OPNsense Forum

English Forums => Virtual private networks => Topic started by: forrestexplorer on May 28, 2023, 11:04:49 am

Title: Routing Vlan subnet over IPSEC (Opnsense) to Fortigate to Internet
Post by: forrestexplorer on May 28, 2023, 11:04:49 am
Hello everyone!

I got a question for which I can't seem to find a clear answer in the OPNsense documentation or in posts similar to this question. I have an OPNsense firewall over at my parents' place and I created a guest subnet so when they have repair techs over that need internet we can give them a password to allow them on a locked-down network. This is so if they need to look for a part or order a part they can do so without delay. However, I just don't want to open it wide open to the internet, simply because we don't know the techs that come in.

So the guest vlan is 172.16.54.0/24. I want to route it over IPsec tunnel over to my Fortigate at my house where it hits the web filter and goes out to the internet.

Parents' House - 172.16.54.0/24 -> OPNsense ----> IPsec ----> Fortigate (My place) --- Web filter on FG ---> Internet

I got the tunnel built, but when I made the phase 2 policy I did Local Network > 172.16.54.0/24, Remote Network > 0.0.0.0/0. Well, when I did that I literally locked myself out of my parents' router while bringing down their entire internet. I just got it back up and at this point I am just kind of lost on how to set it up on OPNsense. I looked through the documentation and various forum posts and I can't find exactly a solution to my issue.

To give more information about the guest Wi-Fi:

Default Gateway: 172.16.54.1
DHCP: 172.16.54.2 - 172.16.54.252
DNS: 1.1.1.1 9.9.9.9


IPsec Phase 2
Local Network: 172.16.54.0/24
Remote: 0.0.0.0/0
AES 256
SHA256
Lifetime: 3600

The type of IPsec I believe I was doing was policy-based on the OPNsense side. I just know that when I put in 0.0.0.0/0, it didn't just tell that subnet to go over the tunnel, it routed everything across it. In a way it makes sense, but I know on Fortigate we have been able to use 0.0.0.0/0.0.0.0 to have all traffic routed in that phase 2. Let's just say I feel embarrassed by that mistake because I had an odd feeling 0.0.0.0/0 wasn't the same as 0.0.0.0/0.0.0.0, but I just didn't know how else to enter it in OPNsense. If anyone can help me or just give me a direction, I greatly appreciate it. I am just leery of recreating that phase 2 again and locking myself out. I really do appreciate any help.

Thank you,
Forrest Explorer
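The following is an added example, not code from the original post or from OPNsense, that models what a policy-based IPsec phase 2 selector covers. A policy-based tunnel installs a security policy of the form "traffic from LOCAL to REMOTE must go through the tunnel" (and the mirror policy for the inbound direction), and the match is a plain prefix test. Because 0.0.0.0/0 contains every address, including 172.16.54.0/24 itself, the selector from the post also claims traffic between a guest client and its own gateway 172.16.54.1, not only guest traffic bound for the internet. The script also shows that Python's ipaddress module treats 0.0.0.0/0 and 0.0.0.0/0.0.0.0 as the same network. The 192.168.1.0/24 "LAN" addresses are constructed for the example; what a given kernel does with a cleartext packet that a policy covers is implementation-specific and is not modelled here.

```python
"""Preview which flows an IPsec phase-2 selector pair would claim.

Generic model of SPD selector matching (not OPNsense's or strongSwan's
own logic), intended as a paper check before committing a change such
as Remote Network = 0.0.0.0/0.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Selector:
    name: str
    local: ipaddress.IPv4Network   # "Local Network" in the phase 2 form
    remote: ipaddress.IPv4Network  # "Remote Network" in the phase 2 form


def parse_network(text: str) -> ipaddress.IPv4Network:
    """Accept both prefix notation (0.0.0.0/0) and netmask notation
    (0.0.0.0/0.0.0.0); ipaddress resolves them to the same network."""
    return ipaddress.ip_network(text, strict=False)


def matching_selector(src: str, dst: str, selectors: List[Phase2Selector],
                      direction: str = "out") -> Optional[Phase2Selector]:
    """Return the first selector that covers src -> dst, or None.

    direction="out": packet leaves the firewall, must match local->remote.
    direction="in":  packet arrives at the firewall, must match remote->local.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in selectors:
        if direction == "out" and s in sel.local and d in sel.remote:
            return sel
        if direction == "in" and s in sel.remote and d in sel.local:
            return sel
    return None


def preview(selectors: List[Phase2Selector],
            flows: List[Tuple[str, str, str, str]]) -> Dict[str, str]:
    """Map each flow label to the selector name that claims it ('' if none)."""
    result = {}
    for src, dst, direction, label in flows:
        hit = matching_selector(src, dst, selectors, direction)
        result[label] = hit.name if hit else ""
    return result


# The phase 2 from the post: guest VLAN to anywhere.
SELECTORS = [
    Phase2Selector("guest-to-anywhere",
                   parse_network("172.16.54.0/24"),
                   parse_network("0.0.0.0/0")),
]

# Constructed flows: (src, dst, direction, label). 192.168.1.0/24 is an
# assumed LAN range that does not appear in the post.
FLOWS = [
    ("172.16.54.50", "1.1.1.1",       "out", "guest client -> public DNS"),
    ("172.16.54.50", "172.16.54.1",   "in",  "guest client -> its own gateway"),
    ("172.16.54.1",  "172.16.54.50",  "out", "gateway reply -> guest client"),
    ("192.168.1.10", "1.1.1.1",       "out", "LAN client -> public DNS"),
]

if __name__ == "__main__":
    print("0.0.0.0/0 == 0.0.0.0/0.0.0.0:",
          parse_network("0.0.0.0/0") == parse_network("0.0.0.0/0.0.0.0"))
    for label, name in preview(SELECTORS, FLOWS).items():
        print(f"{label:35s} -> {name or 'not tunnelled'}")
```

Running it lists every flow that the selector would pull into the tunnel: the guest client's DNS query (intended), but also the client's packets to 172.16.54.1 and the gateway's replies back to it, while a flow from the assumed LAN range is untouched. Reviewing that list for local destinations before saving the phase 2 is the check worth doing with a selector as broad as 0.0.0.0/0.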