    0.0.0.0/0 tunnel breaks load balancer

    IPsec

      JSargeSter

      Ladies and gents,

      I am using an IPsec tunnel to forward web traffic to a remote server on one of my local VLANs. That isn't my issue, because it works flawlessly. However, I also have a dual WAN setup, and load balance between them. It seems that none of my LAN rules are responding to the gateways I set regardless of what I do. I've boiled it down to the Local/Remote 0.0.0.0/0 net set in the IPsec tunnel to forward the traffic on the. I can choose between either WAN for the IPsec tunnel and it will use it. Also, if I specifically change the default gateway, my local traffic will then re-route to that said gateway.

      Is there a specific static route or something I can do to regain functionality of both of my WANs?

      IPsec settings:

      Near side
      Local subnet - VLANx NET
      Remote subnet - 0.0.0.0/0

      Far side
      Local subnet - 0.0.0.0/0
      Remote subnet - (my VLANx net)
      *NAT RULE for VLANx net to translate to the wan interface

      Anyhow, I'm pretty sure any type of 0.0.0.0/0 route is going to throw things bonkers as far as load balancing and failover goes. My question is, what can I do to achieve both of these things at the same time?

        jimp (Rebel Alliance Developer, Netgate)

        IPsec does not route. It does not respect the routing table; the kernel grabs any traffic matching the Phase 2 definitions and pushes it into IPsec.

        There is no way to route around or bypass that behavior when you are using 0.0.0.0/0 as a remote network in IPsec, since that means "put everything into IPsec no matter what".

        It's just doing what it's been told to do.

        So somehow you'd have to either move the IPsec off to another box on a different interface, so this box can make proper routing decisions, or you'll have to change the P2s so they don't match so broadly, at least on the local side.

        Or use OpenVPN instead of IPsec where all of this works without much extra effort.

          JSargeSter
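The evaluation order jimp describes (IPsec traffic selectors are consulted first, and the routing table or a firewall rule's gateway only sees what is left) is easy to see in a small simulation. The following Python model is an added example, not code from this thread or from pfSense itself. The networks 10.20.0.0/24 (standing in for VLANx), 203.0.113.0/24 (a narrowed remote network) and the gateway names WAN1_GW/WAN2_GW are constructed placeholders, and a simple round-robin stands in for a load-balancing gateway group.

```python
"""Why a 0.0.0.0/0 IPsec Phase 2 overrides policy routing (simulation).

Added example, not from the forum thread or from pfSense. It models the
order in which a kernel decides where a packet goes: the IPsec Security
Policy Database (the Phase 2 traffic selectors) is checked before the
routing table or any firewall-rule gateway, so a packet that matches a
selector is encapsulated no matter which WAN a LAN rule names.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import cycle
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry: local and remote traffic selectors."""
    local: IPv4Network
    remote: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


@dataclass
class Router:
    """Forwarding model: SPD lookup first, gateway group second."""
    phase2: List[Phase2]
    wan_gateways: List[str]
    _rr: Iterator[str] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        # Round-robin approximates a pfSense gateway group used for load balancing.
        self._rr = cycle(self.wan_gateways)

    def forward(self, src: str, dst: str) -> str:
        s, d = ip_address(src), ip_address(dst)
        # Step 1: IPsec policy check. A matching selector wins unconditionally;
        # the routing table and the policy-routing gateway are never consulted.
        for p2 in self.phase2:
            if p2.matches(s, d):
                return f"ipsec({p2.remote})"
        # Step 2: only traffic that matched no selector reaches the gateway group.
        return next(self._rr)


def egress_summary(router: Router, flows: List[Tuple[str, str]]) -> List[str]:
    """Return the egress decision for each (src, dst) flow, in order."""
    return [router.forward(src, dst) for src, dst in flows]


VLANX = ip_network("10.20.0.0/24")             # constructed: the poster's "VLANx NET"
REMOTE_NET = ip_network("203.0.113.0/24")      # constructed: a specific remote network

# Constructed sample flows from VLANx hosts: one to REMOTE_NET, three elsewhere.
FLOWS = [
    ("10.20.0.10", "203.0.113.5"),
    ("10.20.0.10", "198.51.100.1"),
    ("10.20.0.11", "192.0.2.7"),
    ("10.20.0.12", "198.51.100.9"),
]


def broad_p2() -> List[str]:
    """Remote selector 0.0.0.0/0, as in the post: everything from VLANx enters IPsec."""
    r = Router([Phase2(VLANX, ip_network("0.0.0.0/0"))], ["WAN1_GW", "WAN2_GW"])
    return egress_summary(r, FLOWS)


def narrow_p2() -> List[str]:
    """Remote selector limited to REMOTE_NET: the other flows reach the gateway group."""
    r = Router([Phase2(VLANX, REMOTE_NET)], ["WAN1_GW", "WAN2_GW"])
    return egress_summary(r, FLOWS)


if __name__ == "__main__":
    print("broad :", broad_p2())
    print("narrow:", narrow_p2())
```

With the broad selector every flow from VLANx is returned as IPsec, which is the symptom in the first post: the LAN rules' gateway choice is never reached. Narrowing the Phase 2 is the direction jimp suggests; where the use case genuinely needs every remote address to traverse the tunnel, a route-based VPN such as OpenVPN lets the routing table and gateway groups make the decision instead.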

          Yeah, OpenVPN did the trick for me.

          Thanks for the reply.
