Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense/ESXi route all VM via GRE TUNNEL

    Scheduled Pinned Locked Moved General pfSense Questions
    19 Posts 3 Posters 491 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      IIMKIIVG
      last edited by

      Hello everyone!

      I was planning to route my specific ESXi VM traffic via different IP from different provider.
      Heard that it's possible to do that via GRE Tunnel, But did not found any tutorial on how to do that.

      I have purchased a low cost vps and wants to use that low-cost-vps IP for OVH ESXi VM via GRE TUNNEL.

      If anyone here has idea or any tutorial link please feel free to share or post.

      Thanks

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        You plan to run pfSense locally in front of the VM and remotely in OVH?

        You can certainly policy route traffic from an internal IP across a tunnel. As long as that tunnel can be routed, so OpenVPN, IPSec VTI mode, Wireguard, GRE etc.

        I 3 Replies Last reply Reply Quote 0
        • I
          IIMKIIVG @stephenw10
          last edited by

          @stephenw10
          Hi,

          pfsense is installed as a VM in ESXi.

          Any good nice tutorial possible?

          1 Reply Last reply Reply Quote 0
          • I
            IIMKIIVG @stephenw10
            last edited by

            @stephenw10

            Thanks,
            It was simple. I activated it as default gateway and all my VMs are getting routed via gre tunnel, That's perfect now.

            patient0P 1 Reply Last reply Reply Quote 1
            • patient0P
              patient0 @IIMKIIVG
              last edited by

              @IIMKIIVG said in pfSense/ESXi route all VM via GRE TUNNEL:

              It was simple. I activated it as default gateway and all my VMs are getting routed via gre tunnel, That's perfect now.

              Just so you are aware, a GRE tunnel is not encrypted. If you tunnel across the internet, GRE+IPSec would be a solution.

              I 1 Reply Last reply Reply Quote 0
              • I
                IIMKIIVG @patient0
                last edited by

                @patient0

                How does it affect in what manners?
                I have zero knowledge about this. if you can explain in detail then it will help me.

                Thanks

                1 Reply Last reply Reply Quote 0
                • I
                  IIMKIIVG @stephenw10
                  last edited by

                  @stephenw10

                  Hi,

                  I have got it working by setting that gre tunnel as default gateway. But the problem is all the VMs are routing via that gre tunnel.

                  I wants to route specific VM only with that gre tunnel, Is that possible?

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    Yes, you need to policy route that specific VM by using a firewall rule with just that VM IP as the source. Then set the gateway there.

                    Yes, GRE is not encrypted so anything in the route could see the traffic. That often wouldn't matter. If it's https traffic that's encrypted anyway for example.

                    I 1 Reply Last reply Reply Quote 0
                    • I
                      IIMKIIVG @stephenw10
                      last edited by

                      @stephenw10

                      I did it already and it doesn't changes the VM IP.
                      But when I set the gre tunnel as default gateway it changes all VMs IP.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Then the rule is not catching the traffic. It has to be in the LAN side ruleset before any other pass rules you might have there.

                        I 2 Replies Last reply Reply Quote 0
                        • I
                          IIMKIIVG @stephenw10
                          last edited by

                          @stephenw10

                          Yeah it's on LAN side and on top. First rule. Still doesn't changes VM IP.

                          1 Reply Last reply Reply Quote 0
                          • I
                            IIMKIIVG @stephenw10
                            last edited by

                            @stephenw10

                            alt text

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              That should certainly do it. You can see the rule has states and bytes on it.

                              How are you testing?

                              I 1 Reply Last reply Reply Quote 0
                              • I
                                IIMKIIVG @stephenw10
                                last edited by

                                @stephenw10

                                Yeah that's what I was wondering, But on my windows VM still shows default gateway IP. Not the gre tunnel ip.

                                Even restarted my VM.

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Where does it show it? How are you testing?

                                  You may need to clear any existing states. Traffic that was already passing would not be cleared.

                                  I 2 Replies Last reply Reply Quote 0
                                  • I
                                    IIMKIIVG @stephenw10
                                    last edited by

                                    @stephenw10

                                    Speedtest.net
                                    whatismyip.com
                                    whatismyipaddress.com
                                    dnsleaktest.com

                                    all shows the deafult gateway IP.
                                    All the rules are cleared except RDP one.

                                    1 Reply Last reply Reply Quote 0
                                    • I
                                      IIMKIIVG @stephenw10
                                      last edited by

                                      @stephenw10

                                      Cleared all the existing states as well.
                                      Is that firewall bug?

                                      Using version:
                                      2.7.2-RELEASE (amd64)

                                      Please let me know.

                                      1 Reply Last reply Reply Quote 0
                                      • stephenw10S
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        Do you have any floating rules?

                                        Is the OPT1_TUNNEL gateway up?

                                        Try checking Diag > States for states from 192.168.1.11.

                                        I 1 Reply Last reply Reply Quote 0
                                        • I
                                          IIMKIIVG @stephenw10
                                          last edited by

                                          @stephenw10

                                          oh my man, These silly mistakes is wasting my time.
                                          The gateway was being considered as offline, So I had to disable gateway monitoring. and it solved the problem.

                                          alt text

                                          Thank you so much

                                          1 Reply Last reply Reply Quote 1
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.