Packets to remote subnet not going through IPsec



  • Hi everyone,

    no sure if this topic belongs here or in the routing section, I'll just start here.

    We have a problem with the network setup described in the attached network plan. The Firewalls in the picture are pfSense 1.2.3.

    We would like to make HTTP accesses to the VOIP phones in the VOIP subnet (192.168.105.0/24) behind the left firewall from the LAN (192.168.120.0/24) behind the right firewall.
    There's an IPsec connection between the two firewalls, tunneling 192.168.100.0/21 and 192.168.120.0/21.

    The problem is that connections to a 192.168.105.x IP go out through the default route instead of going through the IPsec tunnel. Packets to the remote LAN (192.168.100.0/24) and the remote DMZ (not shown in the pic, 192.168.101.0/24) on the other hand happily travel through the tunnel.

    I'd be grateful if someone here could enlighten me about the reason for this.

    Cheers,

    Chris


  • Rebel Alliance Developer Netgate

    Do you have multi-WAN or a gateway set on the rule for the VOIP phones on the LAN side of that firewall?

    A gateway in a pf rule can make traffic bypass the usual ways that traffic should pass, though I don't recall if that applies to IPsec offhand. IPsec usually grabs what it wants as long as the subnet matches.



  • No multi-WAN and no gateway in any pf rule.


  • Rebel Alliance Developer Netgate

    You'll probably need a second IPsec tunnel then that will match the VOIP subnet on the left side.

    In 2.0 you can have multiple subnets for each tunnel; In 1.2.3 you need two separate tunnels.



  • That's a good idea, I'll definately try that. However, since the subnet masks for the tunnel match all involved subnets this shouldn't be necessary, right?


  • Rebel Alliance Developer Netgate

    But it doesn't. :-)

    192.168.100.0/21 really is 192.168.96.0 - 192.168.103.255.

    Run it through a subnet calculator and you'll see, it doesn't add up the way you think it does.



  • Gah, thanks for the clue-bat!


Log in to reply