Define exceptions to Phase 2 tunnel policy?

Running 2.3.4-RELEASE (amd64) on a Netgate SG-8860.

Currently have a scenario like this:

Subnet A (/27): Jump box
Subnet B (/27): Hosts

Both subnets are directly connected to the firewall.

Firewall has a Phase 2 config that tunnels everything from (Local) Subnet B to (Remote); the idea is for anything Internet-bound on Subnet B to route thru the tunnel, where Internet service is actually provided by an endpoint on the other side of that tunnel.

However, with the Remote set to, the firewall is also trying to tunnel reply packets back to traffic originating from the Jump Box in Subnet A.

If I could somehow "blacklist" Subnet A from the tunnel policy so that it's not tunneled, but everything else is, that would be ideal! And I think it would solve the problem. But I don't think I see a way to do this with existing configuration options. Is there a way to do that, or some other way of working around this problem? It seems to tunnel the traffic regardless of whether or not a state table entry exists that did not come from the tunnel.

Since the Remote side of Phase 2 is being used for all Internet traffic, it's not feasible to define individual networks here, unless I define a ton of P2 entries that skirt around Subnet A. Also, I had to split Subnet A into 4 networks for the Local side (2 /30s, a /29, and a /28) and just put the latter 3 into the Local side of P2, in order to keep CARP from failing due to the machines being unable to talk to each other within that subnet, as this is an HA configuration. With this being the case, that would even further compound the number of P2 entries I'd need to have if I tried to define all unicast address space in the Remote side.
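To put a number on the "ton of P2 entries" workaround the post describes, here is an added Python example (not from the original post, and not pfSense code) that computes the minimal CIDR list covering a catch-all Remote with one or more subnets carved out, then multiplies by the number of Local entries. It assumes the Remote is 0.0.0.0/0 (implied by "all Internet traffic" but not stated) and uses 192.0.2.0/27 as a constructed placeholder for Subnet A, since the post gives no addresses; it also handles several excluded subnets, which goes beyond the single Subnet A in the post.

```python
import ipaddress

# Constructed placeholder for Subnet A; the post does not give its address.
SUBNET_A = "192.0.2.0/27"
# The post splits Subnet A's Local side into 3 P2 entries (a /29 and a /28 plus one /30).
LOCAL_P2_ENTRIES = 3


def remote_networks_excluding(excluded, remote="0.0.0.0/0"):
    """Return the shortest CIDR list that covers `remote` with every network
    in `excluded` carved out: the Remote entries needed instead of one catch-all."""
    remaining = [ipaddress.ip_network(remote)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                                # wholly inside the hole: drop
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))    # split around the hole
            else:
                kept.append(net)                        # disjoint: keep as-is
        remaining = kept
    return sorted(remaining)


def covers(networks, address):
    """True if `address` falls inside any network in the list."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)


def phase2_entry_count(local_entries, remote_networks):
    """pfSense needs one Phase 2 entry per (Local, Remote) network pair."""
    return local_entries * len(remote_networks)


if __name__ == "__main__":
    remotes = remote_networks_excluding([SUBNET_A])
    for net in remotes:
        print(net)
    print(f"{len(remotes)} Remote networks x {LOCAL_P2_ENTRIES} Local entries = "
          f"{phase2_entry_count(LOCAL_P2_ENTRIES, remotes)} Phase 2 entries")
```

Excluding a single /27 from 0.0.0.0/0 already takes 27 Remote networks, one per prefix length from /1 to /27.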


