IPSec Blocked - Multiple PF on one LAN

  • Hi all,

    I know this sounds ridiculous, but bear with me. We have two PFSense boxes (it's a hold over from another time), with one of those boxes meant to be handling an IPSec site-to-site (not my doing). It was originally set up to be like this:

    Router > Internet switch > Cisco ASA into PFsense IPSEC > domain

    Now, as we've put in a new PF (for everything else) it's:

    Modem PPPoE Passthrough > PFsense > Cisco ASA (OPT3) > Pfsense > domain

    This is actually only the case for the single machine we need to site-to-site. All other devices on the domain use our new PF box as the default gateway. It used to be that the IPSec PF just needed internet access to function, but now with the addition of the other PF box (for general purpose) it's unable to connect.

    I know this is stupid, and not at all good practice. It would be best to have the new PF handle this IPSec, but we don't want everything on our domain running through it, only really on one machine.

    What can I do here? Is there some rule configuration I would need in order to pass through that sort of traffic? Feel free to tell me this just won't work, I fully expect it.

  • Just thought I'd add something interesting, and clarify maybe.

    When I put things back how they were, the tunnel works. When I run the IPSec firewall through the other firewall, the system using the IPSec one gets full internet access, and the tunnel doesn't function.

    I suppose the question is how do you tunnel while sat behind a firewall? If it's even feasible, I've done some research around NAT and things, but it's a bit beyond me (I'm used to just standard firewalling, not this level of complication).

  • Issue solved in the end. Solution was to route WAN out on OPT1 (internet access) and add rules to allow only tunnel traffic via the IPSec wall.

Log in to reply