    IPSec Blocked - Multiple PF on one LAN

    • Armstrong

      Hi all,

      I know this sounds ridiculous, but bear with me. We have two pfSense boxes (it's a holdover from another time), with one of those boxes meant to be handling an IPsec site-to-site (not my doing). It was originally set up to be like this:

      Router > Internet switch > Cisco ASA into pfSense IPsec > domain

      Now, as we've put in a new PF (for everything else) it's:

      Modem PPPoE Passthrough > pfSense > Cisco ASA (OPT3) > pfSense > domain

      This is actually only the case for the single machine we need to site-to-site. All other devices on the domain use our new PF box as the default gateway. It used to be that the IPsec PF just needed internet access to function, but now, with the addition of the other PF box (for general purpose), it's unable to connect.

      I know this is stupid, and not at all good practice. It would be best to have the new PF handle this IPsec, but we don't want everything on our domain running through it, only really one machine.

      What can I do here? Is there some rule configuration I would need in order to pass through that sort of traffic? Feel free to tell me this just won't work, I fully expect it.

      • Armstrong

        Just thought I'd add something interesting, and clarify maybe.

        When I put things back how they were, the tunnel works. When I run the IPsec firewall through the other firewall, the system using the IPsec one gets full internet access, and the tunnel doesn't function.

        I suppose the question is: how do you tunnel while sitting behind a firewall, if it's even feasible? I've done some research around NAT and things, but it's a bit beyond me (I'm used to just standard firewalling, not this level of complication).

        • Armstrong

          Issue solved in the end. The solution was to route WAN out on OPT1 (internet access) and add rules to allow only tunnel traffic via the IPsec wall.

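The "allow only tunnel traffic" rules from the last post, written out as an added example in pf syntax (pfSense generates the equivalent from GUI rules; this is not the poster's configuration). It assumes the IPsec pfSense's WAN address is 192.0.2.10 on the front pfSense's interface em3 (the poster's OPT3) and that the far-end peer is 203.0.113.5; all three values are constructed.

```pf
# Added example: pf rules on the front pfSense, on the interface facing the
# IPsec pfSense. Interface name and addresses are constructed assumptions,
# not values from the thread.
ipsec_if  = "em3"          # front pfSense interface wired to the IPsec box (OPT3)
ipsec_fw  = "192.0.2.10"   # WAN address of the IPsec pfSense on that interface
remote_gw = "203.0.113.5"  # public address of the far-end IPsec peer

# IKE (UDP 500) and NAT-T (UDP 4500). The IPsec box is behind NAT here, so
# once NAT-T is negotiated the ESP payload travels inside UDP 4500.
pass in quick on $ipsec_if proto udp from $ipsec_fw to $remote_gw \
    port { 500, 4500 } keep state

# Raw ESP (IP protocol 50), in case the peers negotiate without NAT-T.
pass in quick on $ipsec_if proto esp from $ipsec_fw to $remote_gw keep state

# Everything else from the IPsec box is dropped and logged: it only ever
# needs the tunnel, not general internet access.
block in log quick on $ipsec_if from $ipsec_fw to any
```

The front pfSense must also keep the UDP 500 source port unchanged when it NATs the IPsec box outbound; pfSense's automatic outbound NAT includes a static-port rule for ISAKMP, but a manual outbound NAT setup needs that added by hand.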
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.