Draytek to pfsense route all traffic



We are looking to implement the following solution for a potential client, who wants to see a proof of concept first.

    Site A
    Draytek 2860 Router
    Private LAN direct internet access and VPN to HQ
    Public WiFi all traffic route down VPN to pfsense captive portal and then out to the internet following authentication

    Site B
    Pfsense 2.3_1
    Captive Portal to authenticate guest users at remote sites whose traffic arrives via VPN.

    There are 120 ‘A’ sites total.

    I understand how to route all traffic down VPN using these instructions:
    https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

    The issue:
    I can create a stable VPN connection from Draytek 2860 to pfSense 2.3, and I can create the rule on the Draytek to route all traffic for the guest subnet down the VPN tunnel. When the traffic arrives at pfSense it doesn’t route because the phase 2 is only configured for the LAN subnet, not 0.0.0.0 as per the guide. When I configure for 0.0.0.0 the tunnel doesn’t come up because the phase 2 doesn’t match the Draytek. I can’t change the Draytek to match 0.0.0.0 because 1) it doesn’t support 0.0.0.0/0 and 2) I don’t want ALL traffic on all subnets on the Draytek sent via the VPN.

    So is there a way to have pfSense route traffic from the VPN tunnel to the captive portal and then out to the internet without configuring 0.0.0.0 on the phase 2? All rules I have tried don’t appear to be applied ‘high enough up’ and I see packets blocked based on the “default deny rule ipv4” – at this point we are right at the limit of my understanding of the inner workings of routing/firewalling/pfSense, so please excuse me if I’ve missed something blindingly obvious!

    Thanks
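As an added illustration (not part of the post above, and not pfSense or Draytek code), a small Python model of why the two phase 2 choices behave differently: phase 2 selectors must be mirror images on both peers, and a decrypted packet is only carried by a child SA whose selector covers its source and destination. All network values are constructed placeholders.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Phase2(NamedTuple):
    """One IPsec phase 2 (child SA) selector pair, written from pfSense's point of view."""
    local: str   # network behind pfSense
    remote: str  # network behind the Draytek


def peer_view(p2: Phase2) -> Phase2:
    """The same phase 2 as the Draytek must configure it (local/remote swapped)."""
    return Phase2(local=p2.remote, remote=p2.local)


def selectors_agree(pfsense: Phase2, draytek: Phase2) -> bool:
    """Phase 2 only comes up when each side's local network equals the peer's remote."""
    return (ipaddress.ip_network(pfsense.local) == ipaddress.ip_network(draytek.remote)
            and ipaddress.ip_network(pfsense.remote) == ipaddress.ip_network(draytek.local))


def carrying_sa(phase2s: List[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the phase 2 entry whose selector covers a packet decrypted at pfSense
    (src behind the Draytek, dst beyond pfSense), or None if no child SA covers it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in phase2s:
        if s in ipaddress.ip_network(p2.remote) and d in ipaddress.ip_network(p2.local):
            return p2
    return None


# Constructed sample networks (placeholders, not taken from the post).
GUEST = "192.168.50.0/24"   # public WiFi subnet at a site A
HQ_LAN = "10.0.0.0/24"      # LAN behind pfSense at site B
ANY = "0.0.0.0/0"

LAN_ONLY = [Phase2(local=HQ_LAN, remote=GUEST)]          # the phase 2 the Draytek accepts today
WITH_ANY = LAN_ONLY + [Phase2(local=ANY, remote=GUEST)]  # the extra phase 2 from the pfSense guide

if __name__ == "__main__":
    # Guest-to-HQ traffic is covered either way; internet-bound guest traffic is only
    # covered by the 0.0.0.0/0 entry, which in turn only negotiates if the Draytek
    # offers the mirror image (remote 0.0.0.0/0), which it cannot express.
    print(carrying_sa(LAN_ONLY, "192.168.50.20", "10.0.0.5"))
    print(carrying_sa(LAN_ONLY, "192.168.50.20", "198.51.100.7"))
    print(carrying_sa(WITH_ANY, "192.168.50.20", "198.51.100.7"))
    print(selectors_agree(Phase2(ANY, GUEST), peer_view(LAN_ONLY[0])))
```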
