Routing Internet Traffic Through a Site-to-Site IPsec Tunnel

It is possible to use IPsec on a firewall running pfSense® software to send Internet traffic from a remote site such that it appears to be coming from another location. This may be needed if a vendor requires that connections originate from a specific address.

The basis of this tunnel is a working site-to-site IPsec VPN as described in IPsec Site-to-Site VPN Example with Pre-Shared Keys. Refer to that recipe for detailed instructions. Only the differences from that recipe will be mentioned here.

As a reminder, this example uses two sites:

  • Site A is the main site. The Internet traffic will exit this location.

  • Site B is a remote office with LAN subnet 10.5.0.0/24. This is the source of local traffic which will traverse the tunnel and reach the Internet through site A.

The only differences from the tunnel in IPsec Site-to-Site VPN Example with Pre-Shared Keys are:

Site A, phase 2
  Local Network: 0.0.0.0/0

Site B, phase 2
  Remote Network: 0.0.0.0/0

The other phase 2 values (site A remote network and site B local network, both 10.5.0.0/24) stay as in that recipe, since the two phase 2 entries must mirror each other. This causes the site B firewall to send all traffic from its LAN through the IPsec tunnel to site A, whatever the destination, and site A to accept any destination from site B.

Allow IPsec traffic through the firewall

Since this tunnel must carry traffic bound for the Internet, the firewall rules for the tunnel must be fairly lenient. On site A, the rules on the IPsec tab (Firewall > Rules, IPsec tab) must pass traffic from a source of the site B LAN (10.5.0.0/24) to a destination of any; traffic arriving from a tunnel is filtered by that tab, not by the WAN rules. At site B, the LAN rules must allow the LAN hosts to reach any destination, which the default LAN rule already does.

Tip

To prevent site B from reaching sensitive local resources at site A (for example the site A LAN) or sites connected to additional VPNs, place block rules for those destinations above the rule passing the Internet traffic. Rules are processed top to bottom and the first match wins, so a block rule placed below the pass-to-any rule never takes effect.

The rules at site B do not necessarily have to allow much traffic in from the tunnel unless there are public resources at site B which will be reached across the tunnel (e.g. 1:1 NAT, port forwards). Replies to connections started from site B are matched by the existing state and need no additional rule.

Configure outbound NAT

For site B to reach the Internet, site A must perform outbound NAT on the traffic from the site B LAN (10.5.0.0/24) as it leaves the WAN.

To do this, first change the outbound NAT mode on the site A firewall:

  • Navigate to Firewall > NAT, Outbound tab

  • Set the Outbound NAT Mode to Hybrid Outbound NAT

    Note

    If site A is already on this mode or set to Manual, then do not change the mode.

  • Click Save

Using this mode allows the default automatic NAT rules to continue working without needing a full manual ruleset; in Hybrid mode the manual rules are evaluated before the automatic rules. Now add a custom rule to the top of the list which will match site B:

  • Click Add (the button which adds a rule to the top of the list)

  • Set the following values:

    Interface: WAN (the interface the traffic leaves on)

    Source: Network, 10.5.0.0/24

    Destination: Any

    Translation Address: Interface Address

    Description: NAT for IPsec tunnel Site B

  • Click Save

  • Click Apply changes.

The new entry is now in the outbound NAT rule list.
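The following Python is an added illustration written for this page, not pfSense code, and it does not touch a firewall. It models how site A handles a packet from site B under the two sections above: the IPsec tab rules are first-match, so the block rule from the tip must sit above the pass-to-any rule, and in Hybrid Outbound NAT mode the manual rule for 10.5.0.0/24 is evaluated before the automatic rules. The site A LAN (10.3.0.0/24), the site A WAN address (203.0.113.10) and the example hosts are assumptions, not values from the page.

```python
"""Illustrative model of rule processing at site A (added example, not pfSense code).

Models two ordering points from this page: firewall rules are first-match, so
block rules for sensitive site A resources must be above the pass rule for
site B's Internet traffic; and in Hybrid Outbound NAT mode the manual rule for
10.5.0.0/24 is evaluated before the automatic rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

SITE_B_LAN = ip_network("10.5.0.0/24")        # from the page
SITE_A_LAN = ip_network("10.3.0.0/24")        # assumed
SITE_A_WAN_ADDR = ip_address("203.0.113.10")  # assumed (TEST-NET-3)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class FilterRule:
    action: str   # "pass" or "block"
    iface: str    # pfSense tab the rule lives on: "ipsec", "lan", "wan"
    src: object   # ip_network
    dst: object   # ip_network

    def matches(self, iface, src, dst) -> bool:
        return self.iface == iface and src in self.src and dst in self.dst


def evaluate_filter(rules, iface, src, dst) -> str:
    """First matching rule decides; with no match the default is to block."""
    for rule in rules:
        if rule.matches(iface, src, dst):
            return rule.action
    return "block"


@dataclass(frozen=True)
class NatRule:
    iface: str
    src: object
    dst: object
    translate_to: object  # ip_address


def outbound_nat(rules, iface, src, dst) -> Optional[str]:
    """Translated source address from the first matching outbound NAT rule, else None."""
    for rule in rules:
        if rule.iface == iface and src in rule.src and dst in rule.dst:
            return str(rule.translate_to)
    return None


# Site A, Firewall > Rules, IPsec tab, ordered as the tip recommends.
IPSEC_RULES_CORRECT = [
    FilterRule("block", "ipsec", SITE_B_LAN, SITE_A_LAN),
    FilterRule("pass", "ipsec", SITE_B_LAN, ANY),
]
# The same two rules with the pass rule first: the block rule is never reached.
IPSEC_RULES_WRONG = list(reversed(IPSEC_RULES_CORRECT))

# Site A, Firewall > NAT, Outbound, Hybrid mode: the manual rule from this
# recipe first, then the automatic rule pfSense keeps for its own LAN.
OUTBOUND_NAT = [
    NatRule("wan", SITE_B_LAN, ANY, SITE_A_WAN_ADDR),  # "NAT for IPsec tunnel Site B"
    NatRule("wan", SITE_A_LAN, ANY, SITE_A_WAN_ADDR),  # automatic rule
]


def egress_interface(dst) -> str:
    """Routing decision at site A: the local LAN stays on LAN, everything else leaves WAN."""
    return "lan" if dst in SITE_A_LAN else "wan"


def forward_from_site_b(dst: str, ipsec_rules=IPSEC_RULES_CORRECT) -> Tuple[str, Optional[str]]:
    """Trace a packet from an assumed site B host (10.5.0.20) arriving at site A over the tunnel.

    Returns (filter verdict, source address after outbound NAT or None).
    """
    src = ip_address("10.5.0.20")
    dest = ip_address(dst)
    verdict = evaluate_filter(ipsec_rules, "ipsec", src, dest)
    if verdict != "pass":
        return verdict, None
    return verdict, outbound_nat(OUTBOUND_NAT, egress_interface(dest), src, dest)


if __name__ == "__main__":
    # A public host (TEST-NET-2) and a site A LAN host, under both rule orders.
    for dst in ("198.51.100.7", "10.3.0.5"):
        print(dst, forward_from_site_b(dst), forward_from_site_b(dst, IPSEC_RULES_WRONG))
```

With the recommended order, Internet traffic from site B passes and leaves the site A WAN with the WAN address as its source, while traffic to the site A LAN is blocked; with the pass rule on top, the same LAN-bound packet is passed and the block rule is dead.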

At this point site B will have a working Internet connection through the IPsec tunnel and the Internet provider at site A. Any Internet traffic from hosts on the site B LAN will look as if it were coming from the site A WAN address; to confirm, check from a site B host which address an external service sees, which must be the site A WAN address. Only 10.5.0.0/24 is covered by the phase 2 entry, so traffic generated by the site B firewall itself (its DNS resolver, NTP, package updates) still leaves through the site B WAN.