Multiple WAN issue with IPSec VTI + FRR


  • Hi,

    I have a pfSense box set up with 1 LAN (172.16.4.0/24) and 2 WANs.

    I used 1 WAN to set up 2 IPsec connections to AWS VPN, configured as VTI. BGP is set up using FRR; all working fine:

    [screenshot: VPN > IPsec > Tunnels]

    [screenshot: Services > FRR > Status > BGP]

    And the ping to the AWS IP is working from the pfSense box:
    [screenshot: Diagnostics > Ping]

    Also working on my computer:
    [screenshot: ping from a terminal on my iMac]

    The problem only appeared after I updated the Firewall Rules for LAN from the default gateway to the Multiple WAN gateway group. I can only ping from the pfSense box to AWS, but the dynamic routing doesn't apply to other computers inside the LAN.

    How do I get the benefit of VTI and the Multiple WAN gateway group working together? I can set up P2 rules and get it working, but that is hard to maintain, and since I use the VPN from a Transit Gateway, with more and more accounts added into the TGW, it's very hard to keep adding P2 rules.

    Thanks,


  • In case anyone stumbles across this: the solution is to create a rule on the LAN interface that uses the "default" gateway for packets headed toward subnets that live on the other side of the VTI tunnels. This new rule needs to be higher in the list than the rule you created which redirects incoming packets to a gateway group.
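To illustrate the ordering the answer above describes, here is an added pf.conf-style sketch of the two LAN rules as pf evaluates them; it is not from either post and not pfSense's exact generated ruleset, and the interface names, gateway addresses and the AWS prefix are assumptions.

```pf
# Illustrative pf rules for the LAN interface: the first matching "quick" rule wins.
# Assumed names (placeholders, not from the thread): LAN is em1, WAN1 gateway 203.0.113.1
# on em0, WAN2 gateway 198.51.100.1 on em2, and the AWS/Transit Gateway prefix is 10.0.0.0/8.
table <vti_remote_nets> { 10.0.0.0/8 }

# Rule 1 (must sit above the gateway-group rule): traffic for subnets reachable over the
# VTI tunnels is passed with NO route-to, so it follows the kernel routing table that
# FRR/BGP populates, i.e. it is sent into the ipsec VTI interfaces.
pass in quick on em1 inet proto { tcp udp icmp } from 172.16.4.0/24 to <vti_remote_nets> keep state

# Rule 2: everything else from the LAN is policy-routed to the Multi-WAN gateway group.
# If this rule came first it would also match the VPN-bound packets and force them out a
# WAN interface, bypassing the BGP-learned routes, which is the symptom in the question.
pass in quick on em1 route-to { (em0 203.0.113.1), (em2 198.51.100.1) } round-robin \
    inet from 172.16.4.0/24 to any keep state
```

On a pfSense box the loaded ruleset can be inspected with `pfctl -sr`; the VPN-bound pass rule should appear before the `route-to` rule for the LAN interface.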