Complex Routing Question

TheQuank · Dec 5, 2018, 4:56 PM

Howdy! I have a complex routing issue I'm hoping you all could help me configure. Here is the setup I need:

Office 1
VLAN 1
-IP Range 192.168.5.0/24
-IPSec VPN to VLAN 1 @ Office 2

VLAN 2
-IP Rage 10.50.0.0/24
-IPSec VPN to VLAN 1 @ Office 3

VLAN 1 & 2 and their respective IPSec VPN tunnels should be isolated and not route traffic between them.

Office 2
VLAN 1
-IP Range 192.168.2.0/24
-IPSec VPN to VLAN 1 @ Office 1

Office 3
VLAN 1
-IP Range 192.168.2.0/24
-IPSec VPN to VLAN 2 @ Office 1

Can this be done with a single pfSense firewall at Office 1? If so, how should I properly set it up? Much thanks for all the help!!!

marvosa · Dec 6, 2018, 3:10 AM

The short answer is yes. You would just create two tunnels @ office 1 (one for office 2, one for office 3). However, all of the subnets need to be unique across all sites, so you'll have to change the VLAN 1 subnet at either office 2 or office 3.

At office 1, you'd control inter-vlan access thru firewall rules.

As far as office 3 accessing VLAN 2 on office 1, from what I remember about IPsec tunnels, what's allowed thru the tunnel is explicit on both sides. So, it will only allow what you configure to be allowed. Worst case, you could configure a firewall rule as a failsafe, but there should be an implicit deny to everything that isn't configured to be allowed thru the tunnel.

mikee · Dec 9, 2018, 10:45 AM

Or, if you can't change the IP addressing of the offices, use binat translation on your tunnels.

stephenw10 · Dec 9, 2018, 11:55 PM

Interesting. It may not actually be a problem since although you have the same remote subnet at offices 2 and 3 the local subnet for each policy will be different at Office . Thus no policy conflict, traffic can only match one SPD.

However you could not have a tunnel between offices 2 and 3 nor reach those by going through office 1. Without NAT somewhere at least.

Steve

JKnott · Dec 10, 2018, 2:52 AM

@stephenw10 said in Complex Routing Question:

Interesting. It may not actually be a problem since although you have the same remote subnet at offices 2 and 3 the local subnet for each policy will be different at Office . Thus no policy conflict, traffic can only match one SPD.

However you could not have a tunnel between offices 2 and 3 nor reach those by going through office 1. Without NAT somewhere at least.

Given both Office 2 & 3 have the same subnet, how would Office 1 know which one to send traffic to? Put 2 & 3 on different subnets.

stephenw10 · Dec 10, 2018, 3:08 AM

Because in IPSec the tunnel is policy based (unless you use VTI) so the source and destination have to match. Here each subnet at office 1 goes to a different remote office so it can only ever match one policy.

I agree it would be better to have unique subnets everywhere.

Steve

TheQuank · Dec 10, 2018, 8:30 PM

Thanks for all the replies! I'm unable to change the subnets. Are there set of instructions I could follow to setup VTI or binat? I quick look of Google yields much discussion, but not much implementation. Thanks!!!

stephenw10 · Dec 10, 2018, 9:53 PM

You probably don't want VTI here. That would then be routed which would mean you'd need to NAT and you can't NAT on VTI.

Have you tried setting this up with normal policy based IPSec? What was the result?

If you need to NAT the traffic that is covered here:
https://www.netgate.com/docs/pfsense/book/ipsec/choosing-configuration-options.html#nat-binat-translation

Steve

TheQuank · Dec 11, 2018, 12:25 AM

Actually, surprisingly it seems to all be working with just the phase 2 networks set correctly.

stephenw10 · Dec 11, 2018, 3:33 AM

Nice. I expected that to work but I could also easily imagine something unexpected getting in the way.

Steve