Netgate Discussion Forum

    Fine grained control over routing & filtering when tunneling a /24 public IP net

      rcfa

      I sort of ask this question in intervals, as pfSense and my understanding evolves…

      What I have:

      • Class-C (/24) direct assignment of public IPv4 address space
      • a HE-tunnelbroker assignment of IPv6 address space
      • a FiOS link to my site (but no ability/willingness on the side of Verizon to route my net), with a pfSense box as router/firewall
      • a colocation site with an identical pfSense box, to which my IP address space is routed.

      What I do/did:

      • tunnel all of my IPv4 address space and traffic over a VPN (IPSec first, OpenVPN currently) to the Colo, and from there to the internet
      • tunnel all of my IPv6 address space and traffic over the tunnelbroker tunnel to HE and from there to the internet

      What I can't do due to seeming limitations of OpenVPN and IPSec:

      • policy based routing that runs trivial traffic (web browsing, downloads) through NAT and directly to the internet over FiOS rather than through the tunnel-colo detour
      • proper filtering/routing, because both the OpenVPN tunnel and IPSec seem to grab some traffic before pf gets its paws on it, or set up routing that has priority over other things. Maybe I'm just not doing things right
      • make sure IPv6 is prioritized over IPv4; it seems that due to initial ping times IPv4 gets the preference, but those pings are direct FiOS, not the tunnel, so they don't reflect the actual realities of how packets flow from the LAN

      What I really would like:

      • the functional equivalent of two pfSense units in series: one that connects to FiOS and then offers three physical links: WAN4, WAN6, and WAN-NAT, and then a second box that connects DMZ and LAN to these three WAN links through policy based routing. But in one box...
      • preferably with data compression for what goes through the tunnel

      ...so what, short of two units in series, allows me to get the same effect?
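As an added illustration (not from the post, and not pfSense's own generated ruleset), this is a pf.conf-style sketch of the "two boxes in series" setup on a single box, using route-to on the inbound LAN/DMZ rules so the public /24 and the HE prefix go into their tunnels while the private LAN is NATed straight out FiOS. Every interface name, next hop and prefix is an assumption; on pfSense, rules of this shape come from a firewall rule's Gateway field and from Firewall > NAT > Outbound in hybrid or manual mode.

```pf
# Added example, not from the post: single-box policy routing with pf.
# All interface names, next hops and prefixes are placeholders/assumptions.
fios_if  = "igb0"                # FiOS uplink (Verizon-assigned address)
fios_gw  = "192.0.2.1"           # Verizon next hop (placeholder)
tun_if   = "ovpns1"              # OpenVPN tunnel to the colo
tun_gw   = "10.8.0.2"            # colo end of the tunnel (placeholder)
he_if    = "gif0"                # HE tunnelbroker tunnel
he_gw    = "2001:db8::1"         # HE end of the tunnel (placeholder)
lan_if   = "igb1"
dmz_if   = "igb2"
pub4     = "203.0.113.0/24"      # the routed public /24 (placeholder)
lan_priv = "192.168.10.0/24"     # private LAN that should use FiOS + NAT
he_pfx   = "2001:db8:abcd::/48"  # IPv6 prefix from HE (placeholder)

# Outbound NAT only on the FiOS link and only for the private LAN.
# Nothing sourced from the public /24 or the HE prefix is ever translated.
nat on $fios_if inet from $lan_priv to any -> ($fios_if)

# Public IPv4 space: policy-route into the colo tunnel as it enters from
# the DMZ. route-to on the inbound rule overrides the kernel routing table
# for matching packets, so routes pushed by OpenVPN/IPsec no longer decide.
pass in quick on $dmz_if inet route-to ($tun_if $tun_gw) \
    from $pub4 to any keep state

# IPv6 from the HE prefix: same idea, into the HE tunnel.
pass in quick on { $dmz_if $lan_if } inet6 route-to ($he_if $he_gw) \
    from $he_pfx to any keep state

# Local destinations must not be policy-routed out FiOS: match them first
# without route-to so they follow the normal routing table to the DMZ.
pass in quick on $lan_if inet from $lan_priv to $pub4 keep state

# "Trivial" private-LAN traffic goes straight out FiOS through NAT.
# Keep this above any catch-all rule; anything that falls through to the
# routing table would instead follow the tunnel's default route.
pass in quick on $lan_if inet route-to ($fios_if $fios_gw) \
    from $lan_priv to any keep state
```

`pfctl -nf <file>` parses such a ruleset without loading it, which is the quickest way to catch syntax mistakes before touching a live box.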