Route all traffic from tunnel through specific LAN IP?



  • I've got two buildings connected via an IPSEC tunnel.  What I'd like to happen is for ALL of the traffic from my remote building to be routed across the IPSEC tunnel to a Network Guardian appliance on my LAN.  That device would then decide whether or not to allow the request and if it did, retrieve the data and then return it to the client on the other side of the tunnel.

    Can someone get me started on how I'd go about doing this?



  • @jasonlitka:

    I've got two buildings connected via an IPSEC tunnel.  What I'd like to happen is for ALL of the traffic from my remote building to be routed across the IPSEC tunnel to a Network Guardian appliance on my LAN.  That device would then decide whether or not to allow the request and if it did, retrieve the data and then return it to the client on the other side of the tunnel.

    Can someone get me started on how I'd go about doing this?

    Could you clarify what you mean by 'ALL of the traffic', please?



  • Not really sure how to phrase it differently…  I've got a Network Guardian appliance (192.168.1.2) from SmoothWall attached to my primary LAN (192.168.1.x).  This box, rather than my pfSense box on that network (192.168.1.1), is used as the primary gateway for all of the network clients.  That box then relays traffic to pfSense which sends it out to the internet.

    I've got an IPSEC VPN tunnel between that office and a second (192.168.2.x).  What I want to do is not allow the clients on the second network to have any access outside their local network unless their traffic flows through the network guardian box first.  The traffic flow should look something like:

    Client on LAN #2 -> pfSense on LAN #2 -> IPSEC TUNNEL -> pfSense on LAN #1 -> NetGuardian on LAN #1 -> pfSense on LAN #1 -> Internet



  • If your "pfSense on LAN #2" is the default gateway for LAN #2 then I would probably try the following.
    Set up the tunnel as 192.168.2.0/24 - 0.0.0.0/0 and on pfSense #1 create a load balancer with only one member - your Netguardian device.
    Then on pfSense #1 in Rules->IPSEC create a rule for all traffic from 192.168.2.0/24 to * to use this load balancer as a gateway.
    Though I'm not sure it will work.



  • I've tried something similar by setting the clients on LAN #2 to be in the same IP range as LAN #1, and by using pfSense #1 as their default gateway.

    It seemed to work but it was unusably slow for the network it was in so we scrapped it.



  • @Bern:

    I've tried something similar by setting the clients on LAN #2 to be in the same IP range as LAN #1, and by using pfSense #1 as their default gateway.

    It seemed to work but it was unusably slow for the network it was in so we scrapped it.

    I do not think it is possible to have the same network ranges on both ends of the tunnel.



  • It was with OpenVPN, sorry.



  • @Eugene:

    If your "pfSense on LAN #2" is the default gateway for LAN #2 then I would probably try the following.
    Set up the tunnel as 192.168.2.0/24 - 0.0.0.0/0 and on pfSense #1 create a load balancer with only one member - your Netguardian device.
    Then on pfSense #1 in Rules->IPSEC create a rule for all traffic from 192.168.2.0/24 to * to use this load balancer as a gateway.
    Though I'm not sure it will work.

    Interesting…  I think the first part will work but I'm not sure how to go about creating a load balancer pool for a specific IP.  When I try to create a gateway pool it only gives me the option of my local interfaces, and when I select a server pool it forces me to pick a port.



  • You should use the gateway/failover configuration. I do not know how pfSense chooses interfaces to fill the drop-down list.
    You may wish to try modifying your config.xml just for testing ;-) For example I have in my config (the empty desc and port elements are self-closing; each servers entry is interface|ip):
    <load_balancer>
      <lbpool>
        <type>gateway</type>
        <behaviour>failover</behaviour>
        <monitorip>x.x.x.x</monitorip>
        <name>Internet</name>
        <desc/>
        <port/>
        <servers>wan|y.y.y.y</servers>
        <servers>opt1|x.x.x.x</servers>
      </lbpool>
    </load_balancer>
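An added example, not from anyone in this thread or from the pfSense project: a small Python script that builds a single-member gateway pool entry of the shape quoted above (the element names load_balancer/lbpool/type/behaviour/monitorip/name/desc/port/servers and the interface|ip member format come from that fragment) and sanity-checks it before it is pasted into config.xml, covering both Eugene's one-member pool suggestion and the hand-edited fragment. The pool name "NetGuardian", the interface name "lan", and the checks (exactly one member, member inside the LAN subnet, member is not the firewall's own address so traffic does not loop back) are this example's own assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Element names follow the config.xml fragment quoted in the thread; the
# "iface|ip" member syntax is taken from its <servers> entries.


def build_gateway_pool(name: str, iface: str, gw_ip: str,
                       monitor_ip: Optional[str] = None) -> ET.Element:
    """Return a <load_balancer> element holding one failover gateway pool
    whose only member is gw_ip on interface iface."""
    ipaddress.ip_address(gw_ip)  # raises ValueError on a malformed address
    lb = ET.Element("load_balancer")
    pool = ET.SubElement(lb, "lbpool")
    ET.SubElement(pool, "type").text = "gateway"
    ET.SubElement(pool, "behaviour").text = "failover"
    # pfSense pings monitorip to decide whether the member is up;
    # default to the member itself
    ET.SubElement(pool, "monitorip").text = monitor_ip or gw_ip
    ET.SubElement(pool, "name").text = name
    ET.SubElement(pool, "desc")  # empty, serialises as <desc />
    ET.SubElement(pool, "port")  # empty: gateway pools carry no port
    ET.SubElement(pool, "servers").text = f"{iface}|{gw_ip}"
    return lb


def parse_servers(lb: ET.Element) -> List[Tuple[str, str]]:
    """Split every <servers> entry into (interface, ip)."""
    members = []
    for entry in lb.iter("servers"):
        iface, _, ip = (entry.text or "").strip().partition("|")
        members.append((iface, ip))
    return members


def check_pool(lb: ET.Element, lan_net: str, firewall_ip: str) -> List[str]:
    """Checks an admin would want before reloading config.xml (assumed here):
    gateway type, exactly one member, member on the LAN, member not the firewall."""
    issues = []
    net = ipaddress.ip_network(lan_net)
    ptype = lb.findtext("lbpool/type")
    if ptype != "gateway":
        issues.append(f"pool type must be gateway, got {ptype!r}")
    members = parse_servers(lb)
    if len(members) != 1:
        issues.append(f"expected exactly one member, found {len(members)}")
    for iface, ip in members:
        if not iface or not ip:
            issues.append(f"malformed server entry {iface!r}|{ip!r}: want iface|ip")
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            issues.append(f"{ip!r} is not an IP address")
            continue
        if addr not in net:
            issues.append(f"{ip} is outside {lan_net}")
        if ip == firewall_ip:
            issues.append(f"{ip} is the firewall itself; policy-routed traffic would loop back")
    return issues


def to_xml(lb: ET.Element) -> str:
    return ET.tostring(lb, encoding="unicode")


if __name__ == "__main__":
    # Constructed values from the thread: NetGuardian 192.168.1.2, pfSense 192.168.1.1
    lb = build_gateway_pool("NetGuardian", "lan", "192.168.1.2")
    print(to_xml(lb))
    print("issues:", check_pool(lb, "192.168.1.0/24", "192.168.1.1"))
```

Paste the printed element into the config under the top-level pfsense element, then reload; check_pool returning an empty list means the member is a single host on the LAN and not the firewall's own address.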

