Site-to-site VPN: would like to route all traffic from one device and force it across the VPN
-
I've googled around on this one, found some info, but can't seem to get this to work.
pfSense version is 2.4.4.4.
I've got an IPsec VPN between 2 sites. Site A is 192.168.0.0, site B is 172.16.1.0 (operational).
I'd like to route all packets coming from a Site A computer (192.168.0.20) across the IPsec VPN to site B.
I found a set of instructions that had me setting up a "route", but it made reference to a gateway that in my setup didn't exist.
Seems like I have to establish a "gateway" to set up a route to push all the traffic from the one IP address to the VPN. I tried doing that, but it kept telling me that the range was not in any of the defined networks. I was setting up the gateway on the Site A firewall, giving it the site B subnet.
Anyone have a method to do this bit of routing/forwarding? I am by no means an expert with pfsense but I can usually get things to work with a little help. Thanks.
Roveer
Followed some guides but can't seem to get a "Gateway" configured to complete the route
-
@roveer
I guess you have set up a policy-based IPsec.
If so, you have to configure the routing in the phase 2 (policy). So at site A add a phase 2 with
local: 192.168.0.20/32
remote: 0.0.0.0/0
and at B with swapped networks.
Move this P2 up to the top of the rule set.
At B you also have to add an outbound NAT rule on WAN for 192.168.0.20/32.
-
@viragomann said in Site-to-site VPN: would like to route all traffic from one device and force it across the VPN:
@roveer
I guess you have set up a policy-based IPsec.
If so, you have to configure the routing in the phase 2 (policy). So at site A add a phase 2 with
local: 192.168.0.20/32
remote: 0.0.0.0/0
and at B with swapped networks.
Move this P2 up to the top of the rule set.
At B you also have to add an outbound NAT rule on WAN for 192.168.0.20/32.
So I tried your steps. Worked, kind of...
It did re-route the IP .20 across the VPN. I was able to confirm using traffic graphs, a speed test and an app that required it to be on the network at Site B. So in theory it worked just as it should. BUT....
For whatever reason that I don't understand at this time, it knocked my laptop off of wifi. Neither the laptop nor the wifi equipment had a .20 address (which would have been a duplicate). Wired connections to the 192 network kept working just fine. I rechecked everything (P2's and rules) and they were all correct. As soon as I enabled the Site A P2 it would crap out the wifi; as soon as I disabled the P2 the wifi would reconnect on my laptop. Very strange.
I made sure all my settings were "network" 192.168.0.20 and /32. Is it possible that my firewall at Site A (running 2.4.4.4) doesn't support such addressing in P2's? Eventually I'll upgrade this FW to latest.
This isn't critical, just more of a science project. It did work, it just broke other stuff.
Interesting side note. I asked ChatGPT the same question as I posed here (worded differently) and it provided the exact same instructions with even more detail. Pretty amazing.
Roveer
-
@roveer said in Site-to-site VPN: would like to route all traffic from one device and force it across the VPN:
I made sure all my settings were "network" 192.168.0.20 and /32. Is it possible that my firewall at Site A (running 2.4.4.4) doesn't support such addressing in P2's? Eventually I'll upgrade this FW to latest.
Updating pfSense is a good idea anyway.
In newer versions you can select "address" in the P2 for a single address. I think that's not possible in 2.4.4, so "network" with a /32 mask would be the proper setting.
Also some devices do not accept overlapping IPsec P2 networks. But current pfSense versions do.
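A small model of what the earlier reply describes (the 192.168.0.20/32 to 0.0.0.0/0 phase 2 placed on top of the existing LAN-to-LAN entry at site A, the mirrored entries at site B, and the outbound NAT rule on B's WAN), together with the overlap check for P2 networks mentioned just above. This is an added example in Python, not pfSense or strongSwan code; it assumes both LANs are /24, uses 203.0.113.1 as a constructed placeholder for site B's WAN address, and models the configured P2 order as first match, which is what moving the /32 entry to the top is meant to achieve.

```python
# Added example (not pfSense or strongSwan code): a model of the phase-2
# selector pairs from this thread, the mirrored entries at site B, the outbound
# NAT rule at B, and an overlap check for the selector pairs.
# Assumptions: both LANs are /24; 203.0.113.1 is a placeholder for B's WAN IP.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import List, Optional, Tuple

HOST_A = "192.168.0.20/32"                 # the one site-A host to force over the tunnel
SITE_B_LAN = ip_network("172.16.1.0/24")   # assumed /24
SITE_B_WAN = ip_address("203.0.113.1")     # placeholder, not from the thread


@dataclass(frozen=True)
class Phase2:
    name: str
    local: str    # local side in CIDR; on 2.4.4 a single host is "network" with /32
    remote: str   # remote side in CIDR; 0.0.0.0/0 means every destination

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote))

    def mirrored(self) -> "Phase2":
        """The same entry as the other peer has to configure it (networks swapped)."""
        return Phase2(self.name, self.remote, self.local)


# Site A, with the /32 -> anywhere entry at the top as the reply advises.
SITE_A_P2: List[Phase2] = [
    Phase2("host-20-to-anywhere", HOST_A, "0.0.0.0/0"),
    Phase2("lan-to-lan", "192.168.0.0/24", "172.16.1.0/24"),
]
SITE_B_P2: List[Phase2] = [p.mirrored() for p in SITE_A_P2]


def select_phase2(policies: List[Phase2], src: str, dst: str) -> Optional[str]:
    """First entry, in configured order, whose selectors cover src -> dst."""
    for p in policies:
        if p.matches(src, dst):
            return p.name
    return None


def site_b_outbound(src: str, dst: str, nat_rule: bool = True) -> Tuple[str, str]:
    """What site B emits for a packet that arrived over the tunnel.

    Returns (egress interface, source address). With the outbound NAT rule for
    192.168.0.20/32 on WAN, that host's traffic leaves with B's WAN address;
    without it, it would leave with the private 192.168.0.20 source.
    """
    if ip_address(dst) in SITE_B_LAN:
        return ("LAN", src)
    if nat_rule and ip_address(src) in ip_network(HOST_A):
        return ("WAN", str(SITE_B_WAN))
    return ("WAN", src)


def trace(src: str, dst: str, nat_rule: bool = True) -> dict:
    """End to end: which site-A P2 carries the packet, and what site B emits."""
    p2 = select_phase2(SITE_A_P2, src, dst)
    if p2 is None:
        # Not covered by any P2: leaves site A's WAN directly, as before.
        return {"p2": None, "egress": "site A WAN", "src": src}
    egress, new_src = site_b_outbound(src, dst, nat_rule)
    return {"p2": p2, "egress": "site B " + egress, "src": new_src}


def overlapping_pairs(policies: List[Phase2]) -> List[Tuple[str, str]]:
    """Pairs whose local AND remote selectors overlap; some peers reject these."""
    found = []
    for p, q in combinations(policies, 2):
        if (ip_network(p.local).overlaps(ip_network(q.local))
                and ip_network(p.remote).overlaps(ip_network(q.remote))):
            found.append((p.name, q.name))
    return found


if __name__ == "__main__":
    for src, dst in [("192.168.0.20", "8.8.8.8"), ("192.168.0.20", "172.16.1.10"),
                     ("192.168.0.50", "172.16.1.10"), ("192.168.0.50", "8.8.8.8")]:
        print(f"{src} -> {dst}: {trace(src, dst)}")
    print("site B entries:", [(p.local, p.remote) for p in SITE_B_P2])
    print("overlapping P2 pairs at site A:", overlapping_pairs(SITE_A_P2))
```

The /32 entry and the LAN-to-LAN entry both cover 192.168.0.20 talking to 172.16.1.0/24, which is exactly the overlap the check reports; that is why the order of the two entries matters and why a peer that refuses overlapping P2 networks would reject this layout.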
-
@viragomann said in Site-to-site VPN: would like to route all traffic from one device and force it across the VPN:
@roveer said in Site-to-site VPN: would like to route all traffic from one device and force it across the VPN:
I made sure all my settings were "network" 192.168.0.20 and /32. Is it possible that my firewall at Site A (running 2.4.4.4) doesn't support such addressing in P2's? Eventually I'll upgrade this FW to latest.
Updating pfSense is a good idea anyway.
In newer versions you can select "address" in the P2 for a single address. I think that's not possible in 2.4.4, so "network" with a /32 mask would be the proper setting.
Also some devices do not accept overlapping IPsec P2 networks. But current pfSense versions do.
Will definitely update. I've got another exact-match hardware box, so I can easily implement newer pfSense at Site A. I noticed many of the differences between versions. Some as simple as moving the description box to a different location, others that had different pulldown options. I was starting to think that the older version wasn't limiting the forwarding to the single IP address. When I fired it up I immediately started seeing additional VPN traffic in the graph. Hopefully the latest same/same versioning will allow this to work.
I'll report back as I like to close the loop on these little projects in hope that it helps someone in the future.
Roveer