Netgate Discussion Forum

    Site-to-site wan traffic through site B BUT with exceptions

    IPsec
    6 Posts 3 Posters 1.0k Views
    hege

      Hi,

      I want to route all my internet traffic through site B, but I have to make some exceptions.

      To do this I made a simple S2S Setup - LAN<->0.0.0.0/0 with Traffic Rules to allow the traffic.

      At this point I'm able to connect to internet sites with my public IP on site B, but now I need to make an exception for IP 10.20.30.40/32.

      I thought I could do this by simply adding a firewall rule on site A and specifying the gateway, but this doesn't work - the whole traffic from site A (LAN 2 WAN) gets to site B.

      Setup:

      WAN - A                         WAN - B
         |                               |
         |          S2S ipsec            |
      FW - Site A  ----------  FW - Site B
         |                               |
      LAN (10.20.30.0/24)      LAN (10.20.31.0/24)

      I also tried to use the usual P2 setting LAN-A <-> LAN-B but add an additional gateway (with property - allow outside interface range on) but this also does not work.

      All help is gratefully accepted.

      jimp Rebel Alliance Developer Netgate

        You can't make exceptions for IPsec like that. It isn't routed, it uses security policies defined in the kernel. You can't bypass these completely with policy routing because the kernel won't allow the traffic to take a path that doesn't match the security policy.

        If you use OpenVPN it would work exactly like you want.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        hege

          Hi jimp,

          thanks for your answer, so if I'm understanding you correctly, this also means that I cannot use an additional gateway on the site B side? (the "Use non-local gateway" option)

          Unfortunately OpenVPN is not an option because of the missing support on site B.

          jimp Rebel Alliance Developer Netgate

            Gateways and routing mean nothing to IPsec. Traffic either matches the P2 definition or it doesn't.

            johnpoz LAYER 8 Global Moderator

              OpenVPN is not an option because of the missing support on site B

              Why not just update site B then - say put in a pfSense box. Problem solved.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              hege

                I think I solved it by myself.

                My solution:

                IPsec transport mode between site A and site B
                GRE tunnel over the IPsec-secured connection
                Custom gateway with custom static routes.

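The following is an added illustration, not code from the thread, pfSense or Netgate. It models in Python the two designs discussed above: jimp's point that a tunnel-mode P2 (LAN-A <-> 0.0.0.0/0) is selected by the kernel's security policy before any firewall-rule gateway is consulted, and hege's final design, where IPsec in transport mode protects only the WAN-A <-> WAN-B carrier packets, a GRE tunnel rides on top, and ordinary static routes (including a /32 exception) decide where LAN traffic goes. All addresses except LAN A are constructed documentation-range placeholders; the "gre0" and "wan_a" next-hop names and the /32-route model of a policy-routing rule are assumptions of this model.

```python
import ipaddress

# Constructed topology. LAN A comes from the thread; the WAN endpoints, the
# "internet host" and the exception destination are documentation-range
# placeholders standing in for the poster's real addresses.
LAN_A = ipaddress.ip_network("10.20.30.0/24")
WAN_A = ipaddress.ip_address("192.0.2.1")
WAN_B = ipaddress.ip_address("203.0.113.1")
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNET_HOST = ipaddress.ip_address("198.51.100.200")  # should go out via site B
EXCEPTION_DST = ipaddress.ip_address("198.51.100.7")    # must leave via WAN A directly


def spd_match(spd, src, dst):
    """First matching IPsec security policy (local_net, remote_net), or None."""
    for local_net, remote_net in spd:
        if src in local_net and dst in remote_net:
            return (local_net, remote_net)
    return None


def route_lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) entries; None if unroutable."""
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def policy_based_egress(spd, routes, src, dst):
    """Tunnel-mode P2 (LAN-A <-> 0.0.0.0/0). The kernel matches the SPD before
    any route or policy-routing gateway is considered, so a matching packet is
    encapsulated regardless of which gateway the firewall rule names."""
    if spd_match(spd, src, dst) is not None:
        return "ipsec-tunnel-to-B"
    return route_lookup(routes, dst)


def route_based_egress(spd, routes, src, dst):
    """Transport-mode IPsec + GRE. The SPD covers only WAN_A <-> WAN_B, so a LAN
    packet never matches it; the routing table (with per-host exceptions)
    decides, and only the GRE carrier packet is protected by IPsec."""
    next_hop = route_lookup(routes, dst)
    if next_hop == "gre0":
        # The carrier packet is WAN_A -> WAN_B, which is what transport mode covers.
        if spd_match(spd, WAN_A, WAN_B) is None:
            raise RuntimeError("GRE carrier would leave unencrypted")
        return "gre-over-ipsec-to-B"
    return next_hop


def policy_based_scenario():
    """The poster's first attempt: P2 LAN-A <-> 0.0.0.0/0 plus a firewall rule
    that sends the exception host to the WAN-A gateway (modelled as a /32 route)."""
    spd = [(LAN_A, ANY)]
    routes = [(ANY, "wan_a"), (ipaddress.ip_network(f"{EXCEPTION_DST}/32"), "wan_a")]
    client = ipaddress.ip_address("10.20.30.50")  # constructed LAN-A client
    return (policy_based_egress(spd, routes, client, INTERNET_HOST),
            policy_based_egress(spd, routes, client, EXCEPTION_DST))


def route_based_scenario():
    """The poster's final design: transport-mode SA between the two WAN
    addresses, a GRE tunnel over it, default route into gre0, /32 exception."""
    spd = [(ipaddress.ip_network(f"{WAN_A}/32"), ipaddress.ip_network(f"{WAN_B}/32"))]
    routes = [(ANY, "gre0"), (ipaddress.ip_network(f"{EXCEPTION_DST}/32"), "wan_a")]
    client = ipaddress.ip_address("10.20.30.50")  # constructed LAN-A client
    return (route_based_egress(spd, routes, client, INTERNET_HOST),
            route_based_egress(spd, routes, client, EXCEPTION_DST))


if __name__ == "__main__":
    print("policy-based:", policy_based_scenario())  # both go through site B
    print("route-based: ", route_based_scenario())   # exception leaves via WAN A
```

Running it shows the exception host still being tunnelled in the policy-based case, exactly the symptom described in the first post, while in the route-based case the /32 route wins and only the default route is sent into the GRE tunnel. A practical check on a real deployment is the same: if the traffic selector of a phase 2 covers a destination, no gateway setting on a firewall rule will pull that destination out of it.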
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.