Routing internet through IPSEC Tunnel

  • Hello!!

    I have a site-to-site IPsec tunnel established with pfSense at both ends. The tunnel works just fine. There is an additional requirement to route the internet traffic through that tunnel so that users on site A are able to use the internet at site B. Is this possible?

  • Yes. Use remote/local

  • As per my understanding I should add another phase 2 with remote and local network as or should I modify the existing phase 2 entry?

  • Modify the existing.

  • I tried doing that and I lost the remote site. I now need this urgently :( Guys, step up.

  • Rebel Alliance Developer Netgate

    You need the Phase 2 to look like:

    Site A:
    Local: Site A LAN

    Site B:
    Remote: Site A LAN

  • Sorry for my bad English.

    I have the same problem.
    But I can't reach the internet from site B. All configuration was done as you said, but nothing worked.
    pfSense 2.0.1
    What else can I check?

  • Rebel Alliance Developer Netgate

    Make sure your outbound NAT rules at Site B are configured to perform NAT for site A's subnet, and also make sure the IPsec firewall rules will pass to a destination of 'any'…

  • How did you get on with this? Does it actually work?

  • Yes it works, just have to configure it as described.

  • Just a little question. What config do you put in the NAT section, out of interest? Manual NAT? Or can it just be automatic? Sorry, I know it's a dumb question. I must admit I wouldn't have thought of doing this.

  • JIMP or CMB, please could you answer my question about outbound NAT above?

  • Rebel Alliance Developer Netgate

    Manual Outbound NAT, with a rule like what I described before. Just copy the rule(s) that do your LAN subnet and fix them so they cover your IPsec remote subnet also.
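The three things the Netgate developer lists above (a Phase 2 that claims all traffic at Site A and mirrors it at Site B, an IPsec-tab rule at Site B that passes traffic to any destination, and a manual outbound NAT rule at Site B that covers Site A's subnet) are easy to get one of wrong and then see only "no internet". The following is an added example, not code from the thread or from pfSense itself: a small Python model that walks one packet from a Site A host to an internet address through those checks in order and reports the first stage that fails. The subnets, the WAN address and the use of 0.0.0.0/0 for "any" are assumptions I constructed for the example; pfSense's first-match behaviour for interface rules and outbound NAT is modelled, not its actual configuration parser.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

ANY = "0.0.0.0/0"  # assumption: 'any' expressed as the default route

# Constructed addresses (documentation ranges), not values from the thread.
SITE_A_LAN = "192.168.1.0/24"
SITE_B_LAN = "192.168.2.0/24"
SITE_B_WAN_IP = "203.0.113.10"


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry: the local/remote subnets its SA may carry."""
    local: str
    remote: str

    def carries(self, local_host: str, remote_host: str) -> bool:
        return (ip_address(local_host) in ip_network(self.local)
                and ip_address(remote_host) in ip_network(self.remote))


@dataclass(frozen=True)
class FirewallRule:
    """A rule on Site B's IPsec interface tab; first match wins, default deny."""
    action: str        # "pass" or "block"
    source: str
    destination: str


@dataclass(frozen=True)
class OutboundNatRule:
    """Manual outbound NAT: traffic from `source` leaving `interface` becomes `nat_address`."""
    interface: str
    source: str
    nat_address: str


@dataclass(frozen=True)
class Verdict:
    ok: bool
    stage: str
    detail: str


def trace(src: str, dst: str, *, site_a_phase2: List[Phase2], site_b_phase2: List[Phase2],
          site_b_ipsec_rules: List[FirewallRule], site_b_outbound_nat: List[OutboundNatRule]) -> Verdict:
    """Follow one packet from a Site A host to an internet host; stop at the first failing stage."""
    # Stage 1: Site A only sends the flow into the tunnel if a Phase 2 selector claims it.
    if not any(p2.carries(src, dst) for p2 in site_a_phase2):
        return Verdict(False, "site_a_phase2",
                       f"no Phase 2 at Site A has local covering {src} and remote covering {dst}")
    # Stage 2: Site B's Phase 2 must be the mirror image (local/remote swapped) or the SA never comes up.
    if not any(p2.carries(dst, src) for p2 in site_b_phase2):
        return Verdict(False, "site_b_phase2",
                       f"no Phase 2 at Site B has local covering {dst} and remote covering {src}")
    # Stage 3: the IPsec tab rules at Site B must pass the packet on to its internet destination.
    for rule in site_b_ipsec_rules:
        if ip_address(src) in ip_network(rule.source) and ip_address(dst) in ip_network(rule.destination):
            if rule.action != "pass":
                return Verdict(False, "site_b_ipsec_rules", f"first matching IPsec rule is '{rule.action}'")
            break
    else:
        return Verdict(False, "site_b_ipsec_rules", "no IPsec rule matches; default deny")
    # Stage 4: outbound NAT on Site B's WAN must cover Site A's subnet, not only Site B's own LAN.
    for nat in site_b_outbound_nat:
        if nat.interface == "wan" and ip_address(src) in ip_network(nat.source):
            return Verdict(True, "done", f"{src} leaves Site B as {nat.nat_address}")
    return Verdict(False, "site_b_outbound_nat",
                   f"no outbound NAT rule on wan covers {src}; it would leave with a private source address")


# The configuration the thread arrives at: catch-all Phase 2 plus NAT for Site A at Site B.
WORKING = dict(
    site_a_phase2=[Phase2(local=SITE_A_LAN, remote=ANY)],
    site_b_phase2=[Phase2(local=ANY, remote=SITE_A_LAN)],
    site_b_ipsec_rules=[FirewallRule("pass", SITE_A_LAN, ANY)],
    site_b_outbound_nat=[OutboundNatRule("wan", SITE_B_LAN, SITE_B_WAN_IP),
                         OutboundNatRule("wan", SITE_A_LAN, SITE_B_WAN_IP)],
)
# Phase 2 and rules done, but outbound NAT still covers only Site B's own LAN.
MISSING_NAT = dict(WORKING, site_b_outbound_nat=[OutboundNatRule("wan", SITE_B_LAN, SITE_B_WAN_IP)])
# The original LAN-to-LAN Phase 2: internet-bound traffic never enters the tunnel.
LAN_TO_LAN_ONLY = dict(WORKING,
                       site_a_phase2=[Phase2(local=SITE_A_LAN, remote=SITE_B_LAN)],
                       site_b_phase2=[Phase2(local=SITE_B_LAN, remote=SITE_A_LAN)])

if __name__ == "__main__":
    for name, cfg in [("working", WORKING), ("missing_nat", MISSING_NAT), ("lan_to_lan", LAN_TO_LAN_ONLY)]:
        print(name, trace("192.168.1.20", "198.51.100.50", **cfg))
```

Running it shows the working configuration passing all four stages, the missing-NAT variant stopping at `site_b_outbound_nat` (the symptom the 2.0.1 poster describes), and the untouched LAN-to-LAN Phase 2 stopping at `site_a_phase2`. The stage names map directly onto where to look in the GUI: VPN > IPsec Phase 2 at each site, Firewall > Rules > IPsec at Site B, and Firewall > NAT > Outbound at Site B.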

  • Hi, this is just what I was looking for, and it works like a charm. THANK YOU!

    Now for a follow-up question: I have a webserver in site B that used to be available on its (public, external) IP address thanks to NAT reflection. Now that outbound NAT rule generation is no longer done automatically, that server is no longer available from within sites A and B. From outside it still works fine.

    We have 6 public IPs in a row and this webserver is not on pfSense's public IP address but on one of the others.

    I take it I must tell pfSense somewhere that that server must be reachable from inside the LANs, but where and how?

    Ok I found the solution: under Firewall > NAT > Port Forward, for every port forward rule I had to set NAT reflection to Enable (Pure NAT). Also under System > Advanced I ticked Enable NAT Reflection for 1:1 NAT and Enable automatic NAT for Reflection. I think using all three options might be redundant but it works.
