Question about selective forced tunneling via IPsec connection
Hi there,
I have a requirement to selectively route Internet-bound traffic from certain hosts on the branch's LAN across a site-to-site IPsec connection to the headquarters' Internet connection. Effectively, certain hosts on the branch network should be seen by public web servers as if they came from the headquarters' Internet connection. This is required due to some IP whitelisting set by our partner's web server, which only accepts traffic coming from the headquarters' Internet connection.
Both sites use pfSense firewalls. The current site-to-site IPsec connection is policy-based (mode = tunnel IPv4). Currently there is only one P2, which references the branch and headquarters LAN networks.
I have tried adding an additional P2 to the same P1, referencing the specific IP address of the host that needs to go out to the Internet via the headquarters' Internet connection over the IPsec connection. The P2 works: it connects fine, and the host's Internet traffic does get routed correctly through the IPsec connection. However, this additional P2 affected the existing P2; all other hosts on the branch LAN lost their Internet connection as a result of adding this P2.
I think it makes sense, since the existing P2 overlaps the specific IP referenced by the 2nd P2. When multiple P2s reference network addresses that partially overlap, I guess it is reasonable to see unpredictable behaviour.
I then moved on to segmenting the branch office LAN into smaller subnets (from 1 x /24 to 4 x /26), placing the selected hosts into a separate subnet from the rest, then removed all P2s and created new P2s, each referencing a different new smaller subnet as the local network. The P2 that forces Internet traffic for the selected hosts via the IPsec connection uses 0.0.0.0/0 as the remote network; all of the rest of the P2s use the headquarters network as the remote network.
However, with the new P2s covering non-overlapping local networks, the result is still the same: the selected hosts can access the Internet via the IPsec connection using the headquarters' Internet connection, and the rest lost Internet connectivity altogether!
Can someone let me know how policy-based IPsec P2s can be used for selective forced tunneling?
I didn't mention it, but I needed to add an outbound NAT rule at the headquarters firewall for the branch office's LAN for the selected hosts to be able to browse the Internet. I guess that is irrelevant to this discussion. Also, the pfSense version is 2.7.2 at both ends.
Regards.
Johnmen
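The following is an added example, not part of the post above and not pfSense code: a small model of policy-based IPsec traffic selectors that lists which P2 entries capture a given outbound flow and flags P2 pairs whose local and remote selectors both overlap. It encodes the two layouts the post describes (one /24 P2 plus a /32 P2, then four /26 P2s with one using 0.0.0.0/0 as the remote network). All addresses are assumptions chosen for the example: branch LAN 192.168.10.0/24, headquarters LAN 10.0.0.0/24, selected host 192.168.10.50, an unselected host 192.168.10.70, and 203.0.113.10 standing in for the partner web server. Run against the second layout, the check reports no overlapping selectors and shows that the unselected hosts' Internet-bound flows are not covered by any P2, so selector overlap alone does not account for the loss of connectivity the post reports for that layout.

```python
# Added example (not from the post or from pfSense): model policy-based IPsec
# phase 2 (P2) selectors to see which P2 captures a flow and where P2s overlap.
# Addresses below are assumptions made up for the example.
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Phase2:
    name: str
    local: ipaddress.IPv4Network   # "local network" selector (branch side)
    remote: ipaddress.IPv4Network  # "remote network" selector


def p2(name: str, local: str, remote: str) -> Phase2:
    return Phase2(name, ipaddress.ip_network(local), ipaddress.ip_network(remote))


def overlapping_pairs(policies):
    """P2 pairs whose local selectors overlap AND whose remote selectors overlap.
    Both entries can then claim the same flow, which is the situation the
    /24 + /32 layout in the post produces."""
    return [
        (a.name, b.name)
        for a, b in combinations(policies, 2)
        if a.local.overlaps(b.local) and a.remote.overlaps(b.remote)
    ]


def capturing(policies, src: str, dst: str):
    """Names of every P2 whose selectors cover the outbound flow src -> dst.
    An empty list means no P2 claims the flow (it is not tunnelled);
    more than one name means the selectors are ambiguous for that flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(p.name for p in policies if s in p.local and d in p.remote)


HQ_LAN = "10.0.0.0/24"      # assumed headquarters LAN
INTERNET = "0.0.0.0/0"      # "remote network" used for forced tunneling
PARTNER = "203.0.113.10"    # constructed partner web server address (TEST-NET-3)

# Layout 1 from the post: one /24 P2 to HQ plus a /32 P2 for the selected host.
LAYOUT_1 = [
    p2("lan-to-hq", "192.168.10.0/24", HQ_LAN),
    p2("host-to-internet", "192.168.10.50/32", INTERNET),
]

# Layout 2 from the post: the /24 split into four /26s; the first /26 holds the
# selected hosts and tunnels everything, the other three only carry HQ traffic.
LAYOUT_2 = [
    p2("selected-to-internet", "192.168.10.0/26", INTERNET),
    p2("rest1-to-hq", "192.168.10.64/26", HQ_LAN),
    p2("rest2-to-hq", "192.168.10.128/26", HQ_LAN),
    p2("rest3-to-hq", "192.168.10.192/26", HQ_LAN),
]

# Representative flows: selected host and an unselected host, each to the
# partner web server and to a host on the HQ LAN.
FLOWS = [
    ("192.168.10.50", PARTNER), ("192.168.10.50", "10.0.0.5"),
    ("192.168.10.70", PARTNER), ("192.168.10.70", "10.0.0.5"),
]


def report(policies):
    """Overlapping P2 pairs plus the P2s capturing each representative flow."""
    return {
        "overlaps": overlapping_pairs(policies),
        "flows": {f"{s}->{d}": capturing(policies, s, d) for s, d in FLOWS},
    }


if __name__ == "__main__":
    for label, layout in (("layout 1", LAYOUT_1), ("layout 2", LAYOUT_2)):
        print(label, report(layout))
```

To check a real configuration, replace the two layout lists with the local/remote networks of your own P2 entries (and the flows with the hosts and destinations you care about); any flow that returns two or more names is one where the selectors are ambiguous, and any Internet-bound flow that returns an empty list is one the tunnel does not claim at all.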