Netgate Discussion Forum
    Question - Routing Internet for single subnet without routing everything (including Kitchen sink)

    IPsec
    2 Posts 1 Posters 304 Views
    ForrestExplorer

      Hello everyone,
      I am trying to find an answer to this one situation I am running into and I am not quite sure how to proceed. So what I am trying to do is route a single subnet 172.16.54.0/24 which is the Guest Wifi at my mom's house. Since my father passed away mom has been having to rely on repair techs in repairing things around the house. A few times they needed to look up part numbers on the internet. So instead of giving them full access I want to have them sign on the Guest Wifi. However I don't want to give them total free reign. At my house I have a Fortigate 60F and Mom has a PFSense Router I built for her.

      So I want to take 172.16.54.0/24, route it over an IPsec tunnel to my Fortigate, and route it out to the internet, passing it through a web filter. The issue I am running into is that no matter how I try to use 0.0.0.0/0 as the remote subnet on the phase 2, it captures all the traffic on all the subnets, which virtually locks me out of the router. I have to go back in through the console and undo it so I can get back in. Tonight I accidentally locked myself out again trying to add IPsec bypass rules, which I think I can fix once Mom wakes up and is able to boot her machine. It's been frustrating, but I know it can be done because I've seen it done before: at my last company we did this for customers all the time. However, I was always on the Fortigate end, so I never got to see the PFSense end.

      I was wondering if you guys had any ideas how I can accomplish this? I appreciate any information you can throw at me. I also attached a diagram of what I am trying to accomplish.

      Guest Wifi Diagram:
      Guest_Wifi_Diagram.png

      Thank you,
      ForrestExplorer

        ForrestExplorer

        I FIGURED IT OUT!

        Here is what I had to do, before I built the phase 2.

        On the IPsec firewall rules, I created the following rules:

        • Source: MY_Network --- Destination: MOMs_Network
        • Source: MOMs_Network --- Destination: My_Network
        • Source: *(ANY) --- Destination: *(ANY) <--- Disabled
        • Source: Guest_Network --- Destination: Any
        • Source: Any --- Destination: Guest_Network

        Once that was done, I was able to create a phase 2 allowing:

        • Source: Guest Network --- Remote Network: 0.0.0.0/0

        I confirmed with Mom that her internet is still up, I can still access PFSense remotely, and the Guest Wifi is not routing through my internet.

        I just wanted to update this so if anyone else runs into the same issue, this will give them the direction to go in.

        :) ~ ForrestExplorer~

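As an added illustration (an example written for this thread, not code from either post or from pfSense), here is a small Python model of how the phase 2 local/remote selectors decide which flows get pulled into the tunnel, and why a local selector wider than the guest subnet captures everything, admin traffic included. 172.16.54.0/24 and 0.0.0.0/0 come from the posts; the 192.168.1.0/24 LAN, the 192.168.1.1 gateway and the 198.51.100.7 destination are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of policy-based IPsec phase 2 selectors, as used on pfSense.
# A flow is pulled into the tunnel when its source is inside the phase 2's local
# subnet AND its destination is inside the remote subnet.
GUEST = ip_network("172.16.54.0/24")   # guest Wi-Fi subnet from the post
ANY = ip_network("0.0.0.0/0")          # "route everything" remote selector
LAN = ip_network("192.168.1.0/24")     # assumed: Mom's main LAN (not in the post)

# Two candidate phase 2 definitions: (local_subnet, remote_subnet)
TOO_BROAD = [(ANY, ANY)]      # local selector also "any": every subnet is captured
SCOPED = [(GUEST, ANY)]       # local selector limited to the guest subnet

def matches_phase2(src, dst, selectors):
    """Return the (local, remote) selector pair covering src->dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in local and d in remote:
            return (local, remote)
    return None

def captured_flows(flows, selectors):
    """Flows (src, dst) that the given phase 2 selectors would send through the tunnel."""
    return [f for f in flows if matches_phase2(f[0], f[1], selectors) is not None]

def lockout_risk(flows, selectors):
    """True when any non-guest flow, including admin traffic, would be captured."""
    return any(ip_address(src) not in GUEST for src, _ in captured_flows(flows, selectors))

# Constructed sample flows: (source, destination)
FLOWS = [
    ("172.16.54.10", "198.51.100.7"),  # guest client -> internet (should use the tunnel)
    ("192.168.1.20", "198.51.100.7"),  # Mom's LAN -> internet (should stay on her WAN)
    ("192.168.1.20", "192.168.1.1"),   # Mom's LAN -> pfSense itself (admin access)
]

if __name__ == "__main__":
    for name, sel in (("too broad", TOO_BROAD), ("scoped", SCOPED)):
        print(name, captured_flows(FLOWS, sel), "lockout risk:", lockout_risk(FLOWS, sel))
```

The scoped definition matches only the guest flow, which is the behaviour the working phase 2 in the post (local = Guest Network, remote = 0.0.0.0/0) relies on.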
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.