Netgate Discussion Forum

    Interesting situation – need to route all local traffic through remote pfSense

    General pfSense Questions
    16 Posts 6 Posters 3.5k Views
    breakaway:

      Hello Everyone

      I am in an interesting situation. I have a office site and a datacenter site. At the data centre, I have a large /26 IP block. I have a few addresses on this block that I am not yet using.

      I am wanting to share my internet connection at the office with others in the office building. Now this would be very easy to do, unfortunately due to ISP limitations, we are not able to do this. At the datacenter we have 'unmetered' carrier grade bandwidth.

      The ISP limitation is that we are allowed 'unlimited' national traffic over the link, but we are limited to only 200GB of 'international' traffic. As it stands, we are hitting this 200GB limit almost every month. If I start sharing our internet with other entities, we will quickly exceed this cap and it will start to become very expensive (ridiculous overage charges). Switching ISPs to get one with a better plan or getting a second connection in for sharing purposes is NOT an option due to the political atmosphere and the timeframes involved. It's totally out of the question.

      So I have come up with a creative way to solve this problem – give the companies requiring an internet connection in the office building a non-routable subnet (e.g. 192.168.240.0/24), connect them to our pfSense and then route all their traffic through the office internet connection to the datacenter; then NAT it using one of the IPs on my /26 block on the internet.

      This way, our ISP at the office would see all traffic as "National" traffic and not surpass our tiny 200GB cap.

      I need some insights and instructions on

      (a) whether this is possible
      (b) if (a) is true, what tech is best to use? I am very experienced with using IPSEC for site to site tunnels (but that's done using non-overlapping subnets) -- is it possible to NAT everything out of the 192.168.240/24 subnet into my datacenter IP?
      (c) is there a better way to do this?

      Any insights appreciated.

      kejianshi:

        Me personally, I'd need a picture of how you want this set up.

        phil.davis:

          It should be possible. I use OpenVPN, but I expect IPsec would work also. For example:
          a) Put them on their own interface and subnet like you suggest 192.168.240.0/24 - using different private IP range than is used anywhere else in office or data centre. Let's call it OTHERLAN.
          b) Make a VPN from office to datacentre (maybe you have one already?).
          c) Add a gateway that is the data centre end of the VPN - DATACENTREGW
          d) Put a policy-routing rule on OTHERLAN to pass all traffic but send it to DATACENTREGW. (no NAT on this hop)
          e) In the data centre router, pass all traffic arriving on the VPN with source 192.168.240.0/24 and destination not a private subnet (i.e. you do not want OTHERLAN users accessing private IPs of devices in the data centre).

          The data centre router should then NAT the OTHERLAN traffic out its public internet and the replies should flow happily back the reverse path.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

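Steps (c) to (e) above expressed as a pf ruleset, as an added illustration that is not from the thread or from pfSense itself (pfSense builds its rules from the GUI, so this only shows the logic). It assumes the VPN is a routed tunnel with a reachable gateway address, as OpenVPN provides; the interface names, the tunnel gateway and the public IP are placeholders.

```pf
# Office pfSense (the OTHERLAN side): policy-route everything from OTHERLAN into
# the tunnel toward DATACENTREGW. No NAT on this hop, so the datacentre still
# sees 192.168.240.0/24 as the source. Interface names and gateway are placeholders.
otherlan_if  = "em2"
vpn_if       = "ovpnc1"
datacentregw = "10.99.99.1"        # far end of the tunnel (placeholder)
pass in quick on $otherlan_if route-to ( $vpn_if $datacentregw ) \
    from 192.168.240.0/24 to any keep state

# Datacentre pfSense: only let OTHERLAN traffic reach non-private destinations
# (step e), then NAT it out the WAN using one spare address from the /26.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
wan_if    = "em0"
public_ip = "203.0.113.5"          # placeholder for one of the /26 addresses
nat on $wan_if from 192.168.240.0/24 to any -> $public_ip
block in quick on $vpn_if from 192.168.240.0/24 to <rfc1918>
pass  in quick on $vpn_if from 192.168.240.0/24 to any keep state
```

The block rule must sit before the pass rule: without it, OTHERLAN hosts would reach the datacentre's own private networks through the tunnel.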
          breakaway:

            kejianshi – here's what I want

            I think phil.davis has hit the nail on the head here. I will try it and report back

            breakaway:

              Ok I am giving this a shot now. The Office pfSense has been assigned with 192.168.254.10/24, and the datacenter pfSense is configured with 192.168.253.10/24. The IPSEC phase 2 has been added as well and the tunnel is up. Now, I need to figure out how to force traffic from 192.168.254.0/24 at the office into the 192.168.253.10/24 gateway at the datacenter.

              phil.davis, can you clarify the second part of your post? i.e.

              c) Add a gateway that is the data centre end of the VPN - DATACENTREGW
              d) Put a policy-routing rule on OTHERLAN to pass all traffic but send it to DATACENTREGW. (no NAT on this hop)

              How do I add the gateway that's on the datacenter end of the VPN? If I go to System > Routing > Gateways and try to add the  datacenter end of the tunnel (i.e. 192.168.253.10), I can't do that because the only possible drop downs in the "Interface" list are the physical interfaces on this end of the tunnel.. how do I tell it that I want the gateway to be on the other end of the tunnel? I hope that makes sense.

              Edit: I also thought I'd add that I found this guide https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel that allows me to accomplish what I want, however the guide assumes you want to send everything from Site A to Site B – that's not what I want, I only want to send traffic from a specific interface from the Site A pfsense to Site B.

              NOYB:

                Do these internet sharing clients need or want to host any services?  Such as DNS, SMTP email, Web Site, VPN access to office, etc.?  It may be easier or even necessary to assign them their own dedicated IP address at the data center rather than NATing.

                kejianshi:

                  You can tell pfsense to use openvpn as the outbound interface for a particular LAN interface by configuring that in firewall > NAT Manual outbound NAT.  Just be sure to add a virtual interface for openvpn (I'd use openvpn).

                  So, as an example, if everything on OPT5 was on 192.168.201.0/24 and you wanted anyone on opt5 to get internet through your pfsense/openvpn server in the datacenter, you would put that into your manual outbound NAT on the client pfsense and select your openvpn interface instead of WAN in manual outbound NAT.

                  cmb:

                    Firewall rules can direct traffic in this case, or can set a default route across the VPN.

                    @kejianshi:

                    You can tell pfsense to use openvpn as the outbound interface for a particular LAN interface by configuring that in firewall > NAT Manual outbound NAT.

                    No, NAT strictly defines translation, not where traffic goes.

                    kejianshi:

                      Yeah - It does work.

                      If an OpenVPN client interface is selected on manual outbound NAT, that interface is where all the outbound traffic that meets the criteria stipulated will exit.

                      I'm sure you know lots more than me, but you can't tell me that something that has been working for me for a long time doesn't work.  I know it does because it's working for me now.  Not theory.

                      However, I agree, that doing it in firewall rules also works.

                      Derelict (LAYER 8 Netgate):

                        But why NAT VPN traffic between distinct private lans?

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        kejianshi:

                          What this guy is asking for isn't actually uncommon at all if I'm understanding correctly.

                          There is a site A and a site B

                          He wants all internet bound traffic from a particular interface on site B to go out over vpn to a server at site A.

                          Seems simple enough.  Anyway - Will be interesting to see what he works out.

                          breakaway:

                            Hi,

                            Sorry my diagram is somewhat incorrect and my original phrasing of the question is quite poor.

                            Here's what I want – I want to route all traffic coming into OPT3 at the office sent to the datacentre, then out the datacentre's internet connection.

                            I would have thought this is a fairly typical configuration. I've found guides on how to send ALL traffic from the pfSense through the IPSEC tunnel, but no guide on how to funnel traffic out a single interface through an IPSEC tunnel.

                            I'd rather not use OpenVPN because all our Site to Site VPNs are established using IPSEC. But if it so happens that IPSEC cannot accomplish what I want, I will use OpenVPN

                            Can someone answer the million dollar question: 192.168.254.0/24 at Site A; 192.168.253.0/24 at Site B; IPSEC tunnel established between the two. Now, I need to send traffic from 192.168.254.0/24 at Site A through the IPSEC tunnel to Site B, then NAT it out the WAN connection of Site B.

                            I hope that explains it!

                            kejianshi:

                              Why don't you just have both "sharing clients" connect directly to the office pfsense via openvpn for internet sharing?

                              breakaway:

                                Because I am trying to provide internet access to an entire business (so devices like their printers etc can get internet access), not a VPN system.

                                cmb:

                                  @kejianshi:

                                  Yeah - It does work.

                                  If an OpenVPN client interface is selected on manual outbound NAT, that interface is where all the outbound traffic that meets the criteria stipulated will exit.

                                  No, it doesn't. NAT only defines translation, the system routing table and/or policy routing rules tell traffic where to go. You have a route or rule that's directing the traffic out of the VPN.

                                  kejianshi:

                                    If the VPN server and the client are configured correctly, the routes exist.

                                    If the interface associated with the VPN client is configured in outbound NAT to be used with a certain subnet, that's where the traffic will go.

                                    Seems simple to me.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.