Netgate Discussion Forum
    Firewall rule with gateway - policy based routing

Category: Routing and Multi WAN
6 Posts, 5 Posters, 1.9k Views
Terrabit_AH

I have four interfaces: WAN, LAN, MPLS and backup.

The MPLS interface and the backup are in a gateway group.

I successfully route traffic from LAN over the gateway group to the destination.

Now I want to route a network behind an IPsec tunnel over the gateway group.

I make a rule on the IPsec interface without effect; all traffic is routed to the WAN.

I captured the traffic!!!!

How can I route traffic from IPsec tunnels over the gateway group???

Regards,
Alexander

GruensFroeschli

You can't.
IPsec is handled differently, before the routing table/specific gateways are processed.
If you want to be able to route over a VPN, use OpenVPN.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Terrabit_AH

Why don't you fix the problem in pfSense?
Other devices like a Cisco router can route over IPsec;
not really, but the routing table will be used.

That means you route the traffic based on the routing table and only the encryption is effected by the IPsec policy.
That's the main reason why IPsec is used: to define encryption policies for traffic between two hosts or networks.

Metu69salemi

I think the problem lies in the OS beneath pfSense and is not a pfSense limitation itself.
If I'm correct, IPsec is in the kernel of BSD and OpenVPN is add-on software, which can be handled differently.

jimp (Rebel Alliance Developer, Netgate)

              Correct, IPsec will grab all traffic matching its SPD entries (Phase 2) so doing policy routing involving IPsec is not possible.

              It works fine with OpenVPN though.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

dhatz
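As an added illustration of the evaluation order jimp describes (this is not pfSense or FreeBSD code; the subnets, interface and gateway-group names are constructed), the model below checks IPsec Phase 2 selectors before any firewall-rule gateway, which is why a gateway-group rule never influences tunnel-bound traffic:

```python
# Added illustration, not pfSense or FreeBSD code: models the evaluation order
# jimp describes. An IPsec Phase 2 (SPD entry) is matched before a firewall
# rule's gateway, so a gateway-group rule never sees tunnel-bound traffic.
# All subnets, interface names and gateway names are constructed sample data.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class SpdEntry:            # one Phase 2: local subnet <-> remote subnet
    local: IPv4Network
    remote: IPv4Network

@dataclass(frozen=True)
class FwRule:              # a pass rule on an interface, optionally with a gateway
    iface: str
    src: IPv4Network
    dst: IPv4Network
    gateway: Optional[str]  # e.g. "GW_GROUP_MPLS_BACKUP"; None = use routing table

def forward(iface, src, dst, spd, rules, default_gw="WAN"):
    """Return where a packet goes, checking the SPD before any rule gateway."""
    s, d = ip_address(src), ip_address(dst)
    for p2 in spd:                       # 1. kernel IPsec SPD lookup wins
        if s in p2.local and d in p2.remote:
            return f"ipsec:{p2.local}->{p2.remote}"
    for r in rules:                      # 2. first matching rule on the interface
        if r.iface == iface and s in r.src and d in r.dst:
            return f"gateway:{r.gateway}" if r.gateway else f"route-table:{default_gw}"
    return "blocked"

def demo():
    """Constructed scenario: LAN 10.1.0.0/24, tunnel to 10.9.0.0/24, and a LAN
    rule that sends everything via the MPLS/backup gateway group."""
    spd = [SpdEntry(ip_network("10.1.0.0/24"), ip_network("10.9.0.0/24"))]
    rules = [FwRule("lan", ip_network("10.1.0.0/24"), ip_network("0.0.0.0/0"),
                    "GW_GROUP_MPLS_BACKUP")]
    return {
        # tunnel subnet: grabbed by the SPD, the rule's gateway is never consulted
        "to_tunnel": forward("lan", "10.1.0.5", "10.9.0.7", spd, rules),
        # anything else: policy-routed by the gateway group as expected
        "to_internet": forward("lan", "10.1.0.5", "203.0.113.9", spd, rules),
    }

if __name__ == "__main__":
    print(demo())
```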

@Terrabit_AH:

> Why don't you fix the problem in pfSense?
> Other devices like a Cisco router can route over IPsec;
> not really, but the routing table will be used.
>
> That means you route the traffic based on the routing table and only the encryption is effected by the IPsec policy.
> That's the main reason why IPsec is used: to define encryption policies for traffic between two hosts or networks.

Not doable at the moment, due to how FreeBSD (the underlying OS pfSense is based on) handles IPsec traffic.

Read http://forum.pfsense.org/index.php/topic,50589.0.html

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.