Site-to-site split tunnel

  • Hi everyone!

    I need some routing advice…
    I've set up a site-to-site IPSec tunnel between our pfSense and one of our customers' Cisco devices. The local end of our phase 2 uses network, which resides on a physical interface of the pfSense (re3, called "VPNOUT"). Our local LAN subnet ( is on re1 and WAN is on re0. There is a DHCP server running on VPNOUT.
    The tunnel comes up, but no traffic seems to be going through it when I connect a client to the subnet. I receive a correct IP address from the DHCP server and traceroute shows the first hop is the interface's gateway (, but then nothing further; I can't reach the machines on the other end.

    Should I just use subnet on our end of the P2 to get traffic routed over the tunnel?
    And if I do so, then I assume all traffic would get routed over the tunnel, including outgoing traffic from LAN, which is not my intention.

    Ideal scenario would be that I don't need the separate VPNOUT interface, and that I can just specify that outgoing traffic from LAN to some specific hosts should be routed over the IPSec tunnel, and all the rest should be routed over the default WAN gateway.
    Could anyone explain to me how I can do this?

    Thank you very much in advance for any help!

  • I need to be more precise on this one…
    My IPSec tunnel is up, using the VPNOUT subnet on my end, and for the remote subnet:

    The client requested to set it up as such so they don't need to specify routing on their end for every server we need to be able to reach through the tunnel (they're a VERY big company with hundreds of servers, of which we need to reach more than a couple). Obviously this kind of setup would cause any traffic from the VPNOUT subnet to be routed through the tunnel, I'd guess, but that doesn't seem to be the case :-/

    SPD shows this:

    I have the following rule in place for the VPNOUT subnet:

    My VPNOUT interface looks like this:

    And DHCP on the VPNOUT looks like this:

    I receive a correct IP from the DHCP server when I connect a client and I can ping the gateway (, but I can't resolve DNS, and I cannot ping any server on the other end of the tunnel.
    Traceroute also only shows 1 hop, being . From the second hop on, everything times out.
    I cannot ping any server on the remote end of the tunnel directly from the pfSense either (SSH shell: ping -S <remote-address> or ping <remote-address>).
    Our client tells me they don't see any traffic arriving from our end when I ping/traceroute/whatever.

    What on earth am I missing here?
    Please, somebody enlighten me, thanks!

  • While I was typing my previous message, something hit me.
    Could it be that I would just need to do the following? ->

    1/ assign VPNOUT to the physical interface that WAN is on
    2/ change VPNOUT to have "none" for IPv4 & IPv6
    3/ assign a new interface to one of my available ethernet cards
    4/ call that new interface "TunneledLAN" & give it an address of
    5/ enable DHCP on "TunneledLAN" for
    6/ add an outbound NAT rule on VPNOUT for over * to * with the VPNOUT interface address for translation
    7/ create a firewall rule for "TunneledLAN" for * over * to *

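The following is an added illustration, not code from the poster or from pfSense, of the routing question behind this thread: a policy-based IPsec tunnel only encapsulates a packet whose (source, destination) pair falls inside a phase 2 selector pair, so which local subnet the phase 2 is scoped to decides what enters the tunnel. All subnets and hosts below are constructed placeholders, since the thread's real addresses are not on the page.

```python
"""Model of IPsec security-policy (SPD) selector matching for a site-to-site
tunnel. Constructed topology (assumptions): LAN on re1, VPNOUT on re3, and
the customer's network on the far end of the tunnel."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Policy = Tuple[Net, Net]  # (local selector, remote selector)

LAN_NET = Net("192.0.2.0/24")       # placeholder for the LAN subnet
VPNOUT_NET = Net("198.51.100.0/24") # placeholder for the VPNOUT subnet
REMOTE_NET = Net("203.0.113.0/24")  # placeholder for the customer's network


def build_spd(phase2s: List[Policy]) -> List[Policy]:
    """One outbound SPD entry per phase 2; this is the key a policy-based
    tunnel is looked up by, independent of the interface the packet leaves."""
    return list(phase2s)


def decide(src: str, dst: str, spd: List[Policy]) -> str:
    """Return 'ipsec' if some policy covers src->dst, else 'wan'. A packet that
    matches no selector pair is never encapsulated and follows the default
    route, even while the tunnel itself is up."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for local, remote in spd:
        if s in local and d in remote:
            return "ipsec"
    return "wan"


def split_tunnel_report(spd: List[Policy]) -> Dict[str, str]:
    """Classify representative flows; only the (src, dst) pair matters."""
    flows = {  # constructed sample hosts
        "vpnout_client_to_customer": ("198.51.100.50", "203.0.113.10"),
        "vpnout_client_to_internet": ("198.51.100.50", "8.8.8.8"),
        "lan_client_to_customer": ("192.0.2.20", "203.0.113.10"),
        "lan_client_to_internet": ("192.0.2.20", "8.8.8.8"),
    }
    return {name: decide(s, d, spd) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    # Setup described in the thread: phase 2 local = VPNOUT subnet.
    # LAN traffic to the customer is not covered and stays on WAN.
    print(split_tunnel_report(build_spd([(VPNOUT_NET, REMOTE_NET)])))
    # Alternative raised in the question: phase 2 local = LAN subnet.
    # Only LAN traffic destined for REMOTE_NET is tunnelled; the rest
    # still leaves via the default WAN gateway.
    print(split_tunnel_report(build_spd([(LAN_NET, REMOTE_NET)])))
```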

  • Is there really no one who has an answer to this or who can help me in the right direction?

  • In the firewall rules, what rules are in the IPsec tab? They should also be any and any?
