OpenVPN GW exists with IP: 10.250.250.1
Outbound NAT rule: IF:OpenVPN, source:10.10.188.0/24, NAT-address:OpenVPN address

What I try to do is let subnet 1 and 2 go through the local gateway, and just route subnet 3 through the tunnel. This doesn't happen. I can ping the OpenVPN gateway at 10.250.250.1 but nothing further than that. Also tried adding an outbound NAT rule at site A, but it didn't make a difference.

Could you point me in the right direction?

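The two forwarding models argued over in this thread can be made concrete with a small simulation. The following Python block is an added example written for this thread; it is not pfSense code and not something either poster supplied. It models Derelict's point that IPsec is not routed (a packet is tunnelled when its source/destination pair matches a Phase 2 traffic selector, before the routing table is consulted, and the second router then needs outbound NAT for the remote source), and it models the OpenVPN setup Phatsta describes for site B (a firewall rule that sends only subnet 3 to the OpenVPN gateway, plus outbound NAT to the OpenVPN address). The interface subnets and addresses are taken from the posts; the /24 masks for router 2's subnets, the gateway names `OPENVPN_GW` and `WAN_GW`, the rule order, and the extra rule that keeps traffic for the other local subnets off the tunnel are assumptions made for the model. The IPsec model deliberately has no bypass entries for directly connected subnets, so it shows the plain selector behaviour only.

```python
"""Added simulation of the two forwarding models in this thread (not pfSense
code): IPsec kernel traffic selectors vs. OpenVPN plus policy routing.
Addresses come from the posts; rule order, gateway names, router 2's masks
and the local-destination rule are assumptions made for the model."""
from ipaddress import ip_address, ip_network

# Router 1 / site B interface subnets, from the first post.
LOCAL_NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "VLAN100": ip_network("172.16.200.0/24"),
    "VLAN200": ip_network("10.10.188.0/24"),
}

# --- IPsec model ------------------------------------------------------------
# Router 1 Phase 2 selector as suggested: local 10.10.188.0/24, remote 0.0.0.0/0.
IPSEC_SELECTORS = [(ip_network("10.10.188.0/24"), ip_network("0.0.0.0/0"))]


def ipsec_decision(src, dst, selectors=IPSEC_SELECTORS):
    """IPsec is not routed: a packet whose (src, dst) pair matches a Phase 2
    selector is tunnelled before the routing table is consulted.  This plain
    model has no bypass entries for directly connected subnets, so traffic
    from VLAN200 to the other local VLANs also matches the 0.0.0.0/0 selector."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in local and d in remote:
            return "ipsec"
    return "route"


# Router 2 WAN outbound NAT: its own subnets (masks assumed /24) plus the
# manual rule for the remote 10.10.188.0/24 that is needed for internet access.
ROUTER2_WAN_NAT = [ip_network("10.10.0.0/24"), ip_network("10.255.255.0/24"),
                   ip_network("10.10.188.0/24")]


def router2_wan_source(src, nat_sources=ROUTER2_WAN_NAT):
    """Source address a packet carries when router 2 sends it out its WAN.
    An untranslated private source would never get a reply from the internet."""
    s = ip_address(src)
    return "WAN address" if any(s in n for n in nat_sources) else src


# --- OpenVPN + policy routing model ------------------------------------------
# Firewall rules on the VLAN200 interface, top-down, first match wins.
# gateway=None means "let the routing table decide".
POLICY_RULES = [
    # Assumed rule: traffic to the other local subnets stays off the tunnel.
    {"src": ip_network("10.10.188.0/24"), "dst": list(LOCAL_NETS.values()), "gateway": None},
    # Rule from the thread: everything else from subnet 3 uses the OpenVPN gateway.
    {"src": ip_network("10.10.188.0/24"), "dst": [ip_network("0.0.0.0/0")], "gateway": "OPENVPN_GW"},
]
GATEWAY_IFACE = {"OPENVPN_GW": "OpenVPN", "WAN_GW": "WAN"}  # assumed gateway names
# Outbound NAT: (interface, source network, translate to).
OUTBOUND_NAT = [
    ("OpenVPN", ip_network("10.10.188.0/24"), "10.250.250.2"),  # site B OpenVPN address
    ("WAN", ip_network("0.0.0.0/0"), "WAN address"),            # default automatic NAT
]


def routing_table(dst):
    """Plain routing: directly connected subnets, otherwise the default route."""
    for name, net in LOCAL_NETS.items():
        if dst in net:
            return name, None
    return "WAN", "WAN_GW"


def policy_route(src, dst, rules=POLICY_RULES):
    """Return (egress interface, gateway, source address after outbound NAT)."""
    s, d = ip_address(src), ip_address(dst)
    gateway = None
    for rule in rules:
        if s in rule["src"] and any(d in n for n in rule["dst"]):
            gateway = rule["gateway"]
            break
    if gateway is None:
        iface, gateway = routing_table(d)
    else:
        iface = GATEWAY_IFACE[gateway]
    for nat_iface, nat_src, translate in OUTBOUND_NAT:
        if nat_iface == iface and s in nat_src:
            return iface, gateway, translate
    return iface, gateway, src  # no NAT match: leaves with its original source


if __name__ == "__main__":
    for src, dst in [("10.10.188.7", "8.8.8.8"), ("192.168.1.7", "8.8.8.8"),
                     ("10.10.188.7", "172.16.200.9")]:
        print(f"{src} -> {dst}: ipsec={ipsec_decision(src, dst)}, "
              f"openvpn={policy_route(src, dst)}")
```

Running the block shows the difference: under the selector model every packet from 10.10.188.0/24 is pulled into IPsec regardless of destination, including packets for the other local VLANs, while traffic from the LAN is untouched. Under the policy-routing model only subnet 3 is steered to the OpenVPN gateway and translated to the OpenVPN address; calling `policy_route` with `POLICY_RULES[1:]` (the thread's rule without the assumed local-destination rule above it) shows inter-VLAN traffic being sent into the tunnel as well, which is why that ordering matters.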
Derelict LAYER 8 Netgate
last edited by Feb 13, 2018, 8:43 PM

Please provide more details such as the type of OpenVPN you set up (SSL/TLS, etc.)

And what you are putting in the Local and Remote Network fields on each side, the Tunnel network settings, etc.

Phatsta
last edited by Feb 13, 2018, 9:25 PM

@Derelict:

Please provide more details such as the type of OpenVPN you set up (SSL/TLS, etc.)

P2P SSL/TLS, multihomed. Both routers are running version 2.4.2, which is confusing me somewhat, because they don't seem to have the same options as older versions.

@Derelict:

And what you are putting in the Local and Remote Network fields on each side, the Tunnel network settings, etc.

I didn't put any networks in local / remote. I don't even have an option for remote in site A, which I find weird.

My aim was to manually route subnet 3, so I kept away from adding too many options.

Derelict LAYER 8 Netgate
last edited by Feb 19, 2018, 4:13 AM

PTP SSL/TLS with a tunnel network larger than a /30 puts the server side into server mode.

This means that you have to have remote networks on the server configuration to get the traffic into OpenVPN; then you also have to have Client-Specific Overrides with the remote networks set to tell OpenVPN which client to send the traffic to. Even if there is only one.

You might try setting the tunnel network to /30 and see if things start to make more sense. Especially if there will only ever be one client.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.