Netgate Discussion Forum

    Accessing bridged to wan opt1 with ipsec

      kpa

      I have a pfSense firewall with WAN, LAN and OPT1 interfaces; OPT1 is bridged to WAN with filtering bridge on and using public IP addresses. I'd like to set up a site-to-site VPN with IPsec to another site, and the other site should be able to access both LAN and the bridged-to-WAN OPT1 from the other end. I can set up the LAN <-> other site part just fine, but how do I set up the bridged-to-WAN OPT1 <-> other site part?

        hoba

        Set up a second parallel tunnel to the same public IP address as the first tunnel, but with the remote subnet of the bridged DMZ machines. For this to work you have to use non-IP-address identifiers in both tunnels (like ufqdn) and aggressive mode.

          kpa

          Thanks :)

          I meant only the OPT1 net is using public addresses; the LAN net is using private addresses, and the local net on the tunnel I have already set up is LAN. Shouldn't make any difference?

            hoba

            Let me outline the tunnel definitions:

            Tunnel1 LAN to LAN:

            identifier: lan2lan@myvpn.net (just create them with a secret at both ends)
            remote gateway: public IP of remote end
            local net: lan subnet
            remote net: subnet of remote lan
            mode: aggressive

            Tunnel2 LAN to DMZ:

            identifier: lan2dmz@myvpn.net (just create them with a secret at both ends)
            remote gateway: public IP of remote end
            local net: lan subnet
            remote net: subnet of DMZ (note that you have to manually add the DMZ subnet as local net on the end with the DMZ)
            mode: aggressive

            That should make the traffic to the DMZ IPs go through the tunnel. Try a traceroute once it's up.

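The rules hoba lays out above (two tunnels to the same peer need distinct non-IP identifiers, aggressive mode, and different local/remote subnet pairs) written as a standalone checker. This is an added example, not pfSense code; the tunnel dicts, field names and all addresses are constructed placeholders.

```python
# Added example (not pfSense code): checks a set of IKEv1 tunnel definitions
# against the constraints for parallel tunnels that terminate on the same peer.
import ipaddress

def is_ip_identifier(ident):
    """True if the phase 1 identifier is a bare IP address rather than e.g. a ufqdn."""
    try:
        ipaddress.ip_address(ident)
        return True
    except ValueError:
        return False

def check_tunnels(tunnels):
    """Return a list of problems found; an empty list means the set is consistent."""
    problems = []
    by_peer = {}
    for t in tunnels:
        by_peer.setdefault(t["remote_gateway"], []).append(t)
    for peer, group in by_peer.items():
        if len(group) < 2:
            continue  # a single tunnel per peer may use any identifier type
        seen_ids, seen_nets = {}, {}
        for t in group:
            name, ident = t["name"], t["identifier"]
            if is_ip_identifier(ident):
                problems.append(f"{name}: IP identifier cannot distinguish parallel tunnels to {peer}")
            if t["mode"] != "aggressive":
                problems.append(f"{name}: non-IP identifiers need aggressive mode")
            if ident in seen_ids:
                problems.append(f"{name}: identifier {ident} already used by {seen_ids[ident]}")
            seen_ids.setdefault(ident, name)
            nets = (ipaddress.ip_network(t["local_net"]), ipaddress.ip_network(t["remote_net"]))
            if nets in seen_nets:
                problems.append(f"{name}: same local/remote subnets as {seen_nets[nets]}")
            seen_nets.setdefault(nets, name)
    return problems

# Constructed sample mirroring the outline above; all addresses are placeholders.
GOOD = [
    {"name": "Tunnel1 LAN to LAN", "remote_gateway": "203.0.113.10", "identifier": "lan2lan@myvpn.net",
     "local_net": "192.168.1.0/24", "remote_net": "192.168.2.0/24", "mode": "aggressive"},
    {"name": "Tunnel2 LAN to DMZ", "remote_gateway": "203.0.113.10", "identifier": "lan2dmz@myvpn.net",
     "local_net": "192.168.1.0/24", "remote_net": "198.51.100.0/28", "mode": "aggressive"},
]
# The situation kpa runs into below: the first tunnel still keyed on the firewall's own IP.
BAD = [dict(GOOD[0], identifier="203.0.113.20", mode="main"), GOOD[1]]

if __name__ == "__main__":
    print("GOOD:", check_tunnels(GOOD) or "ok")
    for p in check_tunnels(BAD):
        print("BAD:", p)
```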
              kpa

              Yes, thanks again for excellent advice. I haven't tried the second tunnel yet because I ran into problems with the identifiers. It seems you cannot change from My IP address identifiers (I first created the lan2lan tunnel with My IP address identifiers) to user FQDN on the fly, but you have to recreate the tunnels with user FQDNs from scratch. Found this thread here that seems to be related to this: http://forum.pfsense.org/index.php/topic,7337.msg41606.html#msg41606

              Also, shouldn't all four identifiers be unique? Like lan2lan_1@myvpn.com, lan2lan_2@myvpn.com for the lan2lan tunnel and lan2dmz_1@myvpn.com, lan2dmz_2@myvpn.com for the other?

                hoba

                You can use the same identifiers at both ends, but they have to be unique for each tunnel. Having them different at both ends for the same tunnel won't hurt; just set everything up correctly. I usually find it easier to have the same at both ends, as this is easier to remember and there is less possibility to configure things wrong. I would just disable the IP-identifier tunnels for now (there's a checkbox when you edit the tunnel) and set up the new ones from scratch. This way you can easily move back and forth between the one and the other config until you get things going. Once the parallel tunnel setup works, just delete the disabled IP-identifier tunnels.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.