Accessing bridged to wan opt1 with ipsec



  • I have a pfsense firewall with wan, lan and opt1 interfaces, opt1 is bridged to wan with filtering bridge on and using public ip addresses. I'd like to setup a site to site vpn with ipsec to another site and the other site should be able to access both lan and the bridged to wan opt1 from the other end. I can setup the lan <-> other site part just fine but how do I set up the bridged to wan opt1 <-> other site part?



  • Setup a second parallel tunnel to the same public IP-adress like the first tunnel but with the remote subnet of the bridged dmz machines. For this to work you have to use non ip adress identifiers in both tunnels (like ufqdn) and aggressive mode).



  • Thanks  :)

    I meant only the opt1 net is using public addresses, the lan net is using private addresses and the local net on the tunnel I have already set up is LAN. Shouldn't make any difference ?



  • Let me outline the tunneldefinitions:

    Tunnel1 LAN to LAN:

    identifier: lan2lan@myvpn.net (just create them with a secret at both ends)
    remote gateway: public IP of remote end
    local net: lan subnet
    remote net: subnet of remote lan
    mode: aggressive

    Tunnel2 LAN to DMZ:

    identifier: lan2dmz@myvpn.net (just create them with a secret at both ends)
    remote gateway: public IP of remote end
    local net: lan subnet
    remote net: subnet of dmz (note that you have to add manually the dmz subnet on the end with the dms as local net)
    mode: aggressive

    That should make the traffic to the DMZ IPs go through the tunnel. Try a traceroute once it's up.



  • Yes thanks again for excellent advice. I haven't tried the second tunnel yet because I ran into problems with the identifiers. It seems you can not change from my ip address identifiers(I first created the lan2lan tunnel with my ip address identifiers) to user fqdn on the fly but you have recreate the tunnels with user fqdns from scratch. Found this thread here that seems to be related to this: http://forum.pfsense.org/index.php/topic,7337.msg41606.html#msg41606

    Also, shouldn't all four identifiers be unique? Like lan2lan_1@myvpn.com, lan2lan_2@myvpn.com for the lan2lan tunnel and lan2dmz_1@myvpn.com,
    lan2dmz_2@myvpn.com for the other?



  • You can use the same identifiers at both ends but they have to be unique for each tunnel. Having them different at both ends for the same tunnel won't hurt, just set everything up correctly. I usually find it easier to have the same at both ends as this is easier to remember and less possibility to configure things wrong. I would just disable the IP-Identifier tunnels for now (there's a checkbox when you edit the tunnel) and set up the new ones from scratch. This way you can easily move back and forth between the one and the other config until you get things going. Once the parallel tunnel  setup works just delete the disabled IP-Identifier tunnels.


Log in to reply