Multiple LANs + VPN and Static Routes



  • Hello everyone,

    I've made a testing configuration on a pfSense box 1.2.2 with one WAN interface and two LAN interfaces. One of the LANs (10.60.1.3/24) is the servers' LAN (only servers and other equipment) and the other LAN is for office users (192.168.1.1/24). Also, I've set up a VPN server on the pfSense box (PPTP), using the 172.16.237.96/28 subnet.
    We are also accessing other networks through IP addresses on the LAN side; for example we are accessing 10.0.0.0/8 through 10.60.1.7, 10.241.0.0/16 through 10.60.1.1 and 192.168.0.0/16 through 10.60.1.2 and some others.

    I've found out that it is required to set up an interface for the static route rule on pfSense, and as normal, the static route is only working for things coming from that interface. I've set it up for the backbone interface and I can only ping those networks from the servers, not from the offices. When I tried to add the same static route for other interfaces, pfSense told me that the destination is already defined. Also, I didn't find out where to set up the metric for the route, because there is a need for static routes that overlap other subnets defined (for example 10.241.0.0/16, which overlaps 10.0.0.0/8).

    These are my problems. We are now using a Zyxel ZyWALL 35 UTM with DMZ (servers) and LAN (office users), which is working fine with these static routes:

    10.11.11.0/24 through 10.60.1.9, metric 10
    10.241.0.0/16 through 10.60.1.1, metric 10
    10.0.0.0/8 through 10.60.1.7, metric 20
    192.168.0.0/22 through 10.60.1.4, metric 10
    192.168.0.0/16 through 10.60.1.2, metric 20

    Please, help me if you can…
    Thank you!



  • Same problem...

    Site A (pfsense 1.2.3)
    LAN 192.168.1.x
    OPT1 192.168.40.x

    Site B (pfsense 1.2.3)
    LAN 192.168.2.x

    IPsec tunnel from Site A to Site B
    Rules on IPsec = all permitted
    Rules on OPT1 = all permitted

    From Site B, if I try a tracert to a Site A LAN host it's OK (Site B gw, Site A gw, host).
    From Site B, if I try a tracert to a Site A OPT1 host (192.168.40.x) it's KO (Site B gw, WAN gw, somewhere in the internet, KO).

    Do you have any idea?



  • I didn't really read the original post, but IPsec does not follow the route table. You'll need a second tunnel set up between Site B and Site A using the OPT1 subnet.


  • Rebel Alliance Developer Netgate

    Or use OpenVPN in shared-key mode for the site-to-site tunnel and route whatever you want using its custom options (it does obey the routing table).
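As an added illustration of the shared-key approach suggested above (example configuration written for this page, not taken from the thread or from pfSense itself): two OpenVPN shared-key peers, one per site, with `route` statements that install kernel routes for every far-side subnet. Because OpenVPN in this mode is an ordinary routed tunnel interface, the kernel's routing table decides what enters it, so Site B can reach both Site A's LAN (192.168.1.0/24) and its OPT1 network (192.168.40.0/24) through a single tunnel; no second phase 2 / tunnel definition is needed. The tunnel endpoints 10.0.8.1/10.0.8.2, the hostname `siteA.example.invalid`, and the key paths are placeholders chosen for the example.

```conf
# --- Site A (pfSense, listens) -- constructed example configuration ---
dev tun
proto udp
port 1194
# Point-to-point tunnel addresses; pick a /30 that overlaps none of the LANs
ifconfig 10.0.8.1 10.0.8.2
# Static pre-shared key, identical on both peers (placeholder path)
secret /path/to/shared.key
# Kernel route at Site A: Site B's LAN is reached via the tunnel
route 192.168.2.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun

# --- Site B (pfSense, initiates) -- constructed example configuration ---
dev tun
proto udp
# Site A's public address (placeholder)
remote siteA.example.invalid 1194
ifconfig 10.0.8.2 10.0.8.1
secret /path/to/shared.key
# Kernel routes at Site B: both of Site A's internal networks via the tunnel.
# Add one "route" line per far-side subnet; nothing else has to change.
route 192.168.1.0 255.255.255.0
route 192.168.40.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
```

In the pfSense GUI the same result comes from entering one far-side network in the shared-key tunnel's Remote network field and adding the remaining `route` lines to the Custom options box. The security-relevant check is the same as with the IPsec variant: because the tunnel now carries traffic for every routed subnet, the firewall rules on the tunnel interface (or the OPT1 rules at Site A) are what limit which hosts Site B can actually reach, so keep them narrower than "all permitted" once testing is done.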

