Policy based routing over VPN



  • Two networks of our company are to be connected via DSL-VPNs. To achieve more bandwidth, we have 2 DSL wires connected to a pfsense at each site. I set up two VPNs between the two boxes. I would like to split the traffic by policy based routing on the VPN-Client (in network 2), e.g. mail traffic should go via VPN2 (to the mailserver in network1), all other via VPN1 (default gw), and the replies should go the same way back.

    network1 (192.168.110.0/24)
                        |
                vr0(192.168.110.254)
                  pfsense1
                (OpenVPN server)
      vpn1(192.168.105.1)  vpn2(192.168.105.17)
    vr1(static IP)                  vr2(static IP)
            |                              |
            |                              |
            |                              |
            |                              |
    vr1(static IP)                  vr2(static IP)
      vpn1(192.168.105.2)  vpn2(192.168.105.18)
                (OpenVPN client)
                  pfsense2
                vr0(192.168.100.254)
                        |
              network2 (192.168.100.0/24)

    I did several tries with pf, importing the rules with

    pfctl -a ftpproxy -f vpn2

    with vpn2 containing rules like

    pass in log on vr0 route-to (vr1 192.168.105.17) proto tcp from 192.168.100.0/24 to 192.168.110.0/24 port 995 label "MailPOPs" keep state

    but mail traffic is still routed over the default vpn1-path and nothing is logged in the firewall-log.

    I used the ftpproxy anchor because this seems to be filtered before the firewall entries of pfsense.

    Every hint is very welcome.
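As an added illustration (not the poster's ruleset and not pfSense's generated rules), the following pf fragment shows how a policy-routing rule of the kind quoted above is normally written for a tunnel, together with the checks that tell you whether the anchor is evaluated and the rule is matching. It uses the addresses from the diagram; the tunnel interface names (`tun0` for vpn1, `tun1` for vpn2), the anchor name `ftpproxy` and the mail port list are assumptions for the example.

```pf
# Added example, not from the original post. Assumed names: the client-side
# OpenVPN tunnel interfaces are tun0 (vpn1, the default path) and tun1 (vpn2);
# the rules are loaded into the anchor with
#   pfctl -a ftpproxy -f /path/to/vpn2
# Addresses are those of the post's diagram.

lan_if     = "vr0"
vpn2_if    = "tun1"             # assumption: interface of the second OpenVPN client
vpn2_gw    = "192.168.105.17"   # far end of vpn2 (from the diagram)
net_local  = "192.168.100.0/24"
net_remote = "192.168.110.0/24"
mail_ports = "{ 25, 110, 143, 465, 587, 993, 995 }"   # constructed example list

# Outbound: mail traffic entering from the LAN is steered into vpn2 instead of
# following the routing table. route-to names the tunnel interface and the next
# hop reachable through that tunnel, not the physical WAN (vr1) the tunnel rides
# on. The state created by this rule carries the route, so the server's replies
# to these flows return to the LAN host over the same path.
pass in log quick on $lan_if route-to ($vpn2_if $vpn2_gw) \
    proto tcp from $net_local to $net_remote port $mail_ports \
    label "MailViaVPN2" keep state

# Inbound: connections initiated from the remote site that arrive over vpn2.
# reply-to makes pf send the answers back through vpn2 rather than along the
# default route (vpn1), keeping the path symmetric.
pass in log quick on $vpn2_if reply-to ($vpn2_if $vpn2_gw) \
    proto tcp from $net_remote to $net_local \
    label "ReplyViaVPN2" keep state

# Checks on the client pfSense after loading the anchor:
#   pfctl -sr | grep 'anchor "ftpproxy"'  # the main ruleset must reference the
#                                         # anchor, otherwise its rules are never
#                                         # evaluated (no matches, no log lines)
#   pfctl -a ftpproxy -vsr                # anchor rules with evaluation/match counters
#   pfctl -ss | grep 192.168.110          # states created for the mail flows
#   tcpdump -ni tun1 port 995             # packets actually leaving via vpn2
```

Two things the counters expose quickly: a rule whose match counter stays at zero while the flows exist means the anchor is not in the evaluation path or the filter criteria do not fit the packets; a rule that matches but whose packets still leave via the default tunnel usually points at `route-to` naming an interface through which the given next hop is not reachable.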

