<![CDATA[Packets to remote subnet not going through IPsec]]>Hi everyone,

no sure if this topic belongs here or in the routing section, I'll just start here.

We have a problem with the network setup described in the attached network plan. The Firewalls in the picture are pfSense 1.2.3.

We would like to make HTTP accesses to the VOIP phones in the VOIP subnet (192.168.105.0/24) behind the left firewall from the LAN (192.168.120.0/24) behind the right firewall.
There's an IPsec connection between the two firewalls, tunneling 192.168.100.0/21 and 192.168.120.0/21.

The problem is that connections to a 192.168.105.x IP go out through the default route instead of going through the IPsec tunnel. Packets to the remote LAN (192.168.100.0/24) and the remote DMZ (not shown in the pic, 192.168.101.0/24) on the other hand happily travel through the tunnel.

I'd be grateful if someone here could enlighten me about the reason for this.

Cheers,

Chris
voip-problem.png
voip-problem.png_thumb

]]>https://forum.netgate.com/topic/25409/packets-to-remote-subnet-not-going-through-ipsecRSS for NodeMon, 15 Jun 2026 11:59:37 GMTFri, 30 Jul 2010 12:25:16 GMT60<![CDATA[Reply to Packets to remote subnet not going through IPsec on Fri, 30 Jul 2010 14:18:00 GMT]]>Gah, thanks for the clue-bat!

]]>https://forum.netgate.com/post/241465https://forum.netgate.com/post/241465Fri, 30 Jul 2010 14:18:00 GMT<![CDATA[Reply to Packets to remote subnet not going through IPsec on Fri, 30 Jul 2010 14:06:12 GMT]]>But it doesn't. :-)

192.168.100.0/21 really is 192.168.96.0 - 192.168.103.255.

Run it through a subnet calculator and you'll see, it doesn't add up the way you think it does.

]]>https://forum.netgate.com/post/241464https://forum.netgate.com/post/241464Fri, 30 Jul 2010 14:06:12 GMT<![CDATA[Reply to Packets to remote subnet not going through IPsec on Fri, 30 Jul 2010 13:59:43 GMT]]>That's a good idea, I'll definately try that. However, since the subnet masks for the tunnel match all involved subnets this shouldn't be necessary, right?

]]>https://forum.netgate.com/post/241461https://forum.netgate.com/post/241461Fri, 30 Jul 2010 13:59:43 GMT<![CDATA[Reply to Packets to remote subnet not going through IPsec on Fri, 30 Jul 2010 13:53:38 GMT]]>You'll probably need a second IPsec tunnel then that will match the VOIP subnet on the left side.

In 2.0 you can have multiple subnets for each tunnel; In 1.2.3 you need two separate tunnels.

]]>https://forum.netgate.com/post/241459https://forum.netgate.com/post/241459Fri, 30 Jul 2010 13:53:38 GMT<![CDATA[Reply to Packets to remote subnet not going through IPsec on Fri, 30 Jul 2010 13:51:15 GMT]]>No multi-WAN and no gateway in any pf rule.

]]>https://forum.netgate.com/post/241456https://forum.netgate.com/post/241456Fri, 30 Jul 2010 13:51:15 GMT<![CDATA[Reply to Packets to remote subnet not going through IPsec on Fri, 30 Jul 2010 13:38:23 GMT]]>Do you have multi-WAN or a gateway set on the rule for the VOIP phones on the LAN side of that firewall?

A gateway in a pf rule can make traffic bypass the usual ways that traffic should pass, though I don't recall if that applies to IPsec offhand. IPsec usually grabs what it wants as long as the subnet matches.

]]>https://forum.netgate.com/post/241453https://forum.netgate.com/post/241453Fri, 30 Jul 2010 13:38:23 GMT