Netgate Discussion Forum

    IPSEC site-to-site: All traffic through tunnel including Internet?

    IPsec
    4 Posts 2 Posters 7.5k Views
    • valnar

      I am trying to create a site-to-site IPSEC tunnel with pfSense on one side and either a Sonicwall or Cisco IOS router on the head-end.  I've created the tunnels successfully both ways, but I can't get Internet traffic to go over the tunnel.  I don't want any user Internet traffic to originate from the pfSense WAN except the tunnel itself to the head-end VPN device.

      I can reach all internal resources just fine.  I use 0.0.0.0/0 as the tunnel definition on the pfSense side and the single class C (192.168.1.0 /24 for instance) on the head-end side pointing to the pfSense LAN.

      Whether the Cisco side is also the firewall to the Internet (hairpin), or whether I try to route internally to a different firewall, I can't get it to work right.  I'm sure I'm missing something obvious, but I can't find it.  The only thing that doesn't work is getting Internet traffic through the tunnel to the head-end.

      • jimp (Rebel Alliance Developer, Netgate)

        You may need to make sure that whatever device is actually handling the NAT before that traffic reaches the Internet is set to apply NAT to the subnet coming across IPsec.

        On pfSense, in some scenarios you need to add a manual outbound NAT rule to ensure that traffic coming from VPN clients has NAT applied before it tries to exit WAN, but I'm not sure what that might translate to on the other end if pfSense is the "client" side.


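        As an added illustration of the outbound NAT point above (not from the thread, and not configuration generated by any of the posters' devices), here is what the head-end rule looks like in pf syntax if the head end were a pfSense box; in the GUI this corresponds to a Hybrid or Manual rule under Firewall > NAT > Outbound. The interface name em0 and the 10.0.0.0/24 head-end LAN are assumptions; 192.168.1.0/24 is the remote LAN from the thread.

```pf
# Added example, not from the original post. Interface and head-end LAN are assumed.
wan_if  = "em0"
lan_net = "10.0.0.0/24"       # head-end LAN (assumed)
vpn_net = "192.168.1.0/24"    # remote pfSense LAN arriving over IPsec (from the thread)

# Incomplete: only the local LAN is translated. Packets from 192.168.1.0/24 that were
# decrypted from the tunnel and are forwarded out WAN keep their private source
# address, replies never come back, and "Internet through the tunnel" appears dead
# while internal resources still work (the symptom described in the thread).
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# Corrected: the subnet coming across IPsec is translated on its way out WAN as well.
# Traffic to internal destinations is not affected because it never exits $wan_if.
nat on $wan_if inet from $vpn_net to any -> ($wan_if)
```

        A matching pass rule on the IPsec interface is still required for the forwarded traffic; the NAT rule alone only fixes the source address.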
        • valnar

          @jimp:

          You may need to make sure that whatever device is actually handling the NAT before that traffic reaches the Internet is set to apply NAT to the subnet coming across IPsec.

          On pfSense, in some scenarios you need to add a manual outbound NAT rule to ensure that traffic coming from VPN clients has NAT applied before it tries to exit WAN, but I'm not sure what that might translate to on the other end if pfSense is the "client" side.

          The firewall on the head end has a route back through the tunnel to the remote pfSense side and it will handle NAT for any network that comes to it.  I played with the NAT settings on the pfSense box and they didn't help.  I even turned them off since I really don't need NAT at all.  Nothing gets NAT'ed to the Internet from pfSense since I want 100% of the traffic to go through the tunnel.  But still no workie.

          • valnar

            I am now trying a Sonicwall on the remote side and it's doing the same thing, so something is amuck on the head end.  The Sonicwall has a special checkbox to tunnel all traffic over the VPN, including Internet traffic.  It creates the appropriate 0.0.0.0/0.0.0.0 match over the VPN so everything is definitely going over it, but I'm not getting any Internet (only internal) connectivity.  At this point, I don't believe it was a pfSense issue.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.