• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Complex Routing Question

Scheduled Pinned Locked Moved General pfSense Questions
10 Posts 5 Posters 1.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T
    TheQuank
    last edited by Dec 5, 2018, 4:56 PM

    Howdy! I have a complex routing issue I'm hoping you all could help me configure. Here is the setup I need:

    Office 1
    VLAN 1
    -IP Range 192.168.5.0/24
    -IPSec VPN to VLAN 1 @ Office 2

    VLAN 2
    -IP Rage 10.50.0.0/24
    -IPSec VPN to VLAN 1 @ Office 3

    VLAN 1 & 2 and their respective IPSec VPN tunnels should be isolated and not route traffic between them.

    Office 2
    VLAN 1
    -IP Range 192.168.2.0/24
    -IPSec VPN to VLAN 1 @ Office 1

    Office 3
    VLAN 1
    -IP Range 192.168.2.0/24
    -IPSec VPN to VLAN 2 @ Office 1

    Can this be done with a single pfSense firewall at Office 1? If so, how should I properly set it up? Much thanks for all the help!!!

    1 Reply Last reply Reply Quote 0
    • M
      marvosa
      last edited by marvosa Dec 6, 2018, 3:10 AM Dec 5, 2018, 9:06 PM

      The short answer is yes. You would just create two tunnels @ office 1 (one for office 2, one for office 3). However, all of the subnets need to be unique across all sites, so you'll have to change the VLAN 1 subnet at either office 2 or office 3.

      At office 1, you'd control inter-vlan access thru firewall rules.

      As far as office 3 accessing VLAN 2 on office 1, from what I remember about IPsec tunnels, what's allowed thru the tunnel is explicit on both sides. So, it will only allow what you configure to be allowed. Worst case, you could configure a firewall rule as a failsafe, but there should be an implicit deny to everything that isn't configured to be allowed thru the tunnel.

      1 Reply Last reply Reply Quote 0
      • M
        mikee
        last edited by Dec 9, 2018, 10:45 AM

        Or, if you can't change the IP addressing of the offices, use binat translation on your tunnels.

        1 Reply Last reply Reply Quote 0
        • S
          stephenw10 Netgate Administrator
          last edited by Dec 9, 2018, 11:55 PM

          Interesting. It may not actually be a problem since although you have the same remote subnet at offices 2 and 3 the local subnet for each policy will be different at Office . Thus no policy conflict, traffic can only match one SPD.

          However you could not have a tunnel between offices 2 and 3 nor reach those by going through office 1. Without NAT somewhere at least.

          Steve

          J 1 Reply Last reply Dec 10, 2018, 2:52 AM Reply Quote 0
          • J
            JKnott @stephenw10
            last edited by Dec 10, 2018, 2:52 AM

            @stephenw10 said in Complex Routing Question:

            Interesting. It may not actually be a problem since although you have the same remote subnet at offices 2 and 3 the local subnet for each policy will be different at Office . Thus no policy conflict, traffic can only match one SPD.

            However you could not have a tunnel between offices 2 and 3 nor reach those by going through office 1. Without NAT somewhere at least.

            Given both Office 2 & 3 have the same subnet, how would Office 1 know which one to send traffic to? Put 2 & 3 on different subnets.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 0
            • S
              stephenw10 Netgate Administrator
              last edited by Dec 10, 2018, 3:08 AM

              Because in IPSec the tunnel is policy based (unless you use VTI) so the source and destination have to match. Here each subnet at office 1 goes to a different remote office so it can only ever match one policy.

              I agree it would be better to have unique subnets everywhere.

              Steve

              1 Reply Last reply Reply Quote 0
              • T
                TheQuank
                last edited by Dec 10, 2018, 8:30 PM

                Thanks for all the replies! I'm unable to change the subnets. Are there set of instructions I could follow to setup VTI or binat? I quick look of Google yields much discussion, but not much implementation. Thanks!!!

                1 Reply Last reply Reply Quote 0
                • S
                  stephenw10 Netgate Administrator
                  last edited by Dec 10, 2018, 9:53 PM

                  You probably don't want VTI here. That would then be routed which would mean you'd need to NAT and you can't NAT on VTI.

                  Have you tried setting this up with normal policy based IPSec? What was the result?

                  If you need to NAT the traffic that is covered here:
                  https://www.netgate.com/docs/pfsense/book/ipsec/choosing-configuration-options.html#nat-binat-translation

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • T
                    TheQuank
                    last edited by Dec 11, 2018, 12:25 AM

                    Actually, surprisingly it seems to all be working with just the phase 2 networks set correctly.

                    1 Reply Last reply Reply Quote 0
                    • S
                      stephenw10 Netgate Administrator
                      last edited by Dec 11, 2018, 3:33 AM

                      Nice. I expected that to work but I could also easily imagine something unexpected getting in the way.

                      Steve

                      1 Reply Last reply Reply Quote 0
                      1 out of 10
                      • First post
                        1/10
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                        This community forum collects and processes your personal information.
                        consent.not_received