Netgate Discussion Forum

    IPSEC forward to LAN

    IPsec
    3 Posts 2 Posters 2.1k Views
    • tempus6

      Is there anything fundamentally wrong with running IPsec on the LAN interface and port forwarding from WAN and WAN2 (I have 2 WAN connections)? I want to do this rather than run on the WAN interface as I want the tunnel to be available to users whether they use WAN or WAN2. Other than making the settings a little more complicated, are there security implications that I should be worried about?

      • jimp (Rebel Alliance Developer, Netgate)

        There shouldn't be anything to worry about, security-wise, doing it that way. You might have some issues with IPsec+NAT in that way, but it may be OK. I suspect that if it works at all it may be fine.

        • tempus6

          After more investigation, it does indeed work properly doing what I suggested above.

          I also noticed in the newer builds that when racoon is started it binds to all interfaces' current IP addresses. If I understand correctly, whichever interface is set in the phase 1 setup, hidden firewall rules are automatically added to allow ports 500/4500 UDP on that interface. So what I did was set WAN 1 in the phase 1 setup and then on WAN2 I manually opened 500/4500 UDP. This also works. What I would like to know is what the "best" way to do this is, from a security perspective and in terms of not getting broken on upgrades.

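The post above relies on two kinds of rules coexisting: the hidden rules pfSense generates for UDP 500/4500 on the phase 1 interface, and a manually added rule on the second WAN. The thing to verify after an upgrade is that both interfaces still carry a pass rule for both ports. The script below is an added example, not code from the thread or from pfSense: it reads pf ruleset text in the style of `pfctl -sr` output and reports, per interface, whether a pass rule for UDP 500 and 4500 exists. The interface names em0/em1 and the sample rule lines are constructed for illustration and only approximate real `pfctl -sr` output; run it against the live ruleset as shown in the usage comment.

```shell
#!/bin/sh
# check_ipsec_rules.sh - added example, not from the forum post or pfSense.
# Audit that every listed WAN interface has a pf "pass" rule for UDP 500
# (ISAKMP) and UDP 4500 (NAT-T). Input is pf rule text, one rule per line,
# in the style of `pfctl -sr`. The rules below are a CONSTRUCTED sample:
# em0 has both auto-generated rules, em1 has only a manual rule for 500.
SAMPLE_RULES='pass in quick on em0 inet proto udp from any to (em0) port = 500 keep state label "IPsec: WAN"
pass in quick on em0 inet proto udp from any to (em0) port = 4500 keep state label "IPsec: WAN"
pass in quick on em1 inet proto udp from any to (em1) port = isakmp keep state label "USER_RULE: IPsec on WAN2"
block drop in log quick on em1 inet proto udp from any to any port = 4500'

# pfctl may print a service name instead of a number; normalise to a number.
port_num() {
  case "$1" in
    isakmp) echo 500 ;;
    ipsec-nat-t) echo 4500 ;;
    *) echo "$1" ;;
  esac
}

# has_pass_rule IFACE PORT: read rules on stdin, succeed if an inbound
# "pass" rule for UDP PORT on IFACE is present.
has_pass_rule() {
  iface=$1
  want=$2
  while IFS= read -r line; do
    case "$line" in
      "pass in"*" on $iface "*"proto udp"*"port = "*) ;;
      *) continue ;;
    esac
    p=${line##*port = }   # text after the last "port = "
    p=${p%% *}            # first token of it: the port number or name
    [ "$(port_num "$p")" = "$want" ] && return 0
  done
  return 1
}

# check_ifaces "em0 em1" RULES: print one line per interface/port pair and
# return the number of missing pairs (0 means every WAN is covered).
check_ifaces() {
  ifaces=$1
  rules=$2
  missing=0
  for i in $ifaces; do
    for port in 500 4500; do
      if printf '%s\n' "$rules" | has_pass_rule "$i" "$port"; then
        echo "ok      $i udp/$port"
      else
        echo "MISSING $i udp/$port"
        missing=$((missing + 1))
      fi
    done
  done
  return $missing
}

# Usage on a pfSense box (interface names are an assumption; substitute yours):
#   pfctl -sr | { rules=$(cat); check_ifaces "em0 em1" "$rules"; }
check_ifaces "em0 em1" "$SAMPLE_RULES" || echo "$? interface/port pair(s) missing"
```

On the constructed sample the report flags em1 udp/4500 as missing, which is exactly the gap a manual rule for only one port, or a manual rule dropped by an upgrade, would produce. Re-run it after every pfSense upgrade, since the hidden rules follow the phase 1 interface while the manual rule has to survive on its own.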
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.