Topic: site-to-site wan traffic through site B BUT with exceptions

Offline hege

  • Full Member
  • Posts: 111
  • Karma: +4/-0
site-to-site wan traffic through site B BUT with exceptions
« on: November 20, 2017, 12:03:42 pm »
Hi,

I want to route all my internet traffic through site B, but I have to make some exceptions.

To do this I made a simple S2S setup (LAN <-> 0.0.0.0/0) with traffic rules to allow the traffic.

At this point I'm able to connect to internet sites with my public IP on site B, but now I need to make an exception for IP 10.20.30.40/32.

I thought I could do this by simply adding a firewall rule on site A and specifying the gateway, but this doesn't work: the whole traffic from site A (LAN to WAN) goes to site B.

Setup:

      WAN - A                          WAN - B
         |                                |
         |          S2S IPsec             |
     FW - Site A  ----------------  FW - Site B
         |                                |
  LAN (10.20.30.0/24)             LAN (10.20.31.0/24)

I also tried to use the usual P2 setting LAN-A <-> LAN-B but added an additional gateway (with the "allow outside interface range" property on), but this also does not work.

All help is gratefully accepted.

Offline jimp

  • Administrator
  • Hero Member
  • Posts: 21571
  • Karma: +1471/-26
Re: site-to-site wan traffic through site B BUT with exceptions
« Reply #1 on: December 07, 2017, 07:37:40 am »
You can't make exceptions for IPsec like that. It isn't routed, it uses security policies defined in the kernel. You can't bypass these completely with policy routing because the kernel won't allow the traffic to take a path that doesn't match the security policy.

If you use OpenVPN it would work exactly like you want.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline hege

  • Full Member
  • Posts: 111
  • Karma: +4/-0
Re: site-to-site wan traffic through site B BUT with exceptions
« Reply #2 on: December 07, 2017, 10:12:07 am »
Hi jimp,

thanks for your answer. So if I'm understanding you correctly, this also means that I cannot use an additional gateway located on site B (the "Use non-local gateway" option)?

Unfortunately OpenVPN is not an option because of the missing support on site B.

Offline jimp

  • Administrator
  • Hero Member
  • Posts: 21571
  • Karma: +1471/-26
Re: site-to-site wan traffic through site B BUT with exceptions
« Reply #3 on: December 07, 2017, 10:16:23 am »
Gateways and routing mean nothing to IPsec. Traffic either matches the P2 definition or it doesn't.

Offline johnpoz

  • Hero Member
  • Posts: 15187
  • Karma: +1414/-206
  • Not a pfSense employee, they cannot fire me...
Re: site-to-site wan traffic through site B BUT with exceptions
« Reply #4 on: December 18, 2017, 07:26:12 am »
Quote: "OpenVPN is not an option because of the missing support on site B"

Why not just update site B then, say put in a pfSense box. Problem solved.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline hege

  • Full Member
  • Posts: 111
  • Karma: +4/-0
Re: site-to-site wan traffic through site B BUT with exceptions
« Reply #5 on: December 18, 2017, 12:30:27 pm »
I think I solved it myself.

My solution:

IPsec transport mode between site A and site B
GRE tunnel over the IPsec-secured connection
Custom gateway with custom static routes
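The difference between jimp's answer (a policy-based tunnel-mode P2 ignores gateways and policy routes) and the final GRE-over-transport-mode solution comes down to the order in which the kernel applies the routing decision and the IPsec security policy database (SPD). The following is an added model written for this page, not pfSense or strongSwan code: it implements longest-prefix-match routing, pf-style "firewall rule with gateway" policy routing for a source host, and a first-match SPD lookup, then runs the thread's topology through both designs. The WAN addresses (203.0.113.1 and 198.51.100.1) and the internet destination 192.0.2.10 are assumptions; the LAN prefixes and the 10.20.30.40/32 exception come from the thread.

```python
import ipaddress

# Constructed topology from the thread's diagram. WAN endpoint addresses are
# assumptions (the thread does not give them); the LANs and the exception host
# are the values the poster used.
LAN_A = ipaddress.ip_network("10.20.30.0/24")
LAN_B = ipaddress.ip_network("10.20.31.0/24")
WAN_A = ipaddress.ip_address("203.0.113.1")   # assumed site A WAN IP
WAN_B = ipaddress.ip_address("198.51.100.1")  # assumed site B WAN IP
ANY = ipaddress.ip_network("0.0.0.0/0")
EXCEPTION_HOST = ipaddress.ip_network("10.20.30.40/32")


def lpm_lookup(routes, dst):
    """Longest-prefix match over a list of (network, egress) pairs."""
    best = None
    for net, egress in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def spd_action(spd, src, dst):
    """First-match lookup in an IPsec SPD given as (local, remote, action)."""
    for local, remote, action in spd:
        if src in local and dst in remote:
            return action
    return "bypass"


def egress_for(src, dst, routes, policy_routes, spd):
    """Model of the output path for one packet.

    1. A firewall rule with a gateway (pf route-to) overrides the routing
       table for matching sources; otherwise the routing table decides.
    2. The kernel SPD is consulted afterwards. A packet matching an 'ipsec'
       policy is encapsulated into the SA regardless of step 1, which is
       why a policy route cannot carve an exception out of a tunnel-mode P2.
    """
    egress = None
    for selector, gateway in policy_routes:
        if src in selector:
            egress = gateway
            break
    if egress is None:
        egress = lpm_lookup(routes, dst)
    if spd_action(spd, src, dst) == "ipsec":
        return "ipsec-sa-to-siteB"
    return egress


# Firewall rule on site A: traffic from the exception host uses the WAN gateway.
POLICY_ROUTES = [(EXCEPTION_HOST, "wan_a")]

# Design 1 (thread's first attempt): tunnel-mode P2 LAN_A <-> 0.0.0.0/0.
TUNNEL_SPD = [(LAN_A, ANY, "ipsec")]

# Design 2 (thread's solution): transport-mode IPsec that only protects
# traffic between the two WAN IPs, i.e. the GRE packets. LAN traffic is
# routed over the gre0 interface and never matches this SPD itself.
TRANSPORT_SPD = [
    (ipaddress.ip_network(f"{WAN_A}/32"), ipaddress.ip_network(f"{WAN_B}/32"), "ipsec"),
]


def policy_based(src_ip, dst_ip):
    """Egress under design 1: default route via WAN, P2 policy does the 'routing'."""
    routes = [(ANY, "wan_a")]
    return egress_for(ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip),
                      routes, POLICY_ROUTES, TUNNEL_SPD)


def route_based(src_ip, dst_ip):
    """Egress under design 2: static default route via the GRE gateway."""
    routes = [(ANY, "gre0"), (LAN_B, "gre0")]
    return egress_for(ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip),
                      routes, POLICY_ROUTES, TRANSPORT_SPD)


def gre_outer_protected():
    """The GRE outer packet (WAN_A -> WAN_B) is what the transport-mode SPD covers."""
    return spd_action(TRANSPORT_SPD, WAN_A, WAN_B) == "ipsec"


if __name__ == "__main__":
    for design in (policy_based, route_based):
        for src in ("10.20.30.40", "10.20.30.50"):
            print(design.__name__, src, "->", design(src, "192.0.2.10"))
    print("GRE outer packet protected:", gre_outer_protected())
```

Under design 1 both the exception host and an ordinary LAN host end up in the SA even though the firewall rule selected the WAN gateway, matching jimp's description. Under design 2 the exception host leaves via wan_a while everyone else is routed into gre0, and only the GRE outer packets between the WAN endpoints hit the transport-mode policy. The practical caveat is that the exception host's traffic now exits site A's WAN in the clear, so the site A outbound NAT and WAN rules must cover it explicitly.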