Multiple LAN's + VPN and Static Routes
I've made a testing configuration on a pfSense box 1.2.2 with one WAN interface and two LAN interfaces. One of the LANs (10.60.1.3/24) is the servers' LAN (only servers and other equipment) and the other LAN is for office users (192.168.1.1/24). Also, I've set up a VPN server on the pfSense box (PPTP), using the 172.16.237.96/28 subnet.
We are also accessing other networks through IP addresses on the LAN side, for example we are accessing 10.0.0.0/8 through 10.60.1.7, 10.241.0.0/16 through 10.60.1.1 and 192.168.0.0/16 through 10.60.1.2 and some others.
I've found out that it is required to set up an interface for the static route rule on the pfSense, and as normal, the static route is only working for things coming from that interface - I've set it up for the backbone interface and I can only ping those networks from the servers, not from the offices. When I tried to add the same static route for other interfaces, pfSense told me that the destination is already defined. Also, I didn't find out where to set up the metric for the route, because there is a need for static routes that overlap other subnets already defined (for example 10.241.0.0/16 which overlaps 10.0.0.0/8).
These are my problems. We are now using a Zyxel ZyWALL 35 UTM with DMZ (servers) and LAN (office users) which is working fine with these static routes:
10.11.11.0/24 through 10.60.1.9, metric 10
10.241.0.0/16 through 10.60.1.1 metric 10
10.0.0.0/8 through 10.60.1.7, metric 20
192.168.0.0/22 through 10.60.1.4 metric 10
192.168.0.0/16 through 10.60.1.2 metric 20
Please help me if you can…
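The overlap worry in the post (10.241.0.0/16 inside 10.0.0.0/8, 192.168.0.0/22 inside 192.168.0.0/16) is resolved by ordinary longest-prefix matching, not by metrics: the most specific matching prefix always wins, and a metric only breaks ties between routes to the same prefix. The following added example (not from the thread, and not pfSense code) models the route table from the post plus two assumed entries, the directly connected server and office LANs and a default route with a placeholder next hop, and shows which next hop each destination gets:

```python
from ipaddress import ip_address, ip_network

# Constructed route table mirroring the static routes listed in the post.
# Entries: (destination prefix, next hop, metric).
# The two "direct" rows are the connected LANs from the post (10.60.1.x/24
# and 192.168.1.x/24); the second 10.11.11.0/24 row is an assumed backup
# route, added only to show when a metric actually matters; the 0.0.0.0/0
# row is an assumed default route with a placeholder next hop.
ROUTES = [
    ("10.60.1.0/24",    "direct",    0),
    ("192.168.1.0/24",  "direct",    0),
    ("10.11.11.0/24",   "10.60.1.9", 10),
    ("10.11.11.0/24",   "10.60.1.7", 50),   # assumed backup, same prefix
    ("10.241.0.0/16",   "10.60.1.1", 10),
    ("10.0.0.0/8",      "10.60.1.7", 20),
    ("192.168.0.0/22",  "10.60.1.4", 10),
    ("192.168.0.0/16",  "10.60.1.2", 20),
    ("0.0.0.0/0",       "WAN-GW",    100),  # placeholder default route
]


def candidates(dst):
    """All routes whose prefix contains dst, most specific first.

    Sort key: longer prefix first, then lower metric. This is the order a
    router evaluates them in: metric is only consulted between routes to
    the same prefix length.
    """
    addr = ip_address(dst)
    matching = [
        (ip_network(prefix), next_hop, metric)
        for prefix, next_hop, metric in ROUTES
        if addr in ip_network(prefix)
    ]
    matching.sort(key=lambda r: (-r[0].prefixlen, r[2]))
    return [(str(net), nh, m) for net, nh, m in matching]


def lookup(dst):
    """Return (prefix, next_hop, metric) chosen for dst by longest-prefix match."""
    return candidates(dst)[0]


if __name__ == "__main__":
    for dst in ("10.241.5.5", "10.200.1.1", "10.60.1.7", "192.168.2.9",
                "192.168.50.1", "192.168.1.20", "10.11.11.3", "8.8.8.8"):
        prefix, next_hop, metric = lookup(dst)
        print(f"{dst:>14} -> {prefix:<16} via {next_hop:<10} metric {metric}")
```

Run it and the 10.241.0.0/16 route wins for 10.241.x.x even though the 10.0.0.0/8 route is also present, and the connected 192.168.1.0/24 beats the 192.168.0.0/22 static route for office hosts; the only place the metric decides anything is between the two routes to the identical prefix 10.11.11.0/24.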
Site A (pfsense 1.2.3)
SITE B (pfsense 1.2.3)
IPSEC TUNNEL from SITE A to SITE B
Rules on IPSEC = all permitted
rules on OPT1 = all permitted
from site B if I try a tracert to a SITE A LAN it's OK (site B gw, site A gw, host)
from site B if I try a tracert to a SITE A OPT1 (192.168.40.x) it's KO (site B gw, WAN gw, somewhere in internet, KO)
do you have any idea?
I didn't really read the original post but IPSec does not follow the route table. You'll need a second tunnel set between site B and Site A using the OPT1 subnet.
Or use OpenVPN in shared-key mode for the site-to-site tunnel and route whatever you want using its custom options (it does obey the routing table)
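The reply above explains why the traceroute from site B to the OPT1 subnet leaves via the WAN: a policy-based IPsec tunnel only captures traffic whose source and destination match one of its configured subnet pairs, and everything else is handed to the normal routing table. The following added example (not from the thread, and not pfSense code) models site B's decision for a packet: it checks the IPsec policies first and falls back to the route table otherwise, and shows the traceroute-like path before and after a second subnet pair for OPT1 is added. The site A and site B LAN subnets are assumed placeholders; only 192.168.40.0/24 (the OPT1 network, from the post) is given:

```python
from ipaddress import ip_address, ip_network

# Assumed subnets: the post only states OPT1 is 192.168.40.x.
SITE_B_LAN = "192.168.30.0/24"   # placeholder
SITE_A_LAN = "192.168.10.0/24"   # placeholder
SITE_A_OPT1 = "192.168.40.0/24"  # from the post

# Site B's routing table, as (prefix, next hop): connected LAN plus a
# default route to the WAN gateway. Nothing here points at site A.
SITE_B_ROUTES = [
    (SITE_B_LAN, "site-B-gw"),
    ("0.0.0.0/0", "WAN-gw"),
]

# Phase 2 selectors of the IPsec tunnel: (local subnet, remote subnet).
# This is the single LAN-to-LAN pair the post describes.
SPD_ONE_PAIR = [(SITE_B_LAN, SITE_A_LAN)]

# The fix suggested in the reply: a second pair covering OPT1.
SPD_TWO_PAIRS = SPD_ONE_PAIR + [(SITE_B_LAN, SITE_A_OPT1)]


def egress(src, dst, spd):
    """Decide how site B forwards a packet.

    Policy-based IPsec is consulted first: if (src, dst) matches a
    selector pair the packet is encrypted into the tunnel regardless of
    the route table. Otherwise the best (longest-prefix) route decides.
    Returns ("ipsec", remote_subnet) or ("route", next_hop).
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in spd:
        if s in ip_network(local) and d in ip_network(remote):
            return ("ipsec", remote)
    best = max(
        (r for r in SITE_B_ROUTES if d in ip_network(r[0])),
        key=lambda r: ip_network(r[0]).prefixlen,
    )
    return ("route", best[1])


def trace(src, dst, spd):
    """Hop list in the spirit of the tracert output quoted in the post."""
    kind, target = egress(src, dst, spd)
    if kind == "ipsec":
        return ["site-B-gw", "site-A-gw", dst]
    # Default route: the packet leaves through the WAN gateway toward a
    # private address that nothing on the internet will deliver.
    return ["site-B-gw", target, "unreachable"]


if __name__ == "__main__":
    host_b = "192.168.30.15"
    for dst in ("192.168.10.5", "192.168.40.5"):
        print("one pair :", dst, "->", trace(host_b, dst, SPD_ONE_PAIR))
        print("two pairs:", dst, "->", trace(host_b, dst, SPD_TWO_PAIRS))
```

With only the LAN pair, a site B host reaching 192.168.40.5 matches no selector and follows the default route out the WAN, which is exactly the "site B gw, WAN gw, somewhere in internet" path in the post; adding the OPT1 pair makes the same packet match a selector and take the tunnel without any change to the route table.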