Routing Internet Traffic Through a Site-to-Site IPsec Tunnel
It is possible to use IPsec on a firewall running pfSense® software to send Internet traffic from a remote site such that it appears to be coming from another location. This may be needed if a vendor requires that connections originate from a specific address.
The basis of this tunnel is a working site-to-site IPsec VPN as described in IPsec Site-to-Site VPN Example with Pre-Shared Keys. Refer to that recipe for detailed instructions. Only the differences from that recipe will be mentioned here.
As a reminder, this example uses two sites:
- Site A is the main site. The Internet traffic will exit this location.
- Site B is a remote office with LAN subnet 10.5.0.0/24. This is the source of local traffic which will traverse the tunnel and reach the Internet through site A.
The only differences from the tunnel in IPsec Site-to-Site VPN Example with Pre-Shared Keys are in the phase 2 entries, which must cover all destinations rather than only the site A LAN:
- Site A, phase 2: Local Network set to Network, 0.0.0.0/0
- Site B, phase 2: Remote Network set to Network, 0.0.0.0/0
This will cause the site B firewall to send all traffic from its LAN, including Internet-bound traffic, through the IPsec tunnel to site A.
Allow IPsec traffic through the firewall
Since this tunnel must carry traffic bound for any Internet destination, the firewall rules at site A must be fairly lenient. The rules on site A will need to pass traffic arriving over IPsec from a source of the site B LAN (10.5.0.0/24) to a destination of any.
Rules are evaluated top to bottom and the first match wins, so a pass-to-any rule on top would also let site B reach everything behind site A. To prevent site B from reaching sensitive local resources at site A, or sites connected to additional VPNs, place block rules for those networks above the rule passing the Internet traffic.
The rules at site B do not necessarily have to allow much traffic back through unless there are public resources at site B which will be reached across the tunnel (e.g. 1:1 NAT, port forwards).
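The following is an added example, not code from the pfSense documentation. It models pfSense's first-match evaluation of the rules at site A so the ordering point above can be checked: with the pass-to-any rule on top, the block rules beneath it can never match. The site B LAN 10.5.0.0/24 comes from the recipe; site A's LAN 10.3.0.0/24 and a third site 10.7.0.0/24 behind another VPN are assumed for illustration.

```python
"""Rule-ordering check for the IPsec rules at site A.

Added example, not code from the pfSense documentation. pfSense evaluates
the rules on an interface tab top to bottom and the first match wins, so a
"pass from 10.5.0.0/24 to any" rule placed above the block rules makes
those block rules unreachable. 10.5.0.0/24 is the site B LAN from the
recipe; 10.3.0.0/24 (site A LAN) and 10.7.0.0/24 (another VPN site) are
assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    descr: str


def _contains(net, ip):
    """True if ip falls inside net; "any" contains every address."""
    return net == "any" or ip_address(ip) in ip_network(net)


def _covers(outer, inner):
    """True if every address in inner is also in outer."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation; no match means the implicit default deny."""
    for rule in rules:
        if _contains(rule.src, src_ip) and _contains(rule.dst, dst_ip):
            return rule.action
    return "block"


def shadowed_blocks(rules):
    """Descriptions of block rules that can never match because an earlier pass rule covers them."""
    found = []
    for i, rule in enumerate(rules):
        if rule.action != "block":
            continue
        for earlier in rules[:i]:
            if (earlier.action == "pass"
                    and _covers(earlier.src, rule.src)
                    and _covers(earlier.dst, rule.dst)):
                found.append(rule.descr)
                break
    return found


SITE_B_LAN = "10.5.0.0/24"
SITE_A_LAN = "10.3.0.0/24"     # assumed
OTHER_VPN_NET = "10.7.0.0/24"  # assumed

# Wrong order: the pass-to-any rule is on top and wins for every packet.
NAIVE_RULES = [
    Rule("pass", SITE_B_LAN, "any", "Site B to Internet"),
    Rule("block", SITE_B_LAN, SITE_A_LAN, "Protect site A LAN"),
    Rule("block", SITE_B_LAN, OTHER_VPN_NET, "Protect other VPN site"),
]

# Correct order: block the sensitive destinations first, then pass the rest.
CORRECT_RULES = [
    Rule("block", SITE_B_LAN, SITE_A_LAN, "Protect site A LAN"),
    Rule("block", SITE_B_LAN, OTHER_VPN_NET, "Protect other VPN site"),
    Rule("pass", SITE_B_LAN, "any", "Site B to Internet"),
]


def verdicts(rules):
    """Outcome for representative flows arriving over the tunnel at site A."""
    return {
        "internet": evaluate(rules, "10.5.0.10", "203.0.113.80"),
        "site_a_lan": evaluate(rules, "10.5.0.10", "10.3.0.20"),
        "other_vpn": evaluate(rules, "10.5.0.10", "10.7.0.5"),
        "not_site_b": evaluate(rules, "10.9.0.1", "203.0.113.80"),
    }


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_RULES), ("correct", CORRECT_RULES)):
        print(name, verdicts(rules), "shadowed:", shadowed_blocks(rules))
```

The `shadowed_blocks` check is the useful part: run it over the rule order before saving and any block rule it reports is dead, meaning site B can reach that network despite the rule being present.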
Configure outbound NAT
For site B to reach the Internet, site A must perform outbound NAT on the traffic from the site B LAN (10.5.0.0/24) as it leaves the WAN.
To do this, first change the outbound NAT mode on the site A firewall:
Navigate to Firewall > NAT, Outbound tab
Set the Outbound NAT Mode to Hybrid Outbound NAT
If site A is already on this mode or set to Manual, then do not change the mode.
Using this mode will allow the default automatic NAT rules to continue working without needing a full manual ruleset; in Hybrid mode the manual rules are evaluated before the automatic ones. The automatic rules do not cover the site B LAN, so now add a custom rule to the top of the list which will match site B:
Set the following values:
- Interface: WAN
- Source: Network, 10.5.0.0/24 (the site B LAN)
- Destination: Any
- Translation Address: Interface Address (the WAN address of site A)
- Description: NAT for IPsec tunnel Site B
Click Save, then click Apply Changes.
The new entry is now at the top of the outbound NAT rule list, above the automatic rules.
At this point site B will have a working Internet connection through the IPsec tunnel and the Internet provider at site A. Any Internet traffic from site B will look as if it were coming from site A.
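The following is an added example, not code from the pfSense documentation. It models how Hybrid Outbound NAT evaluates the manual rules before the automatically generated ones, and shows what the custom rule changes: without it, packets from the site B LAN leave the site A WAN with their private source address. The site B LAN 10.5.0.0/24 comes from the recipe; site A's LAN 10.3.0.0/24 and WAN address 198.51.100.10 are assumed for illustration.

```python
"""Outbound NAT lookup at site A in Hybrid Outbound NAT mode.

Added example, not code from the pfSense documentation. Hybrid mode
evaluates the manual rules first and then the automatic rules; the
automatic rules are generated for site A's own networks (assumed here to
be just its LAN) and do not include the site B LAN, which is why the
recipe adds the custom rule. 10.5.0.0/24 is the site B LAN from the
recipe; 10.3.0.0/24 (site A LAN) and 198.51.100.10 (site A WAN address)
are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    interface: str    # interface the packet leaves through
    source: str       # source network the rule matches
    translation: str  # "interface" = Interface Address, or an explicit IP
    descr: str


def automatic_rules(internal_networks):
    """Rules pfSense generates itself: each internal network, out WAN, to the WAN address."""
    return [NatRule("WAN", net, "interface", f"Auto created rule for {net}")
            for net in internal_networks]


def hybrid_rules(manual_rules, internal_networks):
    """Hybrid mode: manual rules first, then the automatic rules."""
    return list(manual_rules) + automatic_rules(internal_networks)


def translate(rules, interface, src_ip, interface_addresses):
    """Source address a packet has after outbound NAT (first match wins).

    With no matching rule the packet is sent untranslated, i.e. with its
    private source address, which the upstream provider will not route back.
    """
    for rule in rules:
        if rule.interface == interface and ip_address(src_ip) in ip_network(rule.source):
            if rule.translation == "interface":
                return interface_addresses[interface]
            return rule.translation
    return src_ip


SITE_B_LAN = "10.5.0.0/24"
SITE_A_INTERNAL = ["10.3.0.0/24"]     # assumed site A LAN
ADDRESSES = {"WAN": "198.51.100.10"}  # assumed site A WAN address

# The custom rule from the recipe, placed at the top of the list.
SITE_B_NAT = NatRule("WAN", SITE_B_LAN, "interface", "NAT for IPsec tunnel Site B")

WITHOUT_CUSTOM_RULE = hybrid_rules([], SITE_A_INTERNAL)
WITH_CUSTOM_RULE = hybrid_rules([SITE_B_NAT], SITE_A_INTERNAL)


def egress_sources(rules):
    """Source addresses the Internet sees for a site B host and a site A host."""
    return {
        "site_b_host": translate(rules, "WAN", "10.5.0.33", ADDRESSES),
        "site_a_host": translate(rules, "WAN", "10.3.0.5", ADDRESSES),
    }


if __name__ == "__main__":
    print("without custom rule:", egress_sources(WITHOUT_CUSTOM_RULE))
    print("with custom rule:   ", egress_sources(WITH_CUSTOM_RULE))
```

The failure mode is visible in the first result: the site A host is translated by the automatic rule, but the site B host is not, so its packets would leave the WAN from 10.5.0.33. On the real firewall the equivalent check is to watch the WAN with the packet capture tool while a site B host browses and confirm the source address is the WAN address.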