IPSec vlan firewall rules
-
I have three sites, A, B and C where B and C are connected to A using ipsec vti.
Each site has a 10.0.0.0/16 subnet and all vlans have /24 subnets with matching id, for example 10.10.10.0/24 for site A and vlan id 10.
Site A is the "hub" and has all the firewall rules in place for each VLAN interface. Is there any way I can avoid re-writing all the firewall rules for the incoming IPsec traffic with matching VLAN subnets?
Can I route the IPsec traffic of a specific source (10.20.10.0/24) to an existing VLAN interface (10.10.10.0/24) to use the same outgoing rules?
-
Might need a diagram here.
What rules do you think you will need to re-write and why?
You have just added those VLANs? You can policy route traffic on the IPSec firewall rules. Unclear exactly what you're trying to achieve.
Steve
-
@stephenw10
No problem, I'll try and write a better example. Please note that in reality there are more than 2 sites and more than 2 VLANs/subnets at each site. I know VLAN tags don't traverse the IPsec tunnel; I just use them below as subnet identifiers.
Site A (10.10.0.0/16)
On site A all my clients are on VLAN 20 (10.10.20.0/24) and whatever resources they need are on VLAN 10 (10.10.10.0/24).
Only certain ports are open to VLAN 10 from VLAN 20.
Site B (10.20.0.0/16)
On site B all my clients are also on VLAN 20 (10.20.20.0/24) and they connect to site A through an IPSec VTI tunnel.
They are the same type of clients as on site A and need access to the same resources on site A's VLAN 10.
In order to allow them access I should (if I'm not mistaken) add pass rules for the specific ports to the site A firewall under the IPsec tab with source 10.20.20.0/24 and destination 10.10.10.0/24.
The issue
Everything is working so that's not the issue. My problem is that I don't want to manage firewall settings on site A for both the VLAN 20 interface and the site B VLAN 20 traffic on the IPsec tab.
I want 1 firewall rule that handles both.
Guessing now that this could be handled with floating rules instead of interface rules on site A?
For example, a floating pass rule on site A for interface VLAN 20 and IPsec with a source alias of all subnets at each site that are considered "vlan 20".
-
You could do this using an alias with all the client subnets in it and then use that as the source in the firewall rule at site A on the IPSec tab.
That wouldn't filter clients that are at site A that don't use tunnel so you'd still need a rule on the client VLAN there directly.
Or as you say you could put that rule as floating outbound on the resources VLAN at site A.
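The single-rule approach discussed above, written out as an added example in the pf syntax that pfSense renders its GUI rules into (this is not the thread's or pfSense's own configuration); the subnets are the thread's, while the interface names vlan20 and ipsec_vti and the port list are assumptions.

```pf
# Added example, not from the thread. Interface names and ports are placeholders.

# Alias: every subnet that counts as "client VLAN 20" at any site.
# Adding a site later means adding one entry here, not a new rule.
table <client_vlan20> { 10.10.20.0/24 10.20.20.0/24 }

# Alias: the resources VLAN at site A.
table <siteA_resources> { 10.10.10.0/24 }

# Ports the clients may reach (placeholder values, not from the thread).
allowed_ports = "{ 443 3389 }"

# Before: one interface rule per ingress path, duplicated per site.
#   pass in quick on vlan20    proto tcp from 10.10.20.0/24 to <siteA_resources> port $allowed_ports
#   pass in quick on ipsec_vti proto tcp from 10.20.20.0/24 to <siteA_resources> port $allowed_ports

# After: one floating rule (Direction "in", Quick checked) selected on both the
# VLAN 20 interface and the IPsec/VTI interface, with the alias as the source.
# Local site A clients and tunnelled site B clients hit the same rule.
pass in quick on { vlan20 ipsec_vti } proto tcp \
    from <client_vlan20> to <siteA_resources> port $allowed_ports \
    keep state label "client VLAN20 (local + tunnelled) -> site A resources"
```

Keep the direction set to "in": a floating "out" rule on the resources VLAN is only reached by packets that were already passed in on VLAN 20 or the IPsec interface, so on its own it cannot replace those inbound rules.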