    Route Internet Traffic over S2S VPN

leacho73:

      Hi,

I've got a S2S VPN between 2 pfSense boxes, which each have their own internet connections via PPPoE.

I want to be able to route all traffic from Site B through the external internet connection of Site A; however, no matter what I do (I've even installed 2 VyOS routers to route 0.0.0.0/0 via Site A), the pfSense box at Site B still routes the traffic out of its local PPPoE connection.

      Is it possible to stop this behaviour and route internet traffic through the VPN and out of Site A?

      Thanks

Derelict (Netgate):

        Use OpenVPN for that. If you REALLY want to use IPsec, use a VTI.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

leacho73:

Thanks @Derelict,

I've reconfigured both ends as a VTI now, and I can route between the two ends just fine; however, when the traffic from Site B hits the pfSense box, it's routing it out of its local PPPoE connection.

I think the issue is that because the IPsec interface is virtual, I can't connect any other device to it, so I naturally have to send all traffic through another interface on the pfSense box in order to hop over to the IPsec interface, and it defaults it out the PPPoE connection.

          Any other ideas? Could I bridge the 'physical' (vmnet3) interface with the IPsec Interface?

Derelict (Netgate):

            No bridge. Policy route your internet traffic out the VTI.

            Just like any other "VPN as WAN" solution like OpenVPN.

            You will need to NAT for the source addresses on the side that has the internet WAN being used.

            https://www.youtube.com/watch?v=lp3mtR4j3Lw

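The policy-route-plus-NAT setup Derelict describes, written out as the pf ruleset pfSense generates behind the GUI. This is an added example for this thread, not Derelict's or Netgate's configuration. All addresses, the VTI peer pair (10.255.0.1/10.255.0.2) and the interface names (vmx2, pppoe0, ipsec1000) are constructed or assumed; check the real names under Interfaces and Status > IPsec on each box. On pfSense these rules are entered in the GUI rather than in pf.conf: the Site B LAN rule with its Gateway set to the VTI gateway (Firewall > Rules > LAN), the Site A outbound NAT mapping (Firewall > NAT > Outbound), and the static routes through the VTI (System > Routing). The two sections are separate rulesets, one per box, shown in a single listing only for readability.

```conf
# ===== Site B (the site whose LAN must egress via Site A) =====
lan_if    = "vmx2"            # assumed; the poster's "vmnet3" interface
wan_if    = "pppoe0"          # Site B's own PPPoE link (assumed name)
vti_if    = "ipsec1000"       # assumed VTI interface name from the routed P2
vti_peer  = "10.255.0.1"      # constructed: Site A's end of the VTI /30
lan_net   = "192.168.2.0/24"  # constructed: Site B LAN
siteA_net = "192.168.1.0/24"  # constructed: Site A LAN

# Deliberately NO outbound NAT mapping for $lan_net on $wan_if. With pfSense's
# automatic outbound NAT, any packet that escaped the policy route would leave
# with a valid public source and silently work; without the mapping it keeps
# its private source and is dropped upstream or by the rule below.
# (pfSense: Firewall > NAT > Outbound, Hybrid/Manual mode, no LAN->WAN mapping.)

# Belt-and-braces: LAN sources must never leave on the local WAN. Note this only
# fires with interface-bound states; a floating state created on the LAN rule
# would bypass it, so the gateway-down setting mentioned below is the real guard.
block out quick on $wan_if inet from $lan_net to any

# Site-to-site traffic follows the routing table (static route to $siteA_net via
# $vti_peer). It must precede the catch-all, or route-to would apply to it too.
pass in quick on $lan_if inet from $lan_net to $siteA_net keep state

# Everything else from the LAN is policy-routed into the VTI. route-to overrides
# the kernel default route (the PPPoE link), which is the behaviour the thread
# was missing. In the GUI this is the LAN rule with Gateway = the VTI gateway.
# If the VTI gateway is down pfSense by default recreates this rule WITHOUT the
# gateway, i.e. traffic falls back to PPPoE; enable "Skip rules when gateway is
# down" (System > Advanced > Miscellaneous) so the rule is omitted instead and
# the default deny applies.
pass in quick on $lan_if inet from $lan_net to any \
    route-to ( $vti_if $vti_peer ) keep state

# ===== Site A (owns the internet WAN that both sites now use) =====
wan_if    = "pppoe0"
vti_if    = "ipsec1000"
siteB_net = "192.168.2.0/24"

# Translate Site B's private sources to Site A's public address: the "NAT for
# the source addresses" step. Replies return to Site A, are un-NATed, and then
# need a static route to $siteB_net via the VTI peer 10.255.0.2 to get home.
nat on $wan_if inet from $siteB_net to any -> ($wan_if)

# Admit Site B's LAN on the VTI (Firewall > Rules > IPsec tab in the GUI). Keep
# it as narrow as the site needs; from here on Site A's outbound filtering and
# WAN logs cover Site B's internet traffic as well.
pass in quick on $vti_if inet from $siteB_net to any keep state
```

To confirm the policy route is actually loaded on Site B, `pfctl -sr | grep route-to` should show the LAN rule with `route-to (ipsec1000 10.255.0.1)`, and a host on the Site B LAN checking its public address should see Site A's PPPoE address. If it still sees Site B's address, the usual causes are a LAN rule above this one that matches first (pfSense rules are first-match), the automatic outbound NAT mapping still in place, or the VTI gateway being down and the rule having been recreated without it.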
leacho73:

Perfect, works a treat, thank you @Derelict
