4. IPSEC forward to LAN

IPSEC forward to LAN

  • T

    Is there anything fundamentally wrong with running IPSEC on the LAN interface and port forwarding from WAN and WAN2 (I have 2 wan connections).  I want to do this rather than run on the WAN interface as I want the tunnel to be available to users whether they use WAN or WAN2.  Other than making the settings a little more complicated, are there security implications that I should be worried about?

    0
  • Rebel Alliance Developer Netgate

    There shouldn't be anything to worry about, security-wise, doing it that way. You might have some issues with IPsec+NAT in that way, but it may be OK. I suspect that if it works at all it may be fine.

    0
  • T

    After more investigation, it does indeed work properly doing what I suggested above.

    I also noticed in the newer builds that when raccoon is started it binds to all interfaces current IP addresses.  If I understand correctly, whatever interface that is set in the phase 1 setup, hidden firewall rules are automatically added to allow ports 500/4500 UDP for that interface.  So what I did was set WAN 1 in the phase 1 setup and then on WAN2 I manually opened 500/4500 UDP.  This also works.  What I would like to know is what is the "best" way to do this from a security and not getting broken on upgrades perspective.

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy