I have an odd issue that I can't seem to figure out. Right now I have two pfSense boxes connected via an IPsec tunnel:

The LAN interface on "gw1" is 10.12.1.254.
The LAN interface on "gw2" is 10.12.9.254.
Both boxes have WAN interfaces connected directly to the Internet, and are performing NAT for their respective LANs.

My phase 1 and 2 entries seem correct. Rules on both boxes have been set to allow all traffic to/from the tunnel. A machine within 10.12.1.0/24 can ping a machine within 10.12.9.0/24, and vice versa. This is all normal.

The trouble has to do with traffic from other subnets. I have a Nortel switch (ERS5500) at the same site where "gw1" is located. Some of the ports - such as the one which "gw1" is connected to - are assigned to VLAN 10. There are also a few other VLANs, such as VLAN 20, which is 10.12.2.0/24.

The Nortel acts as a router among the VLANs and their subnets. Any traffic not bound for one of these subnets (typically Internet-bound traffic) is sent to "gw1". This also seems to work fine.

Now that you know the layout, here's the problem. Packets going from 10.12.1.x to 10.12.9.x are routed correctly: source machine, "gw1", "gw2", destination machine. But packets going from other subnets to 10.12.9.x are routed to the Internet: source machine, Nortel, "gw1", and onward to our ISP's router. Oops?

I'm wondering why pfSense is sending these packets out to the Internet, rather than through the IPsec tunnel - and what I can do to fix it. Any ideas?