Traffic / Gateway question

  • Hello, this is a little bit of a weird question, so let me explain what we have and what I'm trying to accomplish.  We currently have two datacenter locations with CARP set up on two pfSenses at each site.  Each site has the WAN of the pfSense on a public /29, and the LAN is also a routable public /24.  At each site we run multiple virtual machines running pfSense for IaaS for our clients.  Each of those virtual pfSenses has one of the public /24 IPs assigned to its WAN.  What we would like to do, on the main physical pfSense at each site, is create an OpenVPN connection between the two of them so we can pass traffic between the two networks with our internal company systems that also lie inside part of the /24 at each site.

    The big question here is how can we prevent double encryption from occurring when we connect a virtual firewall at one site to one at the other?  The problem is that all of these virtual firewalls are inside the LAN of the physical pfSenses at each site.  So when we go to establish a connection between the two, both of the IP ranges would fall inside the local / remote networks for the OpenVPN on the physical firewall.  I'd like a way to specify whether the traffic from, say, IPs .1-.50 on the LAN's public /24 goes to the remote site's LAN public /24 through the OpenVPN tunnel, or is sent straight out the ISP gateway instead of inside the tunnel.

    Is there any way to split this type of traffic without having to set up new subnets?  Would a firewall rule of some sort work?

  • I believe this is resolved now.  I spoke with Jim P. and it sounds like I can create a LAN firewall rule and specify the source IPs and destination port, and then pick the Gateway specifically, and the traffic should go around the primary OpenVPN tunnel between the sites.
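The policy-routing rule described in the reply, written out as the pf rules a LAN rule with a specific gateway produces, as an added example that is not from the original thread or from pfSense itself.  Interface names, the ISP gateway address and all prefixes (RFC 5737 documentation ranges) are assumptions; only the virtual firewalls' own VPN port is matched, so the traffic that bypasses the site tunnel is traffic the virtual firewalls already encrypt.

```pf
# Constructed example: site A physical pfSense, LAN side.
lan_if   = "em1"
wan_if   = "em0"
isp_gw   = "203.0.113.1"          # ISP gateway on the WAN /29 (assumed)
site_a   = "198.51.100.0/24"      # this site's routable LAN /24 (assumed)
site_b   = "192.0.2.0/24"         # remote site's routable LAN /24 (assumed)
vfw_a    = "198.51.100.1 - 198.51.100.50"   # virtual firewall WANs, .1-.50
vfw_vpn  = "1194"                 # port the virtual firewalls tunnel on (assumed)

# 1. Bypass rule: must sit ABOVE the general LAN rule.  "quick" plus
#    "route-to" hands matching packets to the ISP gateway directly, so
#    they never hit the site-to-site OpenVPN route.  Matching on the
#    destination port keeps everything else from .1-.50 inside the tunnel.
pass in quick on $lan_if route-to ($wan_if $isp_gw) inet proto udp \
    from $vfw_a to $site_b port $vfw_vpn \
    keep state label "USER_RULE: vfw-to-vfw bypasses site tunnel"

# 2. General LAN rule: everything else to the remote /24 follows the
#    routing table, i.e. the OpenVPN tunnel's route for $site_b.
pass in quick on $lan_if inet from $site_a to $site_b \
    keep state label "USER_RULE: LAN to remote site via OpenVPN"
```

The same two rules, with the sites swapped, are needed on the site B firewall, otherwise replies from B still return through the tunnel; in the pfSense GUI the order is the rule order on the LAN tab, with the gateway set under the rule's advanced options.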
