Hello!
I'm trying to make some internet traffic go via IPSec tunnel instead of sending it directly to the internet. Here's a diagram of my networks:
I'll omit 192.168. to keep it simple. Router 4.1 is DFL-210, router 2.1 is DFL-800.
There's no connectivity problem between networks 4.0/24 and 2.0/24: all ICMP, TCP and UDP traffic goes ok. Network 4.0/24 uses Provider 1 to access the internet, network 2.0/24 uses Provider 2. IPSec tunnel is made via the internet.
What I am trying to achieve is to make traffic from net 4.0/24 to some host (e.g. 8.8.8.8) go to Provider 2 instead of Provider 1.
On 4.1 I've made the following:
– Route: Interface IPSec, network 8.8.8.8, gateway: 192.168.2.1, with metric lower than others
– IP Rule: Allow from lan/lannet to IPSec/all-nets, traffic all_tcpudpicmp, below Allow rules for local IPSec traffic.
On 2.1 I've made the following:
– IP Rule: NAT from IPSec/IPSec-net to wan1/all-nets, traffic all_tcpudpicmp; IPSec-net here is 192.168.4.0/24. The rule is similar to one used to access the internet from network 2.0/24.
What I got:
If I try to ping 8.8.8.8 from my host in 4.0/24 network (it is 192.168.4.65), ping fails. I see my Allow rule works on 4.1, but I see completely nothing at 2.1. If I try to ping 192.168.2.30 (some online host in 2.0/24), everything works ok, like before. Access from 4.0/24 to other internet hosts is not affected, everything works ok, apart from 8.8.8.8.
What am I doing wrong?
Thanks in advance!
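As an added illustration (not part of this post, and not D-Link's code), here is a small Python model of the packet path on 4.1 as described above: route lookup, then IP rule, then the IPsec tunnel's own traffic selectors. It assumes policy-based IPsec, where a packet routed to the IPSec interface is only encrypted if source and destination fall inside the tunnel's local/remote networks; the post does not state those networks, so the model takes them as parameters and shows both a narrow and an all-nets remote network.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed model of router 4.1 (policy-based IPsec, NetDefendOS-style order:
# route lookup -> IP rule -> tunnel traffic selectors). The tunnel's local and
# remote networks are assumptions; the post does not state them.
ROUTES = [  # (interface, network, metric): the post's routes plus a default route
    ("wan1", IPv4Network("0.0.0.0/0"), 100),
    ("IPSec", IPv4Network("192.168.2.0/24"), 90),
    ("IPSec", IPv4Network("8.8.8.8/32"), 10),
]
IP_RULES = [  # (action, src_if, src_net, dst_if, dst_net), in evaluation order
    ("Allow", "lan", IPv4Network("192.168.4.0/24"), "IPSec", IPv4Network("0.0.0.0/0")),
    ("NAT", "lan", IPv4Network("192.168.4.0/24"), "wan1", IPv4Network("0.0.0.0/0")),
]

def route_lookup(dst):
    """Longest prefix wins; the lower metric breaks ties (assumed lookup order)."""
    matches = [r for r in ROUTES if dst in r[1]]
    return min(matches, key=lambda r: (-r[1].prefixlen, r[2]))[0]

def rule_lookup(src_if, src, dst_if, dst):
    """First matching IP rule wins; no match means the implicit drop."""
    for action, sif, snet, dif, dnet in IP_RULES:
        if sif == src_if and dif == dst_if and src in snet and dst in dnet:
            return action
    return "Drop"

def trace(src, dst, tunnel_local, tunnel_remote):
    """Fate of one packet from lan: (egress_if, rule_action, verdict)."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    local, remote = IPv4Network(tunnel_local), IPv4Network(tunnel_remote)
    egress = route_lookup(dst)
    action = rule_lookup("lan", src, egress, dst)
    if action == "Drop":
        return egress, action, "dropped by IP rules"
    if egress == "IPSec":
        # Route plus Allow rule only hands the packet to the IPsec engine; it is
        # encrypted only if both addresses fall inside the tunnel's selectors.
        if src in local and dst in remote:
            return egress, action, "encrypted and sent through tunnel"
        return egress, action, "dropped: outside tunnel traffic selectors"
    return egress, action, "sent in clear via " + egress

if __name__ == "__main__":
    for remote in ("192.168.2.0/24", "0.0.0.0/0"):
        for dst in ("192.168.2.30", "8.8.8.8", "1.1.1.1"):
            print(remote, dst, trace("192.168.4.65", dst, "192.168.4.0/24", remote))
```

With a remote network of 192.168.2.0/24 the ping to 192.168.2.30 is tunnelled while 8.8.8.8 never enters the tunnel (matching "nothing at 2.1"); with an all-nets remote network both are tunnelled and other internet hosts still take wan1 via the default route.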