Feature #9605
Support custom CIDR on IPSEC Auto-Exclude LAN Address
Status: closed
Description
Hi. In my scenario, I have multiple LANs, and all of them need dhcp-relay (Netgate forum example: https://forum.netgate.com/topic/144500/dhcprelay-not-forwarding-on-local-interfaces-if-ipsec-is-connected).
The problem is that, if I declare a 0.0.0.0/0 Remote Network on IPsec to force each LAN's traffic to our main site, the unicast forward of dhcp-relay to the destination Active Directory will be delivered through IPsec. These packets need to be delivered on another interface inside the pfSense box. Proof of this is that if I stop IPsec, dhcp-relay starts working again. Needless to say, all related interfaces are selected in the dhcp-relay configuration.
We know that it is way too blunt to use 0.0.0.0/0 on IPsec, but since those LANs inside my pfSense VM are /24, by doing a bypasslan on a /16 scope all data will be forwarded between local interfaces without using IPsec. Example:
lan1 - 10.5.11.0/24 (workstations)
lan2 - 10.5.12.0/24 (voip)
lan3 - 10.5.13.0/24 (servers)
ipsec.conf edited for testing:
conn bypasslan
	leftsubnet = 10.5.0.0/16
	rightsubnet = 10.5.0.0/16
	authby = never
	type = passthrough
	auto = route
Since "LAN" is hardcoded to lan1, every time the configuration is rebuilt, leftsubnet and rightsubnet will be overwritten with "10.5.11.0/24", the very first LAN interface.
After all this sad story, I would like to request a way to make a custom bypasslan connection inside IPsec Advanced Configuration, or a custom advanced field where I could add this connection block inside ipsec.conf.
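The following is an added worked example, not part of the report above and not pfSense or strongSwan code. It takes the three LANs from the report, computes the smallest CIDR that covers them, renders the corresponding passthrough conn for ipsec.conf, and runs a simplified security-policy lookup to show why the dhcp-relay unicast to the AD server ends up in the tunnel when the auto-exclude conn is rewritten to the first LAN's /24, but not when the conn covers all local subnets. Everything beyond the three /24s and the 0.0.0.0/0 remote network is assumed: the function names, the sample addresses (10.5.11.1 as pfSense's lan1 address, 10.5.11.50 a workstation, 10.5.13.10 the AD/DHCP server, 192.0.2.25 a host at the main site), phase 2 entries of each LAN to 0.0.0.0/0, and the simplification that passthrough policies are consulted before the tunnel's protect policies (strongSwan installs them at a higher priority).

```python
import ipaddress
from typing import Iterable, Sequence, Tuple

Net = ipaddress.IPv4Network
Policy = Tuple[Net, Net]  # (local subnet, remote subnet) as installed in the SPD

# Constructed sample topology taken from the report: three local /24s behind one
# pfSense, and a site-to-site tunnel whose remote network is 0.0.0.0/0.
LANS = {
    "lan1": ipaddress.ip_network("10.5.11.0/24"),  # workstations
    "lan2": ipaddress.ip_network("10.5.12.0/24"),  # voip
    "lan3": ipaddress.ip_network("10.5.13.0/24"),  # servers (AD / DHCP)
}
TUNNEL_REMOTE = ipaddress.ip_network("0.0.0.0/0")


def covering_supernet(nets: Iterable[Net]) -> Net:
    """Smallest single prefix that contains every given subnet.

    This is the CIDR the request wants to put into the auto-exclude conn instead
    of the first LAN's /24. It can be wider than the union of the LANs: for the
    three /24s above it is 10.5.8.0/21, which also contains 10.5.8-10.x and
    10.5.14-15.x.
    """
    nets = [ipaddress.ip_network(n) for n in nets]
    covering = nets[0]
    while not all(n.subnet_of(covering) for n in nets):
        covering = covering.supernet()  # widen by one bit until everything fits
    return covering


def render_bypass_conn(net: Net, name: str = "bypasslan") -> str:
    """Emit the strongSwan ipsec.conf passthrough section for a local CIDR.

    Parameter lines are tab-indented on purpose: ipsec.conf treats an unindented
    line as the start of a new section, so an unindented leftsubnet is not part
    of the conn.
    """
    body = [
        f"leftsubnet = {net}",
        f"rightsubnet = {net}",
        "authby = never",
        "type = passthrough",
        "auto = route",
    ]
    return f"conn {name}\n" + "\n".join("\t" + line for line in body)


def ipsec_action(src: str, dst: str, bypass: Sequence[Policy],
                 protect: Sequence[Policy]) -> str:
    """Simplified SPD lookup for one outbound packet.

    Assumption (simplification): passthrough policies are consulted before the
    tunnel's protect policies. Returns "bypass" (sent in the clear and routed
    locally), "protect" (forced into the tunnel) or "plain" (no policy matched).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in bypass:
        # a passthrough conn with left == right subnet is symmetric
        if (s in local and d in remote) or (s in remote and d in local):
            return "bypass"
    for local, remote in protect:
        if s in local and d in remote:
            return "protect"
    return "plain"


def classify_relay_paths(bypass_net: Net) -> dict:
    """Where dhcp-relay and ordinary inter-LAN traffic end up for a given bypass CIDR."""
    bypass = [(bypass_net, bypass_net)]
    # Assumed phase 2 entries: each LAN to the 0.0.0.0/0 remote network.
    protect = [(lan, TUNNEL_REMOTE) for lan in LANS.values()]
    # Constructed addresses: pfSense's lan1 address relaying to the DHCP/AD
    # server on lan3, a lan1 workstation reaching that server, and a main-site host.
    return {
        "relay_to_ad": ipsec_action("10.5.11.1", "10.5.13.10", bypass, protect),
        "lan1_to_lan3": ipsec_action("10.5.11.50", "10.5.13.10", bypass, protect),
        "to_main_site": ipsec_action("10.5.11.50", "192.0.2.25", bypass, protect),
    }


if __name__ == "__main__":
    hardcoded = LANS["lan1"]  # what pfSense rewrites the conn to today
    custom = covering_supernet(LANS.values())
    print(render_bypass_conn(custom))
    for label, net in (("first LAN /24", hardcoded), (f"custom {custom}", custom)):
        print(label, classify_relay_paths(net))
```

With the /24 that pfSense writes today, all three sample flows come back as "protect", including the relay's unicast to the AD server, which matches the symptom in the report; with the covering prefix the two local flows are bypassed and only the main-site flow stays in the tunnel. Two practical caveats: the covering prefix (and the /16 used in the report) is wider than the LANs it was derived from, so any remote-site ranges that fall inside it are silently taken out of the tunnel; if an exact list is preferred over a supernet, strongSwan's ipsec.conf accepts a comma-separated list of subnets in leftsubnet and rightsubnet.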