Multiple VTI Policy Based Routing
Hi
I am having some issues with a complicated setup. I currently have a pfSense running on AWS with the purpose of managing a hub and spoke configuration of a number of customer networks.
My intention is to have a number of VTI interfaces, one for each customer who requires access to our network. Our network covers the 10.0.0.0/8 range. Customers are on the 192.168.0.0/16 and 172.16.0.0/12 ranges.
Each of our customers is assigned a range of the 10.0.0.0/8 subnet which they can access. For example, we may issue one customer who is on 192.168.0.0/24 the 10.0.0.0/24 range of addresses they can access.
We have configured rules on the IPsec interface to cover our VTIs such that anything from 10.0.0.0/24 will be routed via the gateway created for the VTI connected to 192.168.0.0/24, and another rule saying anything from 192.168.0.0/24 to 10.0.0.0/24 will be routed via the VTI gateway for 10.0.0.0/24. We have a final rule blocking all other traffic outside of the allowed ranges.
This works well but we have now come up against an issue. A second customer of ours wants to use an existing range to connect to our firewall. We have issued a new subnet for them for our internal network on 10.0.1.0/24 but their network is 192.168.0.0/24 also.
I initially thought this would not be an issue as we are policy routing via a VTI. I set up a new VTI and gateway to their network and set the rules saying anything from 10.0.1.0/24 to 192.168.0.0/24 will be sent via the new gateway and anything from 192.168.0.0/24 to 10.0.1.0/24 will be sent via our gateway.
The problem I am now seeing is that we appear to also have to add static routes to the subnet range 192.168.0.0/24 to the gateway otherwise a ping will not get a response. As we are now connected to 2 networks both on 192.168.0.0/24 obviously we can't use static routing to do this.
Is it possible to configure pfSense to use just policy based routing on the VTI interfaces and not need the corresponding static route for the replies? The customer is not able or willing to change the subnet they have picked.
Hopefully that all makes sense
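The structural reason behind the problem in the post, as an added illustration that is not part of the original post: policy rules match on source and destination, so the two customers on 192.168.0.0/24 can be told apart by which internal /24 they talk to, whereas a static route table matches on destination only and can hold a single next hop per prefix. The rule set and gateway names below are constructed to mirror the post, and the evaluation order (rule gateway first, routing table as fallback) is an assumption about how policy routing is modelled here.

```python
# Added illustration (not the post's own configuration): source+destination
# policy rules vs. a destination-only static route table.
from ipaddress import ip_address, ip_network

# Constructed policy rules in the shape of the post's IPsec/VTI rules:
# (source net, destination net, gateway), evaluated first match.
POLICY_RULES = [
    ("10.0.0.0/24", "192.168.0.0/24", "VTI_CUST1_GW"),
    ("192.168.0.0/24", "10.0.0.0/24", "INTERNAL_GW"),
    ("10.0.1.0/24", "192.168.0.0/24", "VTI_CUST2_GW"),
    ("192.168.0.0/24", "10.0.1.0/24", "INTERNAL_GW"),
]

# Constructed static route table: destination prefix -> gateway. One entry
# per prefix, so a second 192.168.0.0/24 route for customer 2 cannot coexist
# with customer 1's.
STATIC_ROUTES = {
    "10.0.0.0/24": "INTERNAL_GW",
    "10.0.1.0/24": "INTERNAL_GW",
    "192.168.0.0/24": "VTI_CUST1_GW",
}

def policy_lookup(src, dst):
    """Gateway of the first policy rule matching (src, dst), or None."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, gw in POLICY_RULES:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return gw
    return None  # no match: would hit the post's final block rule

def route_lookup(dst):
    """Longest-prefix match on destination only, as a route table does."""
    d = ip_address(dst)
    best = None
    for prefix, gw in STATIC_ROUTES.items():
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def forward_path(src, dst):
    """Assumed model: a matching rule's gateway wins, else the route table."""
    return policy_lookup(src, dst) or route_lookup(dst)

if __name__ == "__main__":
    # Forward direction: the two customers are separated by source address.
    print(forward_path("10.0.0.5", "192.168.0.9"))   # VTI_CUST1_GW
    print(forward_path("10.0.1.5", "192.168.0.9"))   # VTI_CUST2_GW
    # Destination-only lookup cannot tell the two customers apart.
    print(route_lookup("192.168.0.9"))                # VTI_CUST1_GW
```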