Seems solved, we were missing a NAT rule for the IPSec subnet, squid handling via NAT will be looked at later ;-)
On 08.02.2012 at 12:32, "Fuchs, Martin" <[email protected]> wrote:

> Hi again !
>
> Now we have established a tunnel with our mobile ISP.
> The tunnel config is as follows:
>
> Local subnet: 0.0.0.0/0 and the remote subnet is 172.17.5.0/24
> The intention is that ALL traffic from the mobile device is routed thru our pfSense.
> Traffic to our local subnets 10.x.x.x works fine, but traffic to WAN (anything except 10.x.x.x) does not work.
> It seems to me as if a route is missing, because how should the tunnel device (mobile device) know where to route the rest of the traffic (except 10.x.x.x) ?
> But can I only add a route for physical devices or does pfSense automatically know the routing ?
> The tunnel is established over IPSec...
>
> (mobile) --- (CDA-Provider) --- (tunnel) --- (pfSense) --- WAN
>
> Now the question is how to pass the traffic from the mobile device thru the pfSense to WAN and back ?
>
> I simply do not get it working :-(
>
> I'm happy for any ideas...
>
> Regards,
>
> Martin
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On behalf of Fuchs, Martin
> Sent: Friday, 3 February 2012 16:34
> To: pfSense support and discussion
> Subject: Re: [pfSense] squid over ipsec dial-in
>
> Hi !
>
> I'll have to wait now until Wednesday when our ISP will establish the IPSec tunnel and then we'll try further ;-)
>
> Thanks so far,
>
> Martin
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On behalf of Jim Pingle
> Sent: Thursday, 2 February 2012 17:12
> To: pfSense support and discussion
> Subject: Re: [pfSense] squid over ipsec dial-in
>
> On 2/2/2012 10:32 AM, Fuchs, Martin wrote:
>> For OpenVPN you mean assign the OpenVPN as an interface under interfaces -> assign ?
>> Sounds reasonable...
>
> Yep. When it's assigned there you can do NAT (inbound or out) and even listen on the interface.
>
>> But how would I do such a port forward inbound ?
>> I tried to set up a NAT rule "from IPSec to any dst tcp 80 forward to 127.0.0.1:3128" but it seemed it did not work (but perhaps I missed sth...)
>> But that would be the right way, correct ?
>
> Sounds about right. I've never tried that so I didn't know if it would work, but I suspected it wouldn't given the history of IPsec+NAT.
>
> Jim
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
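The missing piece named in the resolution at the top of the thread, shown as an added example that is not from the list thread or from pfSense's own generated ruleset: a pf.conf fragment with the outbound NAT rule that lets the remote IPsec subnet 172.17.5.0/24 reach the WAN, alongside filter rules that limit what that subnet may do once the firewall is its default gateway. The interface names (em0 for WAN, enc0 for IPsec) and the rule shapes are assumptions; pfSense writes its rules from the GUI (Firewall > NAT > Outbound in manual or hybrid mode, and the IPsec tab under Firewall > Rules), so this illustrates the effect to aim for rather than text to paste into pfSense.

```pf
# Constructed example; interface names are assumptions, not the poster's config.
wan_if    = "em0"
ipsec_if  = "enc0"            # IPsec traffic appears on enc0 in pfSense 2.x
ipsec_net = "172.17.5.0/24"   # remote subnet from the thread

# Outbound NAT for the IPsec subnet. Without this rule, packets from the mobile
# device leave the WAN with a 172.17.5.x source address and the replies never
# return, which matches the "works to 10.x.x.x, not to WAN" symptom.
nat on $wan_if from $ipsec_net to any -> ($wan_if)

# With 0.0.0.0/0 as the local subnet, this firewall is the egress for ALL of the
# mobile device's traffic, so the IPsec rules decide what it may reach.
# pf evaluates rules last-match-wins, so the block comes first and the more
# specific pass rules after it override it for the traffic they name.
block in log on $ipsec_if from $ipsec_net to any
pass  in on $ipsec_if from $ipsec_net to 10.0.0.0/8
pass  in on $ipsec_if proto tcp from $ipsec_net to ! 10.0.0.0/8 port { 80 443 }
```

The port-80 redirect to squid on 127.0.0.1:3128 that the thread leaves for later would be a separate rdr rule on the IPsec interface; it is left out here because, as Jim's reply notes, its behaviour over IPsec was unverified in this discussion.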
