IPSEC forward to LAN

  • Is there anything fundamentally wrong with running IPSEC on the LAN interface and port forwarding from WAN and WAN2 (I have 2 wan connections).  I want to do this rather than run on the WAN interface as I want the tunnel to be available to users whether they use WAN or WAN2.  Other than making the settings a little more complicated, are there security implications that I should be worried about?

  • Rebel Alliance Developer Netgate

    There shouldn't be anything to worry about, security-wise, doing it that way. You might have some issues with IPsec+NAT in that way, but it may be OK. I suspect that if it works at all it may be fine.

  • After more investigation, it does indeed work properly doing what I suggested above.

    I also noticed in the newer builds that when racoon is started it binds to all interfaces' current IP addresses. If I understand correctly, for whatever interface is set in the phase 1 setup, hidden firewall rules are automatically added to allow ports 500/4500 UDP on that interface. So what I did was set WAN 1 in the phase 1 setup and then on WAN2 I manually opened 500/4500 UDP. This also works. What I would like to know is what is the "best" way to do this from a security and not-getting-broken-on-upgrades perspective.

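The setup above relies on pass rules for UDP 500 (isakmp) and 4500 (ipsec-nat-t) existing on both WAN interfaces, and the ones added by hand are exactly what an upgrade can silently drop. The following is an added example, not from this thread or from pfSense, that checks a pf ruleset for those rules per interface; the interface names `em0`/`em1` and the ruleset text are constructed placeholders, and on a real box you would pass it the output of `pfctl -sr` instead.

```shell
# Constructed sample of pf ruleset lines for illustration only (not real pfctl output).
# em0 stands in for WAN1 (hidden rules present), em1 for WAN2 (4500 missing).
SAMPLE_RULES='pass in quick on em0 inet proto udp from any to any port = isakmp keep state label "IPsec: WAN1 hidden"
pass in quick on em0 inet proto udp from any to any port = ipsec-nat-t keep state label "IPsec: WAN1 hidden"
pass in quick on em1 inet proto udp from any to any port = 500 keep state label "manual WAN2"
block drop in on em1 inet proto udp from any to any port = 4500'

# ipsec_ports_open IFACE RULES
# Prints "ok" and returns 0 when IFACE has a pass rule for both UDP 500 and 4500,
# otherwise prints the missing port(s) and returns 1. Accepts both the numeric
# port and the service-name form pfctl prints when the port is in /etc/services.
ipsec_ports_open() {
  iface=$1
  rules=$2
  missing=""
  for port in 500 4500; do
    case $port in
      500)  alt=isakmp ;;
      4500) alt=ipsec-nat-t ;;
    esac
    if ! printf '%s\n' "$rules" |
         grep -E "^pass in .* on $iface .*proto udp .*port = ($port|$alt)( |$)" >/dev/null; then
      missing="$missing $port"
    fi
  done
  if [ -z "$missing" ]; then
    echo ok
    return 0
  fi
  echo "missing udp$missing on $iface"
  return 1
}

# Usage on a live system would be: ipsec_ports_open em1 "$(pfctl -sr)"
ipsec_ports_open em0 "$SAMPLE_RULES"
ipsec_ports_open em1 "$SAMPLE_RULES"
```

Running it after each upgrade, once per WAN interface, shows immediately whether the manually added WAN2 rules survived.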