Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Routing internet through IPSEC Tunnel

    Scheduled Pinned Locked Moved IPsec
    14 Posts 6 Posters 8.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      asifrajan
      last edited by

      Hello!!

      I have a site to site IP Sec tunnel established with PFSense at both ends. The tunnel works just fine. There is an additional requirement to route the internet traffic through that tunnel so that users on site A are able to use the internet at site B. Is this possible?

      1 Reply Last reply Reply Quote 0
      • C
        cmb
        last edited by

        Yes. Use remote/local 0.0.0.0/0

        1 Reply Last reply Reply Quote 0
        • A
          asifrajan
          last edited by

          As per my understanding I should add another phase 2 with remote and local network as 0.0.0.0/0? or should I modify the existing phase 2 entry?

          1 Reply Last reply Reply Quote 0
          • C
            cmb
            last edited by

            modify the existing.

            1 Reply Last reply Reply Quote 0
            • A
              asifrajan
              last edited by

              I tried doing that and I lost the remote site. I now need this urgent :( guys step up

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                You need the Phase 2 to look like:

                Site A:
                Local: Site A LAN
                Remote: 0.0.0.0/0

                Site B:
                Local: 0.0.0.0/0
                Remote: Site A LAN

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • T
                  tomas1list.ru
                  last edited by

                  Sorry for bad english.

                  A have same problem.
                  But i cant reach internet from site B. All configurations made like you say - but nothing worked.
                  pfsense 2.0.1
                  What else can i check?

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Make sure your outbound NAT rules at Site B are configured to perform NAT for site A's subnet, and also make sure the IPsec firewall rules will pass to a destination of 'any'โ€ฆ

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • C
                      craigduff
                      last edited by

                      How did you get on with this? Does it actually work?

                      Kind Regards,
                      Craig

                      1 Reply Last reply Reply Quote 0
                      • C
                        cmb
                        last edited by

                        Yes it works, just have to configure it as described.

                        1 Reply Last reply Reply Quote 0
                        • C
                          craigduff
                          last edited by

                          Just a little question. What config do you put in the Nat section out of interest? Manual Nat? Or can it just be automatic ? Sorry I know dumb question. I must admit I wouldn't of thought of doing this.

                          Kind Regards,
                          Craig

                          1 Reply Last reply Reply Quote 0
                          • C
                            craigduff
                            last edited by

                            JIMP or CMB, please could you answer my question about outbound NAT above?

                            Kind Regards,
                            Craig

                            1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              Manual Outbound NAT, with a rule like what I described before. just copy the rule(s) that do your LAN subnet and fix them so they cover your IPsec remote subnet also.

                              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • V
                                Vorkbaard
                                last edited by

                                Hi, this is just what I was looking for, and it works like a charm. THANK YOU!

                                Now for a follow-up question: I have a webserver in site B that used to be available on its (public, external) ip address thanks to nat reflection. Now that outbound nat rule generation is no longer done automatically, that server is no longer available from within sites A and B. From outsite it still works fine.

                                We have 6 public ips in a row and this webserver is not on PfSense's public ip address but on one of the others.

                                I take it I must tell PfSense somewhere that that server must be reachable from inside the lans, but where and how?

                                /edit
                                Ok I found the solution: under Firewall > NAT > Port Forward, for every port forward rule I had to set NAT reflection to Enable (Pure NAT). Also under System > Advanced I ticked Enable NAT Reflection for 1:1 NAT and Enable automatic NAT for Reflection. I think using all three options might be redundant but it works.

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.