Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Appropiate return route for tunneled gateway

    Scheduled Pinned Locked Moved
    Routing and Multi WAN
    1
    1
    48
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • senseivitaS
      senseivita
      last edited by

      To workaround te lack of available static IP addresses at my ISP I tunnel-in a static IP address from a cloud hosting provider, basically 1:1 NAT over a tunnel. I just need the static entry point and from there I can swissarmyknife the rest with pfSense.

      Using wildcard I point all traffic to a single, preferably static point, like a VPS' included address, most not technically static but as long as you hold the VPS, it's as good as static. :)

      vpn-gateway.png

      I've set up using three different tunneling techniques/technologies. Last week after reading some posts on the IPsec section and talking this out with somebody I decided to switch from my last working setup, OpenVPN tap + double NAT (full cone but still) to routed IPsec which I tried before but couldn't make something work. It was also the first time routed IPsec was on pfSense, though.

      I created the tunnel and got very good sub-20ms latency and stable, that's from the Gateways Dashboard widget. As remote test endpoints I used virtual IPs on each end since the tunnel IP endpoints cannot be used, and, this is where trouble begins, unlike the last time with OpenVPN where it more like client-server approach, routed IPsec is a transit network where the endpoints aren't usable, only what's beyond those. Creating static routes is confusing.

      From the cloud firewall it's easy, in my case the class A intranet range covers it, but the return path not a clue since I now have 2x 0.0.0.0/0 routes, one local-one remote. The other options are the "unusable" tunnel itself, and the dummy remote network, a /24 subnet I added in the beginning to ping something. If something could be worked out with virtual IP then maybe but I wouldn't know where to begin; TBH, each of the times I've managed to set this up has not been on purpose.

      vpn-gateway2.png

      I've set dual default routes before but I've worked around it by adding a second NIC, multi-homing the host. Also, none of these was tunneled, they were different local exits. I also considered using OSPF but if I can't handle static routes as it is. 😅

      Any spare tips? Completely different approaches are welcome too. 😄 🧨

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post