[pfSense] squid over ipsec dial-in
Fuchs, Martin
martin.fuchs at trendchiller.com
Wed Feb 8 06:28:50 EST 2012
Hi again !
Now we have established a tunnel with our mobile ISP.
The tunnel config is as follows:
Local subnet: 0.0.0.0/0 and the remote subnet is 172.17.5.0/24
The intention is that ALL traffic from the mobile device is routed thru our pfSense.
Traffic to our local subnets 10.x.x.x works fine, but traffic to WAN (anything except 10.x.x.x) does not work.
It seems to me that a route is missing, because how should the tunnel device (mobile device) know where to route the rest of the traffic (except 10.x.x.x) ?
But can I only add a route for physical devices or does pfSense automatically know the routing ?
The tunnel is established over IPSec...
(mobile) --- (CDA-Provider) --- (tunnel) --- (pfSense) --- WAN
Now the question is how to pass the traffic from the mobile device thru the pfSense to WAN and back ?
I simply do not get it working :-(
I'm happy for any ideas...
Regards,
Martin
-----Original Message-----
From: list-bounces at lists.pfsense.org [mailto:list-bounces at lists.pfsense.org] On Behalf Of Fuchs, Martin
Sent: Friday, 3 February 2012 16:34
To: pfSense support and discussion
Subject: Re: [pfSense] squid over ipsec dial-in
Hi !
I'll have to wait now until Wednesday when our ISP will establish the IPSec tunnel and then we'll try further ;-)
Thanks so far,
Martin
-----Original Message-----
From: list-bounces at lists.pfsense.org [mailto:list-bounces at lists.pfsense.org] On Behalf Of Jim Pingle
Sent: Thursday, 2 February 2012 17:12
To: pfSense support and discussion
Subject: Re: [pfSense] squid over ipsec dial-in
On 2/2/2012 10:32 AM, Fuchs, Martin wrote:
> For OpenVPN you mean assign the OpenVPN as an interface under interfaces -> assign ?
> Sounds reasonable...
Yep. When it's assigned there you can do NAT (inbound or out) and even listen on the interface.
> But how would I do such a port forward inbound ?
> I tried to setup a NAT rule "from IPSec to any dst tcp 80 forward to
> 127.0.0.1:3128" but it seemed it did not work (but perhaps I missed sth...) But that would be the right way, correct ?
Sounds about right. I've never tried that so I didn't know if it would work, but I suspected it wouldn't given the history of IPsec+NAT.
Jim
_______________________________________________
List mailing list
List at lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list