Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Local traffic on a VLAN with a remote gateway

    Scheduled Pinned Locked Moved IPsec
    25 Posts 3 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      FauxShow
      last edited by

      So I should submit a bug then, right? More of a new feature I guess.

      We are able to do this with Cisco ASAs btw. It's not like I'm just making up networking concepts.

      brb; gotta reboot my pfsense

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Not a bug.

        When we get routed IPsec in 2.5-ish it might be possible.

        Use an ASA then I guess. FreeBSD IPsec traffic selectors work how they work at this time.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          @derelict not getting why this should be an issue.. There are direct routes in play for the local networks - why would it force it down the tunnel..  Should only go do the default route tunnel if there is no more direct route.

          @fauxshow - why not just do with openvpn vs ipsec?  Then you do a simple policy base routing.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Because the traffic selectors are hit before the routing table. They have no concept of states or anything like reply-to.

            He has a selector source PROXY net dest any (0.0.0.0/0).

            Reply traffic matches that so that's where it goes.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              Ah.. Yeah that is a problem…

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.