    How to handle IPsec with Dual WAN?

    Routing and Multi WAN
andy:

      I have 2 WAN connections: DSL and Cable.  I have an IPsec VPN setup on the DSL WAN (primary WAN interface) for 10.0.0.0/16.

      I can't figure out how to route all traffic to 10.0.0.0/16 from my LAN 192.168.100.0/24 over the VPN.  I tried adding a LAN firewall rule forcing all traffic for the 10-net to my WAN IP gateway, but this doesn't work.

      If I try to ping a host on the remote network, my state table shows it going out my internet interface:

      icmp    192.168.100.11:18245 -> <DSL public IP>:23317 -> 10.0.0.1    0:0

hoba:

        You have to use gateway default instead of the interface IP of your WAN. In your case you route the traffic directly to the upstream gateway, so IPsec doesn't even see it and the traffic doesn't get encapsulated.

andy:
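The symptom hoba describes is visible in the state table line andy posted: a LAN source, then a translated WAN address, then the remote host. A state that really entered the IPsec tunnel has no NAT hop, because outbound NAT is skipped for traffic matched by the phase 2 policy. The following script is an added example, not code from the thread or from pfSense; it parses state lines in the three-column `src -> nat -> dst` form the post shows (the format is assumed from that one line, IPv4 only) and flags LAN-to-remote-subnet states that were NATed out a WAN instead of being encapsulated. The sample states are constructed, with 203.0.113.10 standing in for the redacted DSL public IP.

```python
"""Detect LAN -> IPsec-remote traffic that escaped the tunnel via WAN NAT.

Added example, not from the forum thread or pfSense. Assumes the state line
layout seen in the post (Diagnostics > States style):
    proto  src:port -> [nat_src:port ->] dst[:port]  state
The middle address is present only when the state was translated by
outbound NAT, which does not happen for traffic entering an IPsec tunnel.
"""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.100.0/24")      # from the post
IPSEC_REMOTE_NET = ipaddress.ip_network("10.0.0.0/16")   # phase 2 remote subnet

# Constructed sample states. Line 1 mirrors the poster's state with a
# documentation address for the DSL public IP; the rest are made up.
SAMPLE_STATES = """\
icmp  192.168.100.11:18245 -> 203.0.113.10:23317 -> 10.0.0.1  0:0
tcp   192.168.100.20:51234 -> 10.0.0.5:22  ESTABLISHED:ESTABLISHED
tcp   192.168.100.20:51300 -> 203.0.113.10:61000 -> 93.184.216.34:443  ESTABLISHED:ESTABLISHED
udp   203.0.113.10:500 -> 198.51.100.7:500  MULTIPLE:MULTIPLE
"""


def _endpoint(token):
    """'a.b.c.d:port' -> (ip, port); bare 'a.b.c.d' -> (ip, None). IPv4 only."""
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return ipaddress.ip_address(host), int(port)
    return ipaddress.ip_address(token), None


def parse_state(line):
    """Parse one state line into proto, src, nat (None if untranslated), dst, state."""
    fields = line.split()
    if len(fields) < 4:
        return None
    proto, state = fields[0], fields[-1]
    hops = [h.strip() for h in " ".join(fields[1:-1]).split("->")]
    if len(hops) == 2:
        src, dst = hops
        nat = None
    elif len(hops) == 3:
        src, nat, dst = hops
    else:
        return None
    try:
        return {
            "proto": proto,
            "src": _endpoint(src)[0],
            "nat": _endpoint(nat)[0] if nat else None,
            "dst": _endpoint(dst)[0],
            "state": state,
        }
    except ValueError:  # not an IPv4 endpoint we understand
        return None


def classify(st):
    """'leaked'  : LAN -> remote subnet but NATed, i.e. sent out a WAN in clear.
       'tunnel'  : LAN -> remote subnet with no NAT hop, as expected for IPsec.
       'internet': LAN -> elsewhere, NATed normally.
       'other'   : anything else (firewall's own traffic, IKE, etc.)."""
    if st["src"] not in LAN_NET:
        return "other"
    if st["dst"] in IPSEC_REMOTE_NET:
        return "leaked" if st["nat"] is not None else "tunnel"
    return "internet" if st["nat"] is not None else "other"


def leaked_states(states_text):
    """Return (src, dst, nat_ip) for every state that bypassed the tunnel."""
    leaks = []
    for line in states_text.splitlines():
        st = parse_state(line)
        if st is not None and classify(st) == "leaked":
            leaks.append((str(st["src"]), str(st["dst"]), str(st["nat"])))
    return leaks


if __name__ == "__main__":
    for src, dst, nat in leaked_states(SAMPLE_STATES):
        print(f"NOT TUNNELED: {src} -> {dst} left via WAN address {nat}")
```

On a live box the same check can be fed the output of the States page or `pfctl -ss` (whose NAT notation differs slightly and would need the parser adjusted); any "leaked" hit means a policy-routing rule or missing phase 2 entry is steering the traffic past IPsec.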

          Thanks, that makes sense.  I'm still unable to ping the remote network.

          Should I be able to ping the remote network from the pfSense shell?  I'm not clear on how routing is handled from the local pfSense box.

          One interesting thing, if I try a traceroute to the remote network from my LAN, I get this:

          traceroute to 10.0.0.1 (10.0.0.1), 64 hops max, 40 byte packets
           1  pfsense (192.168.100.1)  1.975 ms  1.560 ms  1.506 ms
           2  pfsense (192.168.100.1)  104.110 ms  107.204 ms  106.243 ms
           3  * * *

          I think this means it's reaching the other side of the tunnel at least.

hoba:

            You need to use the LAN IP as source if you try to ping through the tunnel from the pfSense itself. Try from a client behind the pfSense, or use the LAN IP as source. In the webGUI, for example, use interface LAN at Diagnostics > Ping. The other option is to add a static route to the remote subnet via gateway LAN IP of the local pfSense.
