Netgate Discussion Forum
    Routing through VPN tunnel

    IPsec
    8 Posts 3 Posters 3.7k Views
    • Sup3rior

      Not sure if this is the right place or if it belongs in the VPN sub-forum….

      Have a setup that consists of several pfSense boxes that all connect to a couple of centrally placed pfSense boxes. Routing between branches and main site works like it should, but I would like to be able to route traffic from a couple of the branches to all the other branches. Since I don't want to add tunnels between all branches I want it to go through the main site.

      Looking at the options I have in System>Routing I don't see any way of achieving this. Adding a route on the "Routes" tab, I need to specify a gateway, but when adding a gateway on the "Gateways" tab I cannot specify VPN as the interface where the traffic goes. Only LAN and WAN are available, and since the subnet is not available on either of these interfaces I cannot add it (which of course makes sense).

      So, any suggestions on how to get this working?

      Regards,
      Anders

      • cmb

        what type of VPN?

        • Sup3rior

          IPsec…

          • cmb

            Then you just add additional phase 2 entries matching the appropriate local and remote subnets on every IPsec connection. An additional one at each branch for each other branch, and the same at the main end.

            • Sup3rior

              @cmb:

              Then you just add additional phase 2 entries matching the appropriate local and remote subnets on every IPsec connection. An additional one at each branch for each other branch, and the same at the main end.

              Just to be sure, I'm listing your suggestion here as I perceive it:

              Main site: 192.168.1.0/24
              Branch A: 192.168.2.0/24
              Branch B: 192.168.3.0/24
              Branch C: 192.168.4.0/24

              So I would just add additional Phase 2 entries on the tunnel between branch A and Main site that contain the IP addresses of branch B and C?

              Wouldn't that cause routing problems at the main site as it now has 2 route entries for branch B and C?

              Regards,
              Anders

              • cmb

                Then branch A would have 3 phase 2 entries:

                Remote 192.168.1.0/24
                Remote 192.168.3.0/24
                Remote 192.168.4.0/24

                all with local 192.168.2.0/24. Duplicate the same (changing subnets accordingly) at the other locations.

                Or just make the first P2 have a 192.168.0.0/16 everywhere and you can do it with a single P2.

                @Sup3rior:

                Wouldn't that cause routing problems at the main site as it now has 2 route entries for branch B and C?

                No, it still has just one entry to that remote network. The others are local on that end, remote to the branch ends.

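A worked check of the two layouts cmb describes above (one phase 2 per other site, or a single summary phase 2), added here as an example; it is not code from the thread or from pfSense. The sites and subnets are the ones Anders listed; the function and variable names are assumptions. It builds the local/remote selector table for every tunnel end and then verifies that a branch-to-branch packet is matched at all four ends it crosses, which is exactly why the main site ends up with one "remote" entry per branch and the rest appear as "local".

```python
from ipaddress import ip_address, ip_network

# Constructed topology taken from the thread: one hub ("main") with a tunnel to each spoke.
HUB_NET = ip_network("192.168.1.0/24")
SPOKES = {
    "A": ip_network("192.168.2.0/24"),
    "B": ip_network("192.168.3.0/24"),
    "C": ip_network("192.168.4.0/24"),
}

def phase2_entries(spokes, hub_net, summary=None):
    """Build the (local, remote) phase 2 selectors each tunnel end needs.

    Keys: the spoke name for the spoke end, ("main", spoke) for the hub end of
    the same tunnel. Without `summary` every spoke gets one P2 per other site;
    with `summary` (e.g. 192.168.0.0/16) a single P2 covers them all.
    """
    table = {}
    for name, net in spokes.items():
        remotes = [summary] if summary else (
            [hub_net] + [n for other, n in spokes.items() if other != name])
        table[name] = [(net, r) for r in remotes]
        # Mirror image at the hub: what is "remote" for the spoke is "local" there.
        table[("main", name)] = [(r, net) for r in remotes]
    return table

def selector_for(entries, src, dst):
    """First (local, remote) selector covering src -> dst, or None if no P2 matches."""
    return next(((loc, rem) for loc, rem in entries if src in loc and dst in rem), None)

def site_of(spokes, ip):
    return next((name for name, net in spokes.items() if ip in net), None)

def spoke_to_spoke_ok(table, spokes, src_ip, dst_ip):
    """True if src_ip -> dst_ip is matched by a P2 at all four tunnel ends it crosses:
    source spoke egress, hub ingress, hub egress, destination spoke ingress."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    a, b = site_of(spokes, src), site_of(spokes, dst)
    if a is None or b is None or a == b:
        return False
    hops = [
        (table[a], src, dst),            # spoke a: src net is local, dst net remote
        (table[("main", a)], dst, src),  # hub, tunnel to a: dst net is "local" here
        (table[("main", b)], src, dst),  # hub, tunnel to b: src net is "local" here
        (table[b], dst, src),            # spoke b: dst net is local, src net remote
    ]
    return all(selector_for(e, s, d) is not None for e, s, d in hops)
```

Running the check against the original hub-only table (each branch with just a P2 to 192.168.1.0/24) returns False, which is the situation in the first post.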
                • rainabba

                  @Sup3rior:

                  @cmb:

                  Then you just add additional phase 2 entries matching the appropriate local and remote subnets on every IPsec connection. An additional one at each branch for each other branch, and the same at the main end.

                  Just to be sure, I'm listing your suggestion here as I perceive it:

                  Main site: 192.168.1.0/24
                  Branch A: 192.168.2.0/24
                  Branch B: 192.168.3.0/24
                  Branch C: 192.168.4.0/24

                  So I would just add additional Phase 2 entries on the tunnel between branch A and Main site that contain the IP addresses of branch B and C?

                  Wouldn't that cause routing problems at the main site as it now has 2 route entries for branch B and C?

                  Regards,
                  Anders

                  Did you get this working? A couple others (myself included) are trying the same and having various problems. I can't get the additional Phase2 to come up. I posted at http://forum.pfsense.org/index.php/topic,48952.0.html.

                  • Sup3rior

                    Sorry for the delayed answer, need to remember to enable notify on threads I participate in…

                    But no, unfortunately I didn't get this to work, but I haven't spent much time on it either...

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.