PFSense Help Site to Site Tunnel Routing



  • Site A is Main Office

    Site B is Satellite Office

    Both sites running latest version of PFSense.

    IPsec Site to site bridge in place.

    Customer has white listed external IP of Site A for access to supported equipment. I would like to route all traffic bound for Customer.Domain.Com from Site B through tunnel and out to customer from Site A. If i called the Customer they would just add Site B's ip address to their white list, but I would like to learn correct way to selectively route traffic like this. Is this a new Phase 2 for the VPN? A firewall rule? etc.

    Any help would be appreciated.


  • Netgate Administrator

    Routing by FQDN like that can be a problem if the it resolves to many IP addresses. If not that will work in an alias.

    Yes, for policy based IPSec, add a new P2 to carry that traffic and a new outbound NAT rule at Site A to NAT it to the whitelisted IP.

    For actually routing the traffic you would need to use either route based IPSec (VTI) or OpenVPN. That is more flexible, opens up a lot more options.

    Steve



  • You're saying Open VPN is more flexible?


  • Netgate Administrator

    It is, you can route whatever traffic you want over it by applying policy routing firewall rules and only need make chnages at one end for example.
    You can also do that with route based IPSec and that is generally faster than OpenVPN but there are some caveats currently:
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html#caveats

    In your particular case you policy based IPSec will probably work fine as you have a fixed external destination IP and can control both ends of the tunnel. So you can add a new P2 and that P2 can be closely defined, exact subnets only.

    Steve



  • @stephenw10
    So I have been fiddling with this for a bit and am getting no where.
    Site A 10.1.x.x/16----<--IPSec VPN-->----Site B 10.2.x.x/16 Everything Works
    Desired Result:
    Site B 10.2.x.x/16----<--IPSec VPN-->----Site A 10.1.x.x/16--->internet/No VPN---->Site C 169.x.x.x/23
    Current Situation:
    Site B 10.2.x.x/16----<--IPSec VPN-->----Site A 10.1.x.x/16
    Site B 10.2.x.x/16--->internet/No VPN---->Site C 169.x.x.x/23
    When I add a Phase 2 for Site C 169.x.x.x/23 to Site B firewall I can no longer reach Site C at all.



  • @stephenw10
    Is that Outbound Nat Rule on the Phase 2 at site A or just on the LAN?


  • Netgate Administrator

    The outbound NAT rule would be on the WAN at site A with source 10.2.0.0/16. So that traffic from site B can be NAT'd to the site A public IP in order to reach the site C public subnet.

    Steve


Log in to reply