pfsense routing help needed

  • We have two different datacenters. I have one pfSense firewall at location A (US) with local IP: & live IP: and another pfSense firewall at location B (UK) with local IP: live IP: Additionally, I have an IPsec tunnel between both pfSense firewalls.

    Now I want to shut down my servers except the pfSense at location A (US) and move the VMs from location A to location B. But I want to keep my in/out traffic via the location A (US) firewall only. How can I route the traffic of all the VMs from the location B pfSense to the location A pfSense, so that if any request comes to the location A pfSense it redirects the traffic to the VMs behind the location B pfSense, and likewise the outgoing traffic is redirected from the location B pfSense to the location A pfSense?

    Thanks in Advance
    Vishal Gajjar

  • Netgate Administrator

    What sort of bandwidth do you require? It may not be possible to do that via IPsec.

    Are you going to move the subnet to the UK side? Or put the US VMs in 20.0/24?


  • LAYER 8 Global Moderator

    Even if you have all the bandwidth in the world and the IPsec overhead is no big deal... the added latency is going to be HORRIBLE.

    What if, in the UK, you want a user to hit your US IP: the traffic goes all the way back over to the UK over your VPN, then back again to the US, and then back again to the UK.

    Seems like a HORRIBLE idea - unless you have some fix for the laws of physics and latency ;)

  • Are you trying to failover from one datacenter to the other? I.e., is everything "production" in one datacenter? Or are both datacenters "production"/"live"?

  • @stephenw10

    We will only be moving the VMs in 20.0/24, for one week, so we can restructure 100.0/24. That's the motive.

    We also want it to work so that in/out traffic goes via the US only.


  • So, let's say you rent another host in the same UK DC for a week, ask the DC to move the IP to that host, do the restructure and move back.
    Much less of a hassle, to say the least.

  • @msf2000
    No, we are not trying to fail over; we want to restructure our data center, so for a few days we want to move the VMs and route in/out traffic via the US.


  • Netgate Administrator

    Mmm, I would think there are better ways to do this. But if you want to do it like this you will need to set up an OpenVPN tunnel between the two sites to route traffic across; you can't route over IPsec for this. You will need the OpenVPN interfaces assigned, at least at the UK end, to get reply-to states on traffic coming across the tunnel. Then:
    Move the VMs to the subnet in the UK. That may well be non-trivial!
    Change your port forwards on the US firewall to point to the new internal IPs.
    Add policy routing rules on the UK firewall to route traffic from those VMs out via the US, if that is required for traffic initiated by the VMs.
    Add outbound NAT rules on the US side for the 20.0/24 subnet to allow that traffic out.
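The steps above, written out as the pf rules that pfSense generates from the corresponding GUI settings (Firewall > NAT > Port Forward, Firewall > Rules with a Gateway set, Firewall > NAT > Outbound). This is an added illustration, not configuration from the thread or from Netgate; every address is assumed: US WAN 198.51.100.10 on em0, UK LAN on em1, UK VM subnet 10.20.0.0/24 (the thread only gives it as 20.0/24), an OpenVPN site-to-site tunnel 10.8.0.0/30 with the US server at 10.8.0.1 (ovpns1) and the UK client at 10.8.0.2 (ovpnc1, assigned as an interface so it has a gateway), and one VM at 10.20.0.50 serving HTTPS. A policy-based IPsec tunnel in pfSense has no assignable interface or gateway, which is why reply-to/route-to, and hence this design, need OpenVPN.

```pf
# ---- US pfSense (the only public entry/exit point) --------------------------
# Assumed: em0 = US WAN 198.51.100.10, ovpns1 = OpenVPN server to the UK.
# Routing prerequisite: 10.20.0.0/24 must be reachable via ovpns1
# (OpenVPN "Remote Networks" or a static route), otherwise the rdr below
# forwards packets to an unreachable host.

# Port forward: public HTTPS now lands on the VM that moved to the UK.
rdr on em0 inet proto tcp from any to 198.51.100.10 port 443 -> 10.20.0.50 port 443
pass in quick on em0 inet proto tcp from any to 10.20.0.50 port 443 flags S/SA keep state

# Traffic initiated by the UK VMs arrives over the tunnel; let it through.
pass in quick on ovpns1 inet from 10.20.0.0/24 to any keep state

# Outbound NAT for the UK subnet. Automatic outbound NAT only covers networks
# attached to this box, so without this line 10.20.0.0/24 leaves em0 unNATed
# and the replies never come back. Use Hybrid/Manual outbound NAT in the GUI.
nat on em0 inet from 10.20.0.0/24 to any -> 198.51.100.10

# ---- UK pfSense (VMs live here, but must not use the UK WAN) ---------------
# Assumed: em1 = UK LAN 10.20.0.0/24, ovpnc1 = assigned OpenVPN client, US end 10.8.0.1.

# Forwarded connections enter via the tunnel. reply-to pins the state so the
# VM's replies go back out ovpnc1 to 10.8.0.1 instead of the UK default route,
# which would otherwise source the reply from the UK WAN and break the session.
pass in quick on ovpnc1 reply-to ( ovpnc1 10.8.0.1 ) inet from any to 10.20.0.0/24 keep state

# Policy routing for VM-initiated traffic. Keep local/tunnel destinations on
# the normal routing table (assumed: everything private lives in 10.0.0.0/8),
# and push everything else across the tunnel to the US gateway.
pass in quick on em1 inet from 10.20.0.0/24 to 10.0.0.0/8 keep state
pass in quick on em1 route-to ( ovpnc1 10.8.0.1 ) inet from 10.20.0.0/24 to ! 10.0.0.0/8 keep state
```

Two checks worth doing after applying this in the GUI: from a UK VM, `curl https://ifconfig.io` (or any what-is-my-IP service) should return 198.51.100.10, proving the outbound path and the US outbound NAT rule; and `pfctl -ss | grep 10.20.0.50` on both firewalls during an inbound test should show the state on ovpnc1/ovpns1, not on the UK WAN. Rule order matters: pfSense evaluates floating and interface rules first-match with `quick`, so the rule for local destinations must sit above the route-to rule or VM-to-VM and VM-to-tunnel traffic will also be hairpinned through the US.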

