Mobile IPSec: let the user choose between 0.0.0.0/0 or only our internal net through VPN
Our mobile users sometimes need to use our VPN for privacy purposes (e.g. in hotels), where all traffic should go through our box.
At the same time, when they're at home or in the distributed offices, they only need some internal nets going through our VPN. Having a local subnet of 0.0.0.0/0 cuts them off from their multicast-DNS domains, e.g. for TimeMachine backups or the local AppleTV, so the local subnet should be limited to our internal networks. Bonus points if name resolution for our internal domains goes through the pfSense nameserver, and all other domains somewhere else.
I can configure our IKEv2 VPN for either 0.0.0.0/0 or our internal net, but so far I've been unable to implement both ways at the same time on the same external interface.
Is that even possible? If so, how?