Problems routing traffic while connected to IKEv2 VPN server behind pfSense



Greetings,

I think this is the most appropriate place for my question, but if anyone thinks this would be better posted elsewhere, please let me know.

End state: I am trying to set up my network to allow an 'always on' VPN connection for iPhones and iPads as well as an 'as desired' connection for others. Additionally, I would like to categorize the connections using separate certificates and subsequently via subnets so that 'Adults' are on one virtual IP subnet (10.9.0.0/27), while 'Teens' and 'Children' use separate certificates and separate subnets (10.8.0.0/27 & 10.7.0.0/27, respectively). As I understand it, I can't use the IPsec VPN module integrated into the pfSense router because it won't allow more than one mobile client setup. My proposed setup is to have different certificates used to authenticate and then, once connected to the VPN server, to use the different subnets issued for restricting traffic and scheduling rules in order to facilitate parental controls. (see diagram)

I have my pfSense router set up to allow incoming connections (NAT port forwarding 4500 & 500) to my strongSwan VPN server, which is set up behind the firewall and uses IKEv2 authentication. On pfSense, I set up a gateway to IP 10.0.1.16 and a static route from network 10.9.0.0/27 to use the '10.0.1.16-gateway.' And I have added a rule on the LAN to allow all traffic from 10.9.0.0/27 to any. (see pictures) I can connect to my VPN from inside my home network as well as outside via cellular or wifi; however, the traffic is not routing to the local network or to the internet.

If pfSense alone will allow me to achieve my end state, please correct me, as I would much prefer a single-box solution. However, I could not find any way to get that to work, so I resorted to using a strongSwan server on my Synology NAS. This is working very well with regard to allowing multiple connections with separate certificate authentication. Oddly enough, with my original TP-Link router, I was able to get most of the desired results using a couple of functions built into the router called "Multi-Nets NAT" and of course some static routing rules. However, the TP-Link router is not nearly as robust as the pfSense router with regard to logging, traffic shaping, scheduling rules, etc.

I have read in some posts that my problem has something to do with asymmetric routing, and that the "best" solution might be to place the VPN server on a separate subnet from my local network. Is there no solution like on the TP-Link? (an unfair question, I know, considering I don't really understand why it worked or why pfSense isn't. haha) I do have a switch capable of defining VLANs and can isolate the one NIC (currently assigned IP 10.0.1.16) on my NAS that is primary for my VPN connection. However, I don't quite understand how the routing should look. If I were able to place the interface on a VLAN, how do I configure pfSense to assign an address of 10.2.0.1, and how would I set up pfSense to route/NAT traffic correctly? Thank you for your time and I appreciate any assistance.

**Edited: changed photo embed links in hopes they would show**
![Network Diagram.png](/public/imported_attachments/1/Network Diagram.png)
![NAT port forwarding.png](/public/imported_attachments/1/NAT port forwarding.png)
![LAN rules.png](/public/imported_attachments/1/LAN rules.png)
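As an added example (not the poster's configuration and not from the strongSwan project), the design described above, one client CA per group and one virtual IP pool per group, maps onto a strongSwan `swanctl.conf` like the one below: three IKEv2 connections share the same server address and server certificate, each accepts only client certificates that chain to its own group CA, and each hands out addresses from that group's /27. The pool ranges and the server address 10.0.1.16 come from the post; the certificate file names, the server identity `vpn.example.com`, and the DNS server address are assumptions.

```conf
# Added example, not the poster's config. Assumed: server certificate
# vpnServerCert.pem (SAN vpn.example.com) in /etc/swanctl/x509/, its
# private key in /etc/swanctl/private/, and one client CA per group
# (adultsCA.pem, teensCA.pem, childrenCA.pem) in /etc/swanctl/x509ca/.
# Pool ranges 10.9.0.0/27, 10.8.0.0/27, 10.7.0.0/27 are from the post.
connections {
    adults {
        version = 2
        local_addrs = 10.0.1.16
        remote_addrs = %any
        local {
            auth = pubkey
            certs = vpnServerCert.pem
            id = vpn.example.com
        }
        remote {
            auth = pubkey
            # Only client certificates issued by this CA match this
            # connection, so the CA a device holds selects its pool.
            cacerts = adultsCA.pem
            id = %any
        }
        children {
            adults-net {
                # Full tunnel: client sends all traffic through the VPN
                local_ts = 0.0.0.0/0
            }
        }
        pools = adults
    }
    teens {
        version = 2
        local_addrs = 10.0.1.16
        remote_addrs = %any
        local {
            auth = pubkey
            certs = vpnServerCert.pem
            id = vpn.example.com
        }
        remote {
            auth = pubkey
            cacerts = teensCA.pem
            id = %any
        }
        children {
            teens-net {
                local_ts = 0.0.0.0/0
            }
        }
        pools = teens
    }
    children {
        version = 2
        local_addrs = 10.0.1.16
        remote_addrs = %any
        local {
            auth = pubkey
            certs = vpnServerCert.pem
            id = vpn.example.com
        }
        remote {
            auth = pubkey
            cacerts = childrenCA.pem
            id = %any
        }
        children {
            children-net {
                local_ts = 0.0.0.0/0
            }
        }
        pools = children
    }
}

pools {
    # One virtual IP pool per group; dns is assumed to be the pfSense LAN address
    adults {
        addrs = 10.9.0.0/27
        dns = 10.0.1.1
    }
    teens {
        addrs = 10.8.0.0/27
        dns = 10.0.1.1
    }
    children {
        addrs = 10.7.0.0/27
        dns = 10.0.1.1
    }
}
```

Load it with `swanctl --load-all`. For the per-subnet rules on pfSense to see the pool addresses, the NAS must forward the decrypted packets without NATing them (`net.ipv4.ip_forward = 1`, and its own firewall must permit forwarded traffic from the three pools), and pfSense needs a static route for each of the three /27s to the 10.0.1.16 gateway, not only the 10.9.0.0/27 route described in the post. The asymmetric path the post mentions comes from the VPN server sitting on the same subnet as the LAN hosts: a client-to-LAN packet goes straight from the NAS to the host, while the host's reply goes to its default gateway (pfSense) and only then back to the NAS, so pfSense's stateful filter sees one direction of the flow.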

