DMZ to multi-WAN over VPN
Hi
I'm looking for some help with firewall configuration for my usecase.
The goal is to allow a private/secure network located at siteA (DMZ) to access remote siteB over redundant VPN (2x OpenVPN-based) connections:

SiteB-VPN-Server1 <-> WAN_ISP1 <-> SiteA-GW <-> LAN <-> PFSense <-> DMZ
SiteB-VPN-Server2 <-> WAN_ISP2 <----^

My original idea was to create a gateway for each VPN connection, add the GWs to a gateway group and add a firewall rule to route all traffic from the DMZ through the new GW group.
It works fine until reboot. After a reboot I have to reload the firewall rules once the VPN connections are established. As far as I can tell the problem with my approach is that the GW group is empty when pfSense starts, and the firewall rules are not reloaded when a new interface is added to the group.
When I reload the firewall while the VPNs are up and running, this is what I see in rules.debug:

GWRR_VPN = " route-to { ( ovpnc1 A.B.C.D ) ( ovpnc2 x.y.z.q ) } round-robin "
pass in on { vmx0 } $GWRR_VPN inet from $DMZ to ! $LAN_ALL tracker 1569033357 keep state label "USER_RULE"

If I reboot pfSense, GWRR_VPN is empty and remains empty until I reload the firewall,
so effectively the rule becomes

pass in on { vmx0 } inet from $DMZ to ! $LAN_ALL tracker 1569033357 keep state label "USER_RULE"

Any recommendations? What is the proper way to route traffic through a particular interface or interface group and block it otherwise (if the interface/gateway is down/unavailable)?
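The failure mode described above (an empty gateway-group macro turning a route-to rule into a plain pass via the default route) can be spotted from the generated ruleset itself. The following is an added check, not from the original post or from pfSense; the two rules.debug fragments are constructed from the lines quoted above, and the exact text pfSense emits for an empty group is an assumption (the parser treats a missing macro and an empty one the same way).

```shell
# Constructed rules.debug fragments (assumed format, based on the post):
# the healthy state, and the post-reboot state with an empty group macro.
RULES_OK='GWRR_VPN = " route-to { ( ovpnc1 A.B.C.D ) ( ovpnc2 x.y.z.q ) } round-robin "
pass in on { vmx0 } $GWRR_VPN inet from $DMZ to ! $LAN_ALL tracker 1569033357 keep state label "USER_RULE"'
RULES_EMPTY='GWRR_VPN = ""
pass in on { vmx0 } $GWRR_VPN inet from $DMZ to ! $LAN_ALL tracker 1569033357 keep state label "USER_RULE"'

# gw_members RULESET MACRO: print how many "( iface addr )" gateway entries
# MACRO carries, i.e. how many VPN paths the route-to can actually use.
# A missing macro and an empty string both yield 0.
gw_members() {
    printf '%s\n' "$1" \
      | sed -n "s/^$2 = \"\(.*\)\"[[:space:]]*$/\1/p" \
      | grep -o '([^)]*)' | wc -l | tr -d ' '
}

# leaking_rules RULESET MACRO: print every pass rule that references MACRO
# while MACRO has no members. Such a rule has silently lost its route-to and
# now passes DMZ traffic over the default route instead of failing closed.
leaking_rules() {
    if [ "$(gw_members "$1" "$2")" -eq 0 ]; then
        printf '%s\n' "$1" | grep "^pass .*\$$2 "
    fi
}

# check_ruleset RULESET MACRO: succeed when no leaking rule exists,
# fail otherwise, so it can drive an alert from cron after boot.
check_ruleset() {
    [ -z "$(leaking_rules "$1" "$2")" ]
}
```

On a pfSense box the live ruleset is /tmp/rules.debug, so `check_ruleset "$(cat /tmp/rules.debug)" GWRR_VPN` performs the same test against the real file.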