Netgate Discussion Forum
Static route to overlapping IPSEC subnet

Routing and Multi WAN
2 Posts 2 Posters 747 Views

Fred9176
last edited by Dec 21, 2017, 3:53 PM

    Hello,

    I have a working instance of pfSense 2.4.2 with the following setup:

    • LAN is on 10.1.1.0/24 (pfSense is 10.1.1.244)
    • I have an IPsec tunnel through WAN with remote subnet 192.168.0.0/16 which works fine
    • The LAN network has another router on 10.1.1.254

    I need to access a network through this second router. This network is 192.168.1.0/24 (overlapping with IPSec remote subnet).

    On a server in the LAN network (with default gateway set to pfsense (10.1.1.244)), if I add a route to 192.168.1.0/24 via 10.1.1.254 (other router), it works fine.

    But when I add this static route in pfSense, I can't access this subnetwork. It seems, looking in Diagnostics/States, that it sends packets through the IPsec interface instead of LAN.

    I also tried to specify a gateway in firewall rules for this subnet without success.

    Is there any way to achieve this setup?

    Thank you very much for your help.

    Regards,

    Fred


Derelict (LAYER 8, Netgate)
last edited by Dec 21, 2017, 6:00 PM

      It might work if you use policy-based routing for the 192.168.1.0/24 destination on the LAN interface, bypassing IPsec.

      It's a big might.

      It sounds like you tried that though. You might want to post what you've tried because, at a minimum, that should at least send the traffic out the correct gateway instead of IPsec.

      That's why it is not recommended you configure large swaths of space like 192.168.0.0/16 anywhere. Running into conflicts with other sites is pretty much inevitable when you do that.

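As an added illustration (not code from the thread or from pfSense), the snippet below models the behaviour Fred observed: for a policy-based IPsec tunnel the SPD is consulted for every outbound packet, so a destination inside the phase 2 remote subnet is encapsulated even when a more specific static route points at the second router. It also includes a config check that flags static routes overlapping any phase 2 remote subnet; the WAN gateway 203.0.113.1 is a constructed value.

```python
import ipaddress

# Constructed routing table matching the thread: LAN 10.1.1.0/24, the
# poster's static route via the second router, and a made-up WAN default.
ROUTES = [
    ("10.1.1.0/24", "LAN", None),               # directly connected
    ("192.168.1.0/24", "LAN", "10.1.1.254"),    # static route added in pfSense
    ("0.0.0.0/0", "WAN", "203.0.113.1"),        # constructed WAN gateway
]
IPSEC_P2_REMOTE = ["192.168.0.0/16"]            # phase 2 remote subnet


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match over the routing table -> (interface, gateway)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return (best[1], best[2]) if best else None


def forwarding_decision(dst, routes=ROUTES, p2=IPSEC_P2_REMOTE):
    """Model of policy-based IPsec: the SPD wins over the routing table.

    Any destination inside a phase 2 remote subnet is handed to IPsec,
    regardless of a more specific route; everything else is routed normally.
    """
    ip = ipaddress.ip_address(dst)
    for prefix in p2:
        if ip in ipaddress.ip_network(prefix):
            return ("ipsec", prefix)
    return route_lookup(dst, routes)


def overlapping_routes(routes=ROUTES, p2=IPSEC_P2_REMOTE):
    """Config check: static routes whose destination overlaps a phase 2 subnet.

    Returns (route_prefix, p2_prefix) pairs; the default route is skipped
    because it overlaps everything by design.
    """
    conflicts = []
    for prefix, _iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if gw is None or net.prefixlen == 0:
            continue
        for p in p2:
            if net.overlaps(ipaddress.ip_network(p)):
                conflicts.append((prefix, p))
    return conflicts
```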