Complex Routing Question



  • Howdy! I have a complex routing issue I'm hoping you all could help me configure. Here is the setup I need:

    Office 1
    VLAN 1
    -IP Range 192.168.5.0/24
    -IPSec VPN to VLAN 1 @ Office 2

    VLAN 2
    -IP Rage 10.50.0.0/24
    -IPSec VPN to VLAN 1 @ Office 3

    VLAN 1 & 2 and their respective IPSec VPN tunnels should be isolated and not route traffic between them.

    Office 2
    VLAN 1
    -IP Range 192.168.2.0/24
    -IPSec VPN to VLAN 1 @ Office 1

    Office 3
    VLAN 1
    -IP Range 192.168.2.0/24
    -IPSec VPN to VLAN 2 @ Office 1

    Can this be done with a single pfSense firewall at Office 1? If so, how should I properly set it up? Much thanks for all the help!!!



  • The short answer is yes. You would just create two tunnels @ office 1 (one for office 2, one for office 3). However, all of the subnets need to be unique across all sites, so you'll have to change the VLAN 1 subnet at either office 2 or office 3.

    At office 1, you'd control inter-vlan access thru firewall rules.

    As far as office 3 accessing VLAN 2 on office 1, from what I remember about IPsec tunnels, what's allowed thru the tunnel is explicit on both sides. So, it will only allow what you configure to be allowed. Worst case, you could configure a firewall rule as a failsafe, but there should be an implicit deny to everything that isn't configured to be allowed thru the tunnel.



  • Or, if you can't change the IP addressing of the offices, use binat translation on your tunnels.


  • Netgate Administrator

    Interesting. It may not actually be a problem since although you have the same remote subnet at offices 2 and 3 the local subnet for each policy will be different at Office . Thus no policy conflict, traffic can only match one SPD.

    However you could not have a tunnel between offices 2 and 3 nor reach those by going through office 1. Without NAT somewhere at least.

    Steve



  • @stephenw10 said in Complex Routing Question:

    Interesting. It may not actually be a problem since although you have the same remote subnet at offices 2 and 3 the local subnet for each policy will be different at Office . Thus no policy conflict, traffic can only match one SPD.

    However you could not have a tunnel between offices 2 and 3 nor reach those by going through office 1. Without NAT somewhere at least.

    Given both Office 2 & 3 have the same subnet, how would Office 1 know which one to send traffic to? Put 2 & 3 on different subnets.


  • Netgate Administrator

    Because in IPSec the tunnel is policy based (unless you use VTI) so the source and destination have to match. Here each subnet at office 1 goes to a different remote office so it can only ever match one policy.

    I agree it would be better to have unique subnets everywhere.

    Steve



  • Thanks for all the replies! I'm unable to change the subnets. Are there set of instructions I could follow to setup VTI or binat? I quick look of Google yields much discussion, but not much implementation. Thanks!!!


  • Netgate Administrator

    You probably don't want VTI here. That would then be routed which would mean you'd need to NAT and you can't NAT on VTI.

    Have you tried setting this up with normal policy based IPSec? What was the result?

    If you need to NAT the traffic that is covered here:
    https://www.netgate.com/docs/pfsense/book/ipsec/choosing-configuration-options.html#nat-binat-translation

    Steve



  • Actually, surprisingly it seems to all be working with just the phase 2 networks set correctly.


  • Netgate Administrator

    Nice. I expected that to work but I could also easily imagine something unexpected getting in the way.

    Steve


Log in to reply