Static route to overlapping IPSEC subnet



  • Hello,

    I have a working instance of pfSense 2.4.2 with the following setup:

    • LAN is on 10.1.1.0/24 (pfsense is 10.1.1.244)
    • I have an IPSEC tunnel through WAN with remote subnet 192.168.0.0/16 which works fine
    • The LAN network has another router on 10.1.1.254

    I need to access a network through this second router. This network is 192.168.1.0/24 (overlapping with IPSec remote subnet).

    On a server in the LAN network (with default gateway set to pfsense (10.1.1.244)), if I add a route to 192.168.1.0/24 via 10.1.1.254 (other router), it works fine.

    But when I add this static route in pfSense, I can't access this subnetwork. It seems, looking in Diagnostic/States, that it sends packets through the IPSec interface instead of LAN.

    I also tried to specify a gateway in firewall rules for this subnet without success.

    Is there any way to achieve this setup?

    Thank you very much for your help.

    Regards,

    Fred


  • Netgate

    It might work if you use policy-based routing for the 192.168.1.0/24 destination on the LAN interface, bypassing IPsec.

    It's a big might.

    It sounds like you tried that though. You might want to post what you've tried because, at a minimum, that should at least send the traffic out the correct gateway instead of IPsec.

    That's why it is not recommended you configure large swaths of space like 192.168.0.0/16 anywhere. Running into conflicts with other sites is pretty much inevitable when you do that.
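Added example, not part of the thread: a small audit that flags when a destination reached through the LAN (here 192.168.1.0/24 behind 10.1.1.254) falls inside an IPsec phase 2 remote subnet (192.168.0.0/16), and computes the narrower prefixes that would cover the remote site without the overlap. Narrowing the phase 2 is an assumed alternative to the policy-based routing suggested above, and it requires the same change on both tunnel ends.

```python
"""Check local destinations against IPsec phase 2 remote subnets for overlap,
and propose narrower phase 2 selectors that carve a local network out.
Values below are constructed from the thread (pfSense 2.4.2 setup)."""
import ipaddress


def find_overlaps(ipsec_remote_subnets, local_destinations):
    """Return a list of (ipsec_subnet, destination, relation) tuples.

    relation is "covered" when the local destination lies entirely inside the
    IPsec selector, the situation in the thread where states showed traffic
    entering IPsec instead of the LAN, and "partial" for any other overlap.
    An empty list means the tunnel selectors and local routes do not collide.
    """
    hits = []
    for p2 in ipsec_remote_subnets:
        p2_net = ipaddress.ip_network(p2, strict=False)
        for dest in local_destinations:
            dest_net = ipaddress.ip_network(dest, strict=False)
            if not p2_net.overlaps(dest_net):
                continue
            relation = "covered" if dest_net.subnet_of(p2_net) else "partial"
            hits.append((str(p2_net), str(dest_net), relation))
    return hits


def carve_out(ipsec_subnet, local_destination):
    """Split an IPsec remote subnet into the minimal set of prefixes that
    cover it except for local_destination. Each prefix is a candidate phase 2
    entry that no longer overlaps the local network. Returns None when the
    destination is not fully inside the IPsec subnet (nothing to carve out).
    """
    p2_net = ipaddress.ip_network(ipsec_subnet, strict=False)
    dest_net = ipaddress.ip_network(local_destination, strict=False)
    if not dest_net.subnet_of(p2_net):
        return None
    return [str(n) for n in sorted(p2_net.address_exclude(dest_net))]


if __name__ == "__main__":
    # Constructed from the thread: one phase 2 remote subnet, and the networks
    # the pfSense box must reach without the tunnel (LAN and the far router's net).
    P2_REMOTE = ["192.168.0.0/16"]
    LOCAL = ["10.1.1.0/24", "192.168.1.0/24"]
    for p2, dest, rel in find_overlaps(P2_REMOTE, LOCAL):
        print(f"{dest} overlaps IPsec remote subnet {p2} ({rel})")
        for prefix in carve_out(p2, dest) or []:
            print("  candidate narrower phase 2 remote subnet:", prefix)
```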