
Topic: Static route to overlapping IPSEC subnet


Fred9176
Static route to overlapping IPSEC subnet
« on: December 21, 2017, 09:53:48 am »
Hello,

I have a working instance of pfSense 2.4.2 with the following setup:

- LAN is on 10.1.1.0/24 (pfsense is 10.1.1.244)
- I have an IPSEC tunnel through WAN with remote subnet 192.168.0.0/16 which works fine
- The LAN network has another router on 10.1.1.254

I need to access a network through this second router. This network is 192.168.1.0/24 (overlapping with IPSec remote subnet).

On a server in the LAN network (with default gateway set to pfsense (10.1.1.244)), if I add a route to 192.168.1.0/24 via 10.1.1.254 (other router), it works fine.

But when I add this static route in pfSense, I can't access this subnetwork. It seems, looking in Diagnostics/States, that it sends packets through the IPSec interface instead of LAN.

I also tried to specify a gateway in firewall rules for this subnet without success.

Is there any way to achieve this setup?

Thank you very much for your help.

Regards,

Fred

Derelict (Global Moderator)
Re: Static route to overlapping IPSEC subnet
« Reply #1 on: December 21, 2017, 12:00:46 pm »
It might work if you use policy-based routing for the 192.168.1.0/24 destination on the LAN interface, bypassing IPsec.

It's a big might.

It sounds like you tried that though. You might want to post what you've tried because, at a minimum, that should at least send the traffic out the correct gateway instead of IPsec.

That's why it is not recommended you configure large swaths of space like 192.168.0.0/16 anywhere. Running into conflicts with other sites is pretty much inevitable when you do that.
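The behaviour Fred describes and the policy-routing workaround Derelict suggests, as an added model (not pfSense or forum code): a plain routing-table lookup would prefer the /24 static route, but on the firewall the IPsec phase 2 policy (SPD) is consulted before the routing table, so the overlapping /16 grabs the traffic. The evaluation order here (policy-routing rule, then IPsec SPD, then routing table) is an assumption of this model; the addresses are the ones from the thread.

```python
import ipaddress

# Constructed from the thread: routing table, IPsec phase 2 (local -> remote)
# and the static route the poster added. Not real pfSense data structures.
ROUTES = [
    ("0.0.0.0/0", "WAN"),
    ("10.1.1.0/24", "LAN"),
    ("192.168.1.0/24", "10.1.1.254"),   # static route via the other LAN router
]
IPSEC_SPD = [("10.1.1.0/24", "192.168.0.0/16")]   # phase 2: local -> remote


def longest_prefix_route(dst):
    """Plain routing-table lookup: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1]


def spd_match(src, dst):
    """True if src/dst fall inside any IPsec phase 2 selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote)
               for local, remote in IPSEC_SPD)


def forward(src, dst, policy_rules=()):
    """Model of where the firewall sends a LAN packet.

    Assumed order (this model's assumption): a policy-routing firewall rule
    with a gateway set is honoured first, then the IPsec SPD, then the
    routing table. policy_rules is a list of (destination prefix, gateway).
    """
    d = ipaddress.ip_address(dst)
    for prefix, gateway in policy_rules:
        if d in ipaddress.ip_network(prefix):
            return f"route-to {gateway}"
    if spd_match(src, dst):
        return "IPsec tunnel"
    return f"route via {longest_prefix_route(dst)}"


if __name__ == "__main__":
    print(forward("10.1.1.10", "192.168.1.5"))                # IPsec tunnel
    lan_rule = [("192.168.1.0/24", "10.1.1.254")]
    print(forward("10.1.1.10", "192.168.1.5", lan_rule))      # route-to 10.1.1.254
    print(forward("10.1.1.10", "192.168.50.1", lan_rule))     # still IPsec tunnel
```

With the policy rule limited to 192.168.1.0/24, the rest of 192.168.0.0/16 still reaches the tunnel, which is the check to make after adding such a rule.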