Netgate Discussion Forum

[Solved] Howto route local traffic between diff. Subnets AND IPSEC supernetting

Category: IPsec
4 Posts 3 Posters 1.4k Views
    pfsenseman081
    last edited by May 3, 2015, 1:08 AM (posted Apr 26, 2015, 12:29 AM)

    Here's my setup:

    Site 1, pfsense 2.2.2
    LAN A => 192.168.0.1/24
    LAN B => 192.168.1.1/24

    Site 2, pfsense 2.2.2
    LAN => 192.168.100.1/24

    Mission:
    Route all traffic from Site1 thru Site2
    but still allow routing locally from LAN A to LAN B.

    Setup:
    IPSEC Phase 1 connects to Site 2 (successful)
    IPSEC Phase 2: LAN A to 0.0.0.0/0 (successful)
    IPSEC Phase 2: LAN B to 0.0.0.0/0 (successful)

    The tunnel comes up and traffic is passing thru.

    Unfortunately, LAN A now can't reach LAN B locally anymore.

    What do I have to do to make LAN B locally available for LAN A?

    cu
    Ben

      kapara
      last edited by Apr 26, 2015, 12:55 AM (posted Apr 26, 2015, 12:50 AM)

      How about using a layer 3 switch and have the switch be the primary gateway and do inter-VLAN routing between both subnets at the switch and have all other traffic go to the pfSense. Another option is to throw a router in between your pfSense and your switch and have that be the gateway.

      That way pfSense does not have to handle the routing of the 2 subnets and your IPsec routing should not interfere.

      You can either go open source with a switch or router or go with a Cisco SMB switch.

      http://www.cisco.com/c/en/us/products/switches/small-business-300-series-managed-switches/models-comparison.html

      Skype ID:  Marinhd

        cmb
        last edited by May 1, 2015, 12:26 AM

        There isn't a way to accommodate that in the GUI currently. The "conn bypasslan" entry in ipsec.conf, generated by /etc/inc/vpn.inc, adds a passthrough but only for the LAN's subnet. That could be easily changed to hard code your LAN subnets in vpn.inc as a workaround. There is a feature request open to add that functionality in the future.

          pfsenseman081
          last edited by May 3, 2015, 1:07 AM

          Thanks for your answers.

          Here's how I've solved the problem:
          I set up my IPsec connection and "phased around" all my LAN subnets in Phase 2. To route around them, I just needed a couple of Phase 2 entries.

          0.0.0.0/1
          128.0.0.0/2
          192.0.0.0/9
          192.128.0.0/11
          192.160.0.0/13
          …

          cu
          Ben

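The Phase 2 list in the post above is the complement of the local subnets inside 0.0.0.0/0: at every prefix length from /1 down to the length of the excluded block, one sibling prefix is kept and the branch containing the local LANs is descended into. The script below computes that list for any set of local subnets, so the full set of Phase 2 entries (and their count) can be checked before they are typed into the GUI. It is an added example, not code from the thread or from pfSense; it assumes that LAN A and LAN B are 192.168.0.0/24 and 192.168.1.0/24 as in the first post, and that the remote LAN 192.168.100.0/24 must still fall inside one of the generated prefixes so it stays reachable through the tunnel.

```python
import ipaddress
from typing import Iterable, List

# Constructed from the first post: the two local subnets at Site 1 and the
# remote LAN at Site 2 (assumed values, used only for the checks below).
SITE1_LOCAL_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24"]
SITE2_LAN = "192.168.100.0/24"


def bypass_prefixes(local_subnets: Iterable[str],
                    base: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """Return the minimal sorted set of prefixes that cover `base` minus every
    subnet in `local_subnets`.  Each returned prefix is one Phase 2 entry.

    Overlapping or nested exclusions are handled: a remaining prefix that lies
    entirely inside an excluded subnet is dropped, one that contains an
    excluded subnet is split around it, and unrelated prefixes are kept.
    """
    remaining = [ipaddress.ip_network(base)]
    for cidr in local_subnets:
        excluded = ipaddress.ip_network(cidr)
        kept = []
        for net in remaining:
            if net.subnet_of(excluded):
                continue                      # fully local: no tunnel entry
            if excluded.subnet_of(net):
                kept.extend(net.address_exclude(excluded))  # split around it
            else:
                kept.append(net)              # untouched by this exclusion
        remaining = kept
    # Merge adjacent siblings that may reappear after several exclusions.
    return sorted(ipaddress.collapse_addresses(remaining))


def is_covered(prefixes: Iterable[ipaddress.IPv4Network], host: str) -> bool:
    """True if `host` would be sent into the tunnel by one of the prefixes."""
    addr = ipaddress.ip_address(host)
    return any(addr in p for p in prefixes)


def phase2_entries(local_subnets: Iterable[str]) -> List[str]:
    """CIDR strings in the order they appear in the post (0.0.0.0/1 first)."""
    return [str(p) for p in bypass_prefixes(local_subnets)]


if __name__ == "__main__":
    entries = phase2_entries(SITE1_LOCAL_SUBNETS)
    print(f"{len(entries)} Phase 2 entries needed:")
    for e in entries:
        print("  ", e)
    print("LAN B host stays local:", not is_covered(bypass_prefixes(SITE1_LOCAL_SUBNETS), "192.168.1.50"))
    print("Site 2 LAN still tunnelled:", is_covered(bypass_prefixes(SITE1_LOCAL_SUBNETS), "192.168.100.1"))
```

Excluding a single /23 produces one entry per prefix length, so the two /24 LANs in the first post need 23 Phase 2 entries; the first five are exactly the ones listed in the post. The same function shows why a supernet exclusion is attractive: excluding 192.168.0.0/23 directly yields the identical list, while scattering local subnets across unrelated ranges multiplies the entries (and the Security Associations) that both peers must carry.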
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.