Netgate Discussion Forum

IPSec vlan firewall rules

General pfSense Questions
  • voxel, Apr 14, 2023, 9:58 PM

    I have three sites, A, B and C, where B and C are connected to A using IPsec VTI.
    Each site has a 10.0.0.0/16 subnet and all VLANs have /24 subnets with a matching ID, for example 10.10.10.0/24 for site A and VLAN ID 10.
    Site A is the "hub" and has all the firewall rules in place for each vlan interface.

    Is there any way I can avoid re-writing all the firewall rules for the incoming IPsec traffic with matching VLAN subnets?
    Can I route the IPsec traffic of a specific source (10.20.10.0/24) to an existing VLAN interface (10.10.10.0/24) to use the same outgoing rules?

    • stephenw10 (Netgate Administrator), Apr 14, 2023, 10:56 PM

      Might need a diagram here.

      What rules do you think you will need to re-write and why?
      You have just added those VLANs?

      You can policy route traffic on the IPsec firewall rules. Unclear exactly what you're trying to achieve.

      Steve

      • voxel @stephenw10, Apr 15, 2023, 12:14 AM

        @stephenw10
        No problem, I'll try and write a better example. Please note that in reality there are more than 2 sites and more than 2 VLANs/subnets at each site. I know VLAN tags don't traverse the IPsec tunnel. I just use them below as subnet identifiers.

        Site A (10.10.0.0/16)
        On site A all my clients are on VLAN 20 (10.10.20.0/24) and whatever resources they need are on VLAN 10 (10.10.10.0/24).
        Only certain ports are open to VLAN 10 from VLAN 20.

        Site B (10.20.0.0/16)
        On site B all my clients are also on VLAN 20 (10.20.20.0/24) and they connect to site A through an IPSec VTI tunnel.
        They are the same type of clients as on site A and need access to the same resources on site A's VLAN 10.

        In order to allow them access I should (if I'm not mistaken) add pass rules for the specific ports to the site A firewall under the IPsec tab with source 10.20.20.0/24 and destination 10.10.10.0/24.

        The issue
        Everything is working, so that's not the issue. My problem is that I don't want to manage firewall settings on site A for both the VLAN 20 interface and the site B VLAN 20 traffic on the IPsec tab.
        I want 1 firewall rule that handles both.

        Guessing now that this could be handled with floating rules instead of interface rules on site A?
        For example, a floating pass rule on site A for interfaces VLAN 20 and IPsec with a source alias of all subnets at each site that are considered "VLAN 20".

        • stephenw10 (Netgate Administrator), Apr 15, 2023, 12:41 AM

          You could do this using an alias with all the client subnets in it and then use that as the source in the firewall rule at site A on the IPsec tab.
          That wouldn't filter clients that are at site A that don't use the tunnel, so you'd still need a rule on the client VLAN there directly.
          Or, as you say, you could put that rule as floating outbound on the resources VLAN at site A.

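To make the two placements discussed above concrete, here is a small added model of how pf picks the first matching quick rule on the interface a packet enters site A's firewall. It is an illustration written for this page, not pfSense code and not from either poster. The interface names (vlan20, ipsec), the sample addresses, the port 443 and the spoofed source are assumptions; the alias holds the two VLAN 20 subnets from the thread. It shows the IPsec-tab-only rule leaving site A's own clients unmatched (stephenw10's caveat), and the single floating rule bound to both VLAN20 and IPsec (voxel's suggestion) covering both, while still blocking a wrong port or a source outside the alias.

```python
# Added illustration, not pfSense code: models pf's first-match ("quick")
# ingress evaluation to compare the rule placements discussed in the thread.
# Interface names, addresses and the port are assumptions for the example.
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    in_if: str   # interface the packet enters site A's firewall on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    ifaces: frozenset   # interfaces the rule is bound to
    srcs: tuple         # source alias: one network per site
    dst: Net
    dports: frozenset
    action: str = "pass"


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule only sees packets on the interfaces it is bound to."""
    if flow.in_if not in rule.ifaces:
        return False
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return (any(src in net for net in rule.srcs)
            and dst in rule.dst
            and flow.dport in rule.dports)


def verdict(floating, interface_rules, flow: Flow):
    """pfSense order on ingress: floating (Quick) rules, then the entry
    interface's tab rules, then the implicit default deny. First match wins."""
    for rule in list(floating) + list(interface_rules):
        if matches(rule, flow):
            return rule.action, rule.name
    return "block", "default deny"


# Alias "Clients_VLAN20" from the thread: the VLAN 20 subnet at each site.
CLIENTS_VLAN20 = (Net("10.10.20.0/24"), Net("10.20.20.0/24"))
RESOURCES = Net("10.10.10.0/24")
PORTS = frozenset({443})  # assumed service port


def ipsec_tab_only():
    """Only the rule on the IPsec tab, as in stephenw10's first sentence."""
    return [], [Rule("ipsec: clients->resources", frozenset({"ipsec"}),
                     CLIENTS_VLAN20, RESOURCES, PORTS)]


def floating_alias():
    """One floating Quick rule bound to VLAN20 and IPsec, as voxel proposed."""
    return [Rule("floating: clients->resources", frozenset({"vlan20", "ipsec"}),
                 CLIENTS_VLAN20, RESOURCES, PORTS)], []


# Constructed sample flows, all towards a host on site A's resources VLAN.
LOCAL = Flow("vlan20", "10.10.20.5", "10.10.10.8", 443)   # site A client
TUNNEL = Flow("ipsec", "10.20.20.5", "10.10.10.8", 443)   # site B client via VTI
WRONG_PORT = Flow("ipsec", "10.20.20.5", "10.10.10.8", 22)
OUTSIDE_ALIAS = Flow("ipsec", "10.20.30.5", "10.10.10.8", 443)

if __name__ == "__main__":
    for label, ruleset in (("IPsec tab only", ipsec_tab_only()),
                           ("floating + alias", floating_alias())):
        print(label)
        for flow in (LOCAL, TUNNEL, WRONG_PORT, OUTSIDE_ALIAS):
            action, name = verdict(*ruleset, flow)
            print(f"  {flow.in_if:6} {flow.src:>12} -> {flow.dst}:{flow.dport:<4} {action:5} ({name})")
```

In the pfSense GUI the floating variant is an alias of type Network under Firewall > Aliases holding both subnets, then one rule under Firewall > Rules > Floating with action Pass, Quick ticked, direction in, interfaces VLAN20 and IPsec, that alias as source, 10.10.10.0/24 as destination and the service port. Quick matters: floating rules without it use last-match semantics rather than the first-match behaviour of interface-tab rules. The "floating outbound on the resources VLAN" variant from the last post is not modelled here because pf applies it at egress and the result depends on the state that the ingress pass rule already created.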
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.