Route Specific IPSec traffic out WAN? - SOLVED
Setup (see attached image):
I have two pfSense boxes in HA using CARP and virtual IPs for WAN, LAN, and IPSec.
I have used the AWS IPSec Wizard to set up an IPSec tunnel between my AWS and my HQ, which terminates on my pfSense box on WAN public IP #2 (a virtual IP).
The default route out of my HQ pfSense is WAN public IP #1 (a virtual IP).
I have set up an "OpenVPN Access Server" VM in AWS.
In AWS I have added network routes to force traffic bound for the HQ LAN and the remote web app's IP, to be routed through the IPSec tunnel to the HQ pfSense box.
The OpenVPN Access Server NATs all clients to the private LAN of AWS.
I have a third party site web app that only allows my HQ public IP #1 to access.
OpenVPN clients can connect to the OpenVPN server and access servers at my HQ LAN via the IPSec tunnel between AWS and HQ.
What doesn't work:
I cannot get my OpenVPN clients to access the remote web app via routing through the HQ pfSense box.
When I do a packet capture on the HQ pfSense box looking at all traffic from the OpenVPN VM's private IP, I see all client traffic to all HQ hosts, but I don't see any traffic when clients try to access the remote web app.
How can I prove that client traffic bound for the remote web app is getting to the pfSense box?
Is there a firewall rule and/or NAT rule I need to put in place on the pfSense?
UPDATE: I did a tcpdump on a different interface on the pfSense box (igb03), looking at all traffic to and from the remote web app public IP.
I see traffic from the OpenVPN box going out the public IP #2 of the pfSense box. Now I just need to figure out how to get that traffic to go out as public IP #1 and I'm good.
Nope. I'm still stuck.
I can't tell where to track the traffic from my OpenVPN server that is coming into pfSense, getting NAT'ed, and sent back out as a different public IP towards the Web App's public IP. I also can't find the return traffic from the Web App coming back in, getting NAT'ed and going out to my OpenVPN server.
Anyone know how I can track these traffic patterns?
I got second tier support from Christopher M. Buechler who noticed that I needed to add an additional Phase 2 network to my IPSec tunnel on the HQ end. The Phase 2 entry specified the remote network as the private range in AWS, and the local range of the remote WebApp. Now all works correctly.
It appears that the current Netgate image of pfSense, with its "AWS VPC VPN Wizard", configures the IPSec connections in a way that is no longer compatible with AWS. I guess AWS changed something since this wizard was created. AWS said that both tunnels created by the pfSense wizard should not be active at the same time, and that one should be in standby. I opened a ticket with Netgate support about this on May 4th, and hope to get this resolved before too long.
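The fix in this thread (an extra Phase 2 entry pairing the AWS private range with the web app's address) comes down to how policy-based IPsec selects traffic: a packet only enters the tunnel if its source/destination pair matches one of the Phase 2 local/remote network pairs, so OpenVPN-client traffic for the web app was silently dropped on the AWS side rather than ever reaching pfSense. The following Python model, which is an added illustration and not code from the thread, from pfSense, or from AWS, shows that selector check for the original and the fixed configuration. Every address and network in it is a constructed placeholder (RFC 1918 and TEST-NET ranges), not the poster's real addressing; NAT to public IP #1 is outside what this model covers.

```python
"""Policy-based IPsec Phase 2 selector check (added illustration).

Each Phase 2 entry is a (local network, remote network) pair. A flow is only
encapsulated if its source and destination both fall inside one pair, in either
direction. All addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Phase2:
    local_net: IPNet   # network on the HQ (pfSense) side of the tunnel
    remote_net: IPNet  # network on the AWS side of the tunnel


# Constructed placeholder topology (not the real deployment).
HQ_LAN = ipaddress.ip_network("192.168.10.0/24")       # HQ private LAN
AWS_PRIVATE = ipaddress.ip_network("10.0.0.0/16")      # AWS VPC private range
WEBAPP = ipaddress.ip_network("203.0.113.50/32")       # third-party web app (TEST-NET-3)
OPENVPN_VM = "10.0.1.25"                               # OpenVPN Access Server's private IP

# Wizard-style configuration: one Phase 2 covering HQ LAN <-> AWS VPC only.
ORIGINAL_P2 = [Phase2(HQ_LAN, AWS_PRIVATE)]

# Fix described in the thread: additional Phase 2 whose "local" side is the
# web app's address and whose "remote" side is the AWS private range.
FIXED_P2 = ORIGINAL_P2 + [Phase2(WEBAPP, AWS_PRIVATE)]


def matching_phase2(p2_list: Iterable[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the Phase 2 entry whose selectors cover src -> dst, or None.

    Traffic arriving from AWS has src in remote_net and dst in local_net;
    HQ-originated (or return) traffic is the reverse. Anything that matches no
    pair is not encapsulated and never crosses the tunnel.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for p2 in p2_list:
        if s in p2.remote_net and d in p2.local_net:
            return p2
        if s in p2.local_net and d in p2.remote_net:
            return p2
    return None


def will_tunnel(p2_list: Iterable[Phase2], src: str, dst: str) -> bool:
    """True if the flow is selected by some Phase 2 entry."""
    return matching_phase2(p2_list, src, dst) is not None


def tunnel_report(p2_list: Iterable[Phase2], flows: Iterable[tuple]) -> dict:
    """Map each (src, dst) flow to the matching Phase 2 (or None) for review."""
    return {flow: matching_phase2(p2_list, *flow) for flow in flows}


if __name__ == "__main__":
    flows = [
        (OPENVPN_VM, "192.168.10.5"),   # client -> HQ host: worked in both configs
        (OPENVPN_VM, "203.0.113.50"),   # client -> web app: only works after the fix
    ]
    for label, cfg in (("original", ORIGINAL_P2), ("fixed", FIXED_P2)):
        print(label)
        for flow, p2 in tunnel_report(cfg, flows).items():
            print(f"  {flow[0]} -> {flow[1]}: "
                  f"{'tunneled via ' + str(p2.local_net) if p2 else 'NOT selected'}")
```

Running the block prints one line per flow for each configuration; the web-app flow shows "NOT selected" under the original Phase 2 list and "tunneled via 203.0.113.50/32" after the extra entry is added, which is the same behaviour the packet capture in the thread exposed (HQ-bound traffic visible, web-app-bound traffic absent).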