Complex Routing Question



  • Howdy! I have a complex routing issue I'm hoping you all could help me configure. Here is the setup I need:

    Office 1
    VLAN 1
    -IP Range 192.168.5.0/24
    -IPSec VPN to VLAN 1 @ Office 2

    VLAN 2
    -IP Range 10.50.0.0/24
    -IPSec VPN to VLAN 1 @ Office 3

    VLAN 1 & 2 and their respective IPSec VPN tunnels should be isolated and not route traffic between them.

    Office 2
    VLAN 1
    -IP Range 192.168.2.0/24
    -IPSec VPN to VLAN 1 @ Office 1

    Office 3
    VLAN 1
    -IP Range 192.168.2.0/24
    -IPSec VPN to VLAN 2 @ Office 1

    Can this be done with a single pfSense firewall at Office 1? If so, how should I properly set it up? Much thanks for all the help!!!



  • The short answer is yes. You would just create two tunnels @ office 1 (one for office 2, one for office 3). However, all of the subnets need to be unique across all sites, so you'll have to change the VLAN 1 subnet at either office 2 or office 3.

    At office 1, you'd control inter-VLAN access through firewall rules.

    As far as office 3 accessing VLAN 2 on office 1, from what I remember about IPsec tunnels, what's allowed through the tunnel is explicit on both sides. So, it will only allow what you configure to be allowed. Worst case, you could configure a firewall rule as a failsafe, but there should be an implicit deny to everything that isn't configured to be allowed through the tunnel.



  • Or, if you can't change the IP addressing of the offices, use binat translation on your tunnels.


  • Netgate Administrator

    Interesting. It may not actually be a problem since although you have the same remote subnet at offices 2 and 3 the local subnet for each policy will be different at Office . Thus no policy conflict, traffic can only match one SPD.

    However you could not have a tunnel between offices 2 and 3 nor reach those by going through office 1. Without NAT somewhere at least.

    Steve



  • @stephenw10 said in Complex Routing Question:

    Interesting. It may not actually be a problem since although you have the same remote subnet at offices 2 and 3 the local subnet for each policy will be different at Office . Thus no policy conflict, traffic can only match one SPD.

    However you could not have a tunnel between offices 2 and 3 nor reach those by going through office 1. Without NAT somewhere at least.

    Given both Office 2 & 3 have the same subnet, how would Office 1 know which one to send traffic to? Put 2 & 3 on different subnets.


  • Netgate Administrator

    Because in IPSec the tunnel is policy based (unless you use VTI) so the source and destination have to match. Here each subnet at office 1 goes to a different remote office so it can only ever match one policy.

    I agree it would be better to have unique subnets everywhere.

    Steve
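
    The following is an added worked example, not code from this thread or from pfSense itself. It simulates Office 1's policy-based IPsec SPD as a list of (local, remote) selector pairs, to show the two points made above: with the subnets as posted, a packet can only ever match one policy (so the duplicate 192.168.2.0/24 at offices 2 and 3 is not a conflict by itself), but traffic between office 2 and office 3 can never match any policy at office 1. It then applies the BINAT idea from the earlier reply: the translated prefix 192.168.3.0/24 for Office 3 and the two transit policies are assumptions for illustration, not part of the original post.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the thread: Office 2 and Office 3 both use
# 192.168.2.0/24, which is what raised the question.
OFFICE1_VLAN1 = ip_network("192.168.5.0/24")
OFFICE1_VLAN2 = ip_network("10.50.0.0/24")
OFFICE2_LAN = ip_network("192.168.2.0/24")
OFFICE3_LAN = ip_network("192.168.2.0/24")

# Office 1's outbound SPD: one (local, remote) selector pair per phase 2.
SPD = [
    ("office2", OFFICE1_VLAN1, OFFICE2_LAN),
    ("office3", OFFICE1_VLAN2, OFFICE3_LAN),
]


def spd_lookup(src, dst, spd=SPD):
    """Return the first tunnel whose selectors match src->dst, or None.
    None means the packet enters no tunnel; it is handled by ordinary
    routing and the firewall rules instead."""
    s, d = ip_address(src), ip_address(dst)
    for name, local, remote in spd:
        if s in local and d in remote:
            return name
    return None


def conflicting_policies(spd):
    """Pairs of policies whose local AND remote selectors overlap.
    Traffic matching both would be ambiguous; that is the real
    problem duplicate subnets can cause."""
    pairs = []
    for i, (a_name, a_local, a_remote) in enumerate(spd):
        for b_name, b_local, b_remote in spd[i + 1:]:
            if a_local.overlaps(b_local) and a_remote.overlaps(b_remote):
                pairs.append((a_name, b_name))
    return pairs


def binat(addr, inside, outside):
    """1:1 network translation, like the NAT/BINAT field on a pfSense
    phase 2: keep the host bits, swap the network prefix. Addresses
    outside the 'inside' network pass through unchanged."""
    a = ip_address(addr)
    if a not in inside:
        return a
    host_bits = int(a) - int(inside.network_address)
    return ip_address(int(outside.network_address) + host_bits)


# What the thread warns about: if Office 3 were also reached from VLAN 1,
# two policies would share both selectors and be ambiguous.
SPD_AMBIGUOUS = SPD + [("office3-wrong", OFFICE1_VLAN1, OFFICE3_LAN)]

# Assumed translated prefix for Office 3 (not from the thread).
OFFICE3_BINAT = ip_network("192.168.3.0/24")

# With Office 3 presenting itself as 192.168.3.0/24, Office 1 can also
# carry Office 2 <-> Office 3 transit traffic without selector overlap.
# (Assumed transit policies; offices 2 and 3 would need matching ones.)
SPD_WITH_BINAT = [
    ("office2", OFFICE1_VLAN1, OFFICE2_LAN),
    ("office3", OFFICE1_VLAN2, OFFICE3_BINAT),
    ("office3-transit", OFFICE2_LAN, OFFICE3_BINAT),   # via office 3 tunnel
    ("office2-transit", OFFICE3_BINAT, OFFICE2_LAN),   # return, via office 2 tunnel
]

if __name__ == "__main__":
    print(spd_lookup("192.168.5.10", "192.168.2.20"))            # office2
    print(spd_lookup("10.50.0.10", "192.168.2.20"))              # office3
    print(spd_lookup("192.168.2.10", "192.168.2.20"))            # None: no transit
    print(conflicting_policies(SPD))                             # []
    print(conflicting_policies(SPD_AMBIGUOUS))                   # [('office2', 'office3-wrong')]
    print(binat("192.168.2.20", OFFICE3_LAN, OFFICE3_BINAT))     # 192.168.3.20
    print(spd_lookup("192.168.2.10", "192.168.3.20", SPD_WITH_BINAT))  # office3-transit
```

    The simulation ignores firewall rules entirely: on pfSense the SPD only decides which tunnel (if any) a packet is encapsulated into, and the rules on the IPsec and VLAN interfaces still decide whether it is permitted, which is how VLAN 1 and VLAN 2 stay isolated from each other at Office 1.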


