Site-to-site wan traffic through site B BUT with exceptions

  • Hi,

    I want to route all my internet traffic through site B, but I have to make some exceptions.

    To do this I made a simple S2S Setup - LAN<-> with Traffic Rules to allow the traffic.

    At this point I'm able to connect to internet sites with my public IP on site B, but now I need to make an exception for IP

    I though I can do this by simple add a firewall rule on site A and specify the gateway, but this doesn't work - the whole traffic from site A (LAN 2 WAN) get to site B.


    WAN - A                                    WAN - B
          |                                              |
          |                    S2S ipsec            |
        FW - Site A        –------      FW - Site B
          |                                              |
        LAN (                  LAN (

    I also tried to use the usual P2 setting LAN-A <-> LAN-B but add an additional gateway (with property - allow outside interface range on) but this also does not work.

    All help is gratefully accepted.

  • Rebel Alliance Developer Netgate

    You can't make exceptions for IPsec like that. It isn't routed, it uses security policies defined in the kernel. You can't bypass these completely with policy routing because the kernel won't allow the traffic to take a path that doesn't match the security policy.

    If you use OpenVPN it would work exactly like you want.

  • Hi jimp,

    thanks for your answer, so if I'm understanding you correctly, this does also mean that I cannot use a additional gateway sided on site B? (the "Use non-local gateway" option)

    Unfortunately OpenVPN is not a Option because of the missing support on site-B

  • Rebel Alliance Developer Netgate

    Gateways and routing mean nothing to IPsec. Traffic either matches the P2 definition or it doesn't.

  • LAYER 8 Global Moderator

    OpenVPN is not a Option because of the missing support on site-B

    Why not just update site B then - say put in a pfsense box.. Problem solved.

  • I think I solved it by myself.

    My solution:

    IPsec Transport mode between Site A and Site B
    GRE Tunnel over the ipsec secured connection
    Custom Gateway with custom static routes.

Log in to reply