I'd do the same as Bill described. But regardless, in the diagram you provided, you don't need or want a default route on your LAN to accomplish this. You don't need any routes on the VPN pfsense box, and on the primary at both sites you would need routes pointing the remote VPN subnet to the LAN IP of the VPN pfsense box. This will generate an ICMP redirect for VPN-bound packets, though after the first the sending host should remember it for a while, so it isn't going to be sending one redirect per packet. Sending ICMP redirects isn't pretty, but it generally isn't going to cause you problems, especially in a limited situation like this. Ideally, I'd do what Bill described, since the routing is much nicer, and the filtering capabilities are much better.

Bill Marquette wrote:

I know this doesn't answer your question and I'm not trying to, but
I'd like to offer my opinion FWIW.  I'd attach the LAN leg from your
pfSense VPN boxes (machine 2 in each location) to a third leg on the
Internet firewall in each location and static route out it.  Sending
ICMP redirects from the primary gateway telling clients to use a
different gateway tends to be somewhat problematic.

--Bill

On 1/23/06, David Strout <[EMAIL PROTECTED]> wrote:
Here is a quick visual of what I have in a couple of locations .......

Let me know if it comes through.
--
David L. Strout
Engineering Systems Plus, LLC


----- Original Message -----
Subject: Re: [pfSense Support] default gateway on LAN ???
From: [EMAIL PROTECTED]
To: [email protected]
Date: 01-23-2006 4:36 pm


David Strout wrote:
I have a ? / feature request. If pfS IS NOT the default GW on the LAN
then I suppose that the only way to direct all traffic out the
"REAL/PRIMARY" GW is to enter a static route for the LAN subnet to an
alternate IP address (that of the default GW for the LAN).
I believe you can enter a route with destination 0.0.0.0/0, which is the
same as your default route. Mind you, that will override your WAN's
default gateway (or they might fight with each other and really screw
stuff up, depending on the situation).


I think that this would be a real nice feature addition for those who
are adding pfS to their already existing LAN, for say a dedicated test
platform, or dedicated VPN concentrator .... or a plethora of other
reasons.
In that type of situation, you either need your pfsense WAN interface
connected to your LAN (hence the default gateway will be correct), or if
you have public IPs to spare, the LAN interface can be on your LAN, and
the WAN on the Internet, and you would still not need any static routes
unless your LAN contains subnets other than the primary LAN subnet.



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]









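The two designs discussed in this thread can be compared side by side with the added simulation below. It is not code from the thread or from pfSense; it models the primary gateway's forwarding decision and a host's redirect cache. The rule it implements is the standard one: a router emits an ICMP redirect when it forwards a packet back out the interface the packet arrived on and both the source and the next hop sit on that interface's network, which is exactly what happens when the VPN subnet route on the primary points at the VPN box's LAN address (the top reply), and never happens when the VPN box hangs off a third leg (Bill's suggestion). All addresses (192.168.1.0/24 local LAN, 192.168.2.0/24 remote VPN subnet, 10.0.0.0/30 third leg, 203.0.113.0/30 and 198.51.100.7 for the public side) are constructed for the example.

```python
"""Simulate ICMP redirect generation for the two VPN-box placements in the thread.

Added example, not from the mailing list or pfSense. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    iface: str
    next_hop: Optional[IPv4] = None  # None means the prefix is directly connected


@dataclass
class Router:
    name: str
    interfaces: dict  # iface name -> ipaddress.IPv4Interface (address + mask)
    routes: list = field(default_factory=list)

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match over the static routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, src: IPv4, dst: IPv4, in_iface: str):
        """Forward one transit packet; return (out_iface, next_hop, redirect_target).

        redirect_target is the gateway the router tells the sender to use next
        time, or None when no ICMP redirect is generated.
        """
        r = self.lookup(dst)
        if r is None:
            return None  # would be an ICMP destination unreachable
        next_hop = r.next_hop if r.next_hop is not None else dst
        redirect = None
        if r.iface == in_iface:  # hairpin: going back out the ingress interface
            net = self.interfaces[in_iface].network
            if src in net and next_hop in net:  # sender could reach next hop directly
                redirect = next_hop
        return r.iface, next_hop, redirect


@dataclass
class Host:
    addr: ipaddress.IPv4Interface
    default_gw: IPv4
    redirect_cache: dict = field(default_factory=dict)  # dst -> learned gateway

    def gateway_for(self, dst: IPv4) -> IPv4:
        if dst in self.addr.network:
            return dst
        return self.redirect_cache.get(dst, self.default_gw)


def build_primary(vpn_on_lan: bool) -> Router:
    """Primary gateway at a site; vpn_on_lan picks the top reply's design (True) or Bill's (False)."""
    lan = ipaddress.IPv4Interface("192.168.1.1/24")
    wan = ipaddress.IPv4Interface("203.0.113.2/30")
    ifaces = {"lan": lan, "wan": wan}
    routes = [
        Route(Net("0.0.0.0/0"), "wan", IPv4("203.0.113.1")),
        Route(lan.network, "lan"),
        Route(wan.network, "wan"),
    ]
    if vpn_on_lan:
        # VPN pfSense box's LAN leg is on the main LAN at 192.168.1.2
        routes.append(Route(Net("192.168.2.0/24"), "lan", IPv4("192.168.1.2")))
    else:
        # VPN pfSense box sits on a dedicated third leg (OPT1) of the primary
        opt1 = ipaddress.IPv4Interface("10.0.0.1/30")
        ifaces["opt1"] = opt1
        routes.append(Route(opt1.network, "opt1"))
        routes.append(Route(Net("192.168.2.0/24"), "opt1", IPv4("10.0.0.2")))
    return Router("primary", ifaces, routes)


def send_vpn_packets(vpn_on_lan: bool, n_packets: int = 3) -> list:
    """A LAN host sends n packets to the remote VPN subnet.

    Returns one (gateway_used, primary_out_iface, redirect_received) tuple per
    packet; primary_out_iface is None when the packet never touched the primary.
    """
    router = build_primary(vpn_on_lan)
    host = Host(ipaddress.IPv4Interface("192.168.1.50/24"), IPv4("192.168.1.1"))
    dst = IPv4("192.168.2.10")
    log = []
    for _ in range(n_packets):
        gw = host.gateway_for(dst)
        if gw == router.interfaces["lan"].ip:
            out_iface, _next_hop, redirect = router.forward(host.addr.ip, dst, "lan")
            if redirect is not None:
                host.redirect_cache[dst] = redirect  # host honours and caches the redirect
            log.append((str(gw), out_iface, redirect is not None))
        else:
            log.append((str(gw), None, False))  # sent straight to the VPN box
    return log


if __name__ == "__main__":
    print("VPN box on LAN:   ", send_vpn_packets(True))
    print("VPN box on OPT1:  ", send_vpn_packets(False))
```

With the VPN box on the LAN, only the first packet transits the primary and triggers a redirect; the host then sends to 192.168.1.2 directly, which matches the top reply's "it isn't going to be sending one redirect per packet". Internet-bound traffic leaves via WAN and never causes a redirect. The caveat to keep in mind is that the redirect only helps if the host accepts it: hardened hosts commonly drop them (Linux `net.ipv4.conf.all.accept_redirects=0`, precisely because a spoofed redirect lets an on-path attacker steal a host's traffic), and a FreeBSD-based box can stop sending them with `net.inet.ip.redirect=0`. In that case every VPN packet still works but hairpins through the primary twice, which is the situation Bill's third-leg design avoids.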