Internet Access for a Remote Network

This section describes the minimal routing and NAT settings that provide Internet access for one of the remote networks. In this scenario the remote network is Peer 1, which exchanges routing information with TNSR via BGP.

This section assumes that devices have a working IPsec configuration, as described in Site-to-Site IPsec Access Between Local and Remote Networks, and are able to reach each other via IPsec tunnel using path information from BGP.

TNSR

No additional configuration is necessary on TNSR; the TNSR Basic NAT Configuration is sufficient.

Peer 1 Policy Route

Routing

Set up access to the Internet via the IPsec VTI interface with a policy-based routing rule.

  • Navigate to Firewall > Rules

  • Create a new rule (or modify the existing default pass IPv4 LAN any rule):

    • Set Address Family to IPv4

    • Set Protocol to ANY

    • Set Source to LAN net

    • Set Destination to ANY

    • Click Display Advanced

    • Set Gateway to <IPsec interface name>_VTIV4

    • Click Save

Note

VTI on pfSense software does not support reply-to. Even with this policy routing rule on Peer 1, which covers all outbound traffic from the LAN, there must also be kernel routes to the remote LANs so that return traffic can find its way back.
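The following check illustrates the point of the note. It is an added example and not part of this documentation or of pfSense software: given the output of netstat -rn -f inet from Peer 1 and the list of remote LAN prefixes learned over BGP, it reports, for each remote LAN, whether the most specific kernel route covering it leaves via the VTI interface. The interface name ipsec1, the addresses and the routing table below are constructed for the example; a real check would feed it the live netstat output and the actual VTI interface name.

```python
"""Verify that every remote LAN prefix has a kernel route via the IPsec VTI interface.

Added example: the sample routing table, the interface name ipsec1 and all
addresses are constructed and are not taken from the documentation.
"""
import ipaddress

# Constructed sample of `netstat -rn -f inet` output from a FreeBSD-based firewall.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.10.0.0/16       10.200.0.1         UGS      ipsec1
10.200.0.0/30      link#7             U        ipsec1
127.0.0.1          link#5             UH          lo0
192.168.1.0/24     link#1             U           em1
"""


def parse_routes(text):
    """Parse netstat -rn output into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # Host routes are printed without a prefix length; ip_network gives them /32.
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, flags, netif))
    return routes


def longest_match(routes, prefix):
    """Return the most specific route whose network covers the whole prefix, or None."""
    best = None
    for route in routes:
        net = route[0]
        if prefix.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def check_return_routes(routes, remote_lans, vti_if):
    """Map each remote LAN prefix to 'ok', 'no route', or 'via <netif> (<route>)'.

    'ok' means the covering route exits through the VTI interface, so return
    traffic to that LAN goes back into the tunnel. Anything else means it
    would follow the default route (typically out the WAN) or another interface.
    """
    result = {}
    for lan in remote_lans:
        match = longest_match(routes, ipaddress.ip_network(lan))
        if match is None:
            result[lan] = "no route"
        elif match[3] != vti_if:
            result[lan] = f"via {match[3]} ({match[0]})"
        else:
            result[lan] = "ok"
    return result


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    # Constructed remote LAN prefixes as they might be learned from TNSR via BGP.
    report = check_return_routes(routes, ["10.10.5.0/24", "10.20.0.0/24"], "ipsec1")
    for lan, status in report.items():
        print(f"{lan}: {status}")
```

In the sample table 10.10.5.0/24 is covered by the 10.10.0.0/16 route over ipsec1 and is reported as ok, while 10.20.0.0/24 only matches the default route over em0, which is exactly the situation the note warns about: the policy rule sends LAN traffic into the tunnel, but replies to that remote LAN would leave via the WAN.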