
Topic: site-to-site wan traffic through site B BUT with exceptions


Offline hege

site-to-site wan traffic through site B BUT with exceptions
« on: November 20, 2017, 12:03:42 pm »
Hi,

I want to route all my internet traffic through site B, but I have to make some exceptions.

To do this I made a simple S2S Setup - LAN<->0.0.0.0/0 with Traffic Rules to allow the traffic.

At this point I'm able to connect to internet sites with my public IP on site B, but now I need to make an exception for IP 10.20.30.40/32.

I thought I could do this by simply adding a firewall rule on site A and specifying the gateway, but this doesn't work - all the traffic from site A (LAN 2 WAN) goes to site B.

Setup:

   WAN - A                        WAN - B
      |                              |
      |          S2S ipsec           |
   FW - Site A  ------------  FW - Site B
      |                              |
 LAN (10.20.30.0/24)        LAN (10.20.31.0/24)

I also tried to use the usual P2 setting LAN-A <-> LAN-B but added an additional gateway (with the property "allow outside interface range" on), but this also does not work.

All help is gratefully accepted.

Offline jimp

Re: site-to-site wan traffic through site B BUT with exceptions
« Reply #1 on: December 07, 2017, 07:37:40 am »
You can't make exceptions for IPsec like that. It isn't routed; it uses security policies defined in the kernel. You can't bypass these completely with policy routing because the kernel won't allow the traffic to take a path that doesn't match the security policy.

If you use OpenVPN it would work exactly like you want.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline hege

Re: site-to-site wan traffic through site B BUT with exceptions
« Reply #2 on: December 07, 2017, 10:12:07 am »
Hi jimp,

thanks for your answer, so if I'm understanding you correctly, this also means that I cannot use an additional gateway on the site B side? (the "Use non-local gateway" option)

Unfortunately OpenVPN is not an option because of the missing support on site B.

Offline jimp

Re: site-to-site wan traffic through site B BUT with exceptions
« Reply #3 on: December 07, 2017, 10:16:23 am »
Gateways and routing mean nothing to IPsec. Traffic either matches the P2 definition or it doesn't.
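The point jimp makes in replies #1 and #3 (IPsec is policy-based, so the gateway on a firewall rule is never consulted and only the P2 selectors decide) as an added Python model; this is illustration code written for this page, not pfSense or the kernel's SPD, and the function names, the 203.0.113.10 test destination and the idea of splitting the local P2 network into blocks that omit the exception host are assumptions of the example (the split would also have to be mirrored in site B's P2 list).

```python
# Added illustration (not pfSense or kernel code): a minimal model of how an
# IPsec security policy database (SPD) selects traffic. It shows why a firewall
# rule with a different gateway cannot carve an exception out of a
# LAN-A <-> 0.0.0.0/0 Phase 2, and that only the P2 selectors decide.
import ipaddress

SITE_A_LAN = "10.20.30.0/24"        # from the thread
EXCEPTION_HOST = "10.20.30.40"      # the host that should use WAN-A directly
INTERNET_DST = "203.0.113.10"       # constructed test destination

def spd_lookup(policies, src, dst):
    """Return the action of the first policy whose (local, remote)
    selectors cover the packet, or None when no policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, action in policies:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return action
    return None

def verdict(policies, src, dst, gateway="WAN-A"):
    """What happens to the packet. The gateway chosen by a firewall rule is
    only consulted when no SPD entry matches, which is why policy routing
    cannot override a matching P2."""
    action = spd_lookup(policies, src, dst)
    return action if action else f"routed via {gateway}"

def exclude_host(network, host):
    """CIDR blocks covering `network` minus `host` (assumed approach: put the
    exception into the P2 selectors themselves, mirrored on site B)."""
    net = ipaddress.ip_network(network)
    return [str(n) for n in net.address_exclude(ipaddress.ip_network(host))]

# The thread's setup: one P2 sending everything from LAN-A to site B.
CATCH_ALL_P2 = [(SITE_A_LAN, "0.0.0.0/0", "ipsec-to-site-b")]

# Alternative: several P2 entries whose local selectors omit the exception host.
SPLIT_P2 = [(n, "0.0.0.0/0", "ipsec-to-site-b")
            for n in exclude_host(SITE_A_LAN, EXCEPTION_HOST + "/32")]

if __name__ == "__main__":
    for name, pol in (("catch-all P2", CATCH_ALL_P2), ("split P2", SPLIT_P2)):
        print(f"{name}: {EXCEPTION_HOST} -> {verdict(pol, EXCEPTION_HOST, INTERNET_DST)}")
        print(f"{name}: 10.20.30.50 -> {verdict(pol, '10.20.30.50', INTERNET_DST)}")
```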