Last Updated on August 9, 2022 by Thiago Crepaldi
Yeah, I know, I need to work on shorter titles 😀
In a previous post you may have created an IPsec tunnel connecting your home and office (or something similar). That is useful on its own, but you may also want all Internet traffic to leave through, for the sake of this post, Site B.
A valid reason for such a setup could be geographical restrictions, or Site B having a static public IP that is allowed to reach resources not reachable from Site A’s public IP, or whatever other cool reason. We can do that with outbound NAT and a few extra tricks.
Similar to this post and this post, we will not send all of Site A’s traffic through Site B (although I can write about it if needed). Instead, we will create a new Wi-Fi network on Site A (e.g. SSID Internet_through_SiteB) whose Internet traffic is routed through Site B. The rest of Site A’s network (everything other than Internet_through_SiteB) keeps using its own default gateway. This is a more selective approach that saves bandwidth at both sites!
Site A
Create a new WiFi network
If you have a Unifi Switch, you can create a new WiFi network as described here. If you have a Unifi Dream Machine Pro instead, this post is the one!
I recommend using a VLAN ID between 2 and 254, so that the VLAN ID can double as an octet of the VLAN’s IP range. For example, if the VLAN subnets are carved out of 10.0.0.0/8, VLAN ID 92 gets 10.92.0.0/24 as its network, which makes connections easy to identify in later analysis. Let’s adopt VLAN 92 for this post!
At this point, you have a new WiFi that doesn’t work due to incomplete VLAN configuration. You can fix this by following this tutorial on how to setup a VLAN on your pfSense. Use the following parameters during this step:
- LAN Address: 10.92.0.1/24
- VLAN ID: 92
- DHCP Range: 10.92.0.100-10.92.0.199 (the whole range must lie inside 10.92.0.0/24 and must not include the gateway address)
- NTP/DNS server: 10.92.0.1
- Domain name: lan.domain.com
- Gateway: IPSEC_SITES_A_B_VTIV4, the VTI gateway created by the routed IPsec tunnel toward Site B
- This is the secret to getting the traffic through Site B: selecting that gateway policy-routes everything from this VLAN into the tunnel instead of out through Site A’s WAN. One caveat: the VLAN’s DNS server is pfSense itself (10.92.0.1), and its resolver still sends its own queries out Site A’s default gateway unless you restrict its outgoing interface, so DNS lookups can reveal Site A’s location even though the web traffic exits at Site B.
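As an added example (not code from the original post), here is a small Python helper that applies the addressing convention above: it derives the VLAN’s /24 from its ID, checks that the DHCP range really lies inside that subnet and does not swallow the gateway, and emits the matching Site B values (outbound NAT source network and static route destination) so that both sites name the same subnet. The 10.0.0.0/8 base, the /24 per VLAN and the .1 gateway are assumptions taken from the convention used in this post, not pfSense defaults.

```python
import ipaddress

# Assumptions for this example (not from the original post): VLAN subnets are
# carved out of 10.0.0.0/8 as 10.<vlan_id>.0.0/24, and the first host address
# of each subnet is the VLAN's LAN / DNS / NTP address on pfSense.
BASE_NETWORK = ipaddress.ip_network("10.0.0.0/8")
VLAN_PREFIX_LEN = 24


def vlan_network(vlan_id: int) -> ipaddress.IPv4Network:
    """Map a VLAN ID onto its subnet, keeping the ID visible in the second octet."""
    if not 2 <= vlan_id <= 254:
        raise ValueError(f"VLAN ID {vlan_id} is outside 2-254 and cannot be used as an octet")
    net = ipaddress.ip_network(f"10.{vlan_id}.0.0/{VLAN_PREFIX_LEN}")
    if not net.subnet_of(BASE_NETWORK):
        raise ValueError(f"{net} is not inside {BASE_NETWORK}")
    return net


def dhcp_range_problems(net, start, end, gateway):
    """Return the reasons a DHCP range is unusable for `net` (empty list means OK)."""
    start_ip, end_ip = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if start_ip not in net or end_ip not in net:
        # This is exactly the mistake a typo like 10.92.100.199 introduces.
        problems.append(f"range {start}-{end} is not contained in {net}")
    if start_ip > end_ip:
        problems.append(f"range start {start} is after range end {end}")
    if start_ip <= gateway <= end_ip:
        problems.append(f"gateway {gateway} lies inside the DHCP range")
    return problems


def vlan_plan(vlan_id, dhcp_start, dhcp_end):
    """Produce the Site A interface settings and the Site B NAT/route settings
    for one VLAN, refusing to emit anything if the DHCP range is inconsistent."""
    net = vlan_network(vlan_id)
    gateway = net.network_address + 1
    problems = dhcp_range_problems(net, dhcp_start, dhcp_end, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "site_a_lan_address": f"{gateway}/{net.prefixlen}",
        "site_a_vlan_id": vlan_id,
        "site_a_dhcp_range": f"{dhcp_start}-{dhcp_end}",
        "site_a_dns_ntp": str(gateway),
        # Both Site B settings must name the same /24; a bare "10.92.0.0" with no
        # mask, or a different subnet, means return traffic never finds the tunnel.
        "site_b_nat_source_network": str(net),
        "site_b_static_route_destination": str(net),
    }


if __name__ == "__main__":
    import json

    print(json.dumps(vlan_plan(92, "10.92.0.100", "10.92.0.199"), indent=2))
    # A range whose end falls outside the /24 is reported instead of silently accepted.
    gw = vlan_network(92).network_address + 1
    print(dhcp_range_problems(vlan_network(92), "10.92.0.100", "10.92.100.199", gw))
```

Run it once per VLAN before touching the pfSense UI; the dictionary it prints is the list of values you type into the Site A interface/DHCP pages and the Site B outbound NAT and static route forms.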
Site B
Create NAT Outbound
Site B must now translate the traffic arriving from Site A’s new VLAN to its own public address before it leaves for the Internet (this follows the Netgate recipe linked in the References). Also make sure the firewall rules on Site B’s IPsec interface allow traffic from 10.92.0.0/24 to any destination, not only to Site B’s local networks; otherwise the packets are dropped before they ever reach the NAT step.
Go to Firewall >> NAT >> Outbound and change Outbound NAT Mode to Hybrid Outbound NAT rule generation. This keeps the automatically generated rules and lets you add manual rules on top of them. Confirm the selection by clicking Save and Apply changes!
Next, click on Add at the Mappings section and do as follows:
- Edit Advanced Outbound NAT Entry
- Disabled: unchecked
- Do not NAT: unchecked
- Interface: WAN (outbound NAT is matched on the interface the traffic leaves through, which for Internet-bound traffic is Site B’s WAN, not the IPsec interface it arrived on)
- Address Family: IPv4
- Protocol: Any
- Source
- Type: Network
- Source network: 10.92.0.0/24
- Port or range: empty
- Destination
- Type: Any
- Destination network: empty
- Port or range: empty
- Translation
- Address: Interface address
- Port or Range: empty
- Misc
- No XMLRPC Sync: unchecked
- Description: NAT for IPsec tunnel Site A
Press the usual Save and Apply changes buttons.
Create static route to Site A subnet
Navigate to System >> Routing >> Static Routes, click on Add and do as follow:
- Edit Route Entry
- Destination network: 10.92.0.0/24
- Gateway: the IPsec VTI gateway of the tunnel toward Site A (this is what sends the return traffic for 10.92.0.0/24 back into the tunnel)
- Disabled: unchecked
- Description: IPSec Route to Site A subnet
The usual Save and Apply changes completes the configuration on Site B.
Verifying things…
That is it. Go to Site A, connect to the new WiFi network and visit myip.com to verify that the public IP shown is the one belonging to Site B’s WAN. Then connect to one of Site A’s other networks and check that it still shows Site A’s public IP, which confirms that only the new VLAN is being routed through the tunnel.
References
- https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-route-internet-traffic.html#configure-outbound-nat
- https://pfsense-docs.readthedocs.io/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html#configure-outbound-nat