Hi,

I have 3 interfaces:

  WAN, where clients are connecting.
  LAN/10.11.0.0/16, this is the network where clients get an IP address.
  FILTER/eth2, where all client traffic is routed.

I have 2 clients, client 1 IP 10.11.0.55 and client 2 IP 10.11.0.56. Here are the ip route and iptables rules.

  ip rule add from 10.11.0.0/16 table FILTER
  ip route add default dev eth2 table FILTER

When client 1 pings 8.8.8.8, I see the traffic go to the eth2 interface. But when client 1 pings client 2, I don't see the traffic go to the eth2 interface. How do I also force local network 10.11.0.0/16 traffic to the eth2 interface for filtering?

Thanks,
Loc

From: Noel Kuntze
Sent: Wednesday, November 29, 2017 10:56 AM
To: Loc Nguyen; users@lists.strongswan.org
Subject: Re: [strongSwan] Isolate clients and force local network traffic to an interface

Hi,

I can't tell what exactly you want.
You can tell if traffic was protected with ipsec by using the iptables policy match module.
You can use a VTI[1], too.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

On 28.11.2017 20:37, Loc Nguyen wrote:
> Hi,
>
> I created an IPsec network 10.11.0.0/16 and am using dnsmasq to assign IP
> addresses.
>
> I am able to route all 10.11.0.0/16 network traffic to an interface. I would
> also like to route local network 10.11.0.0/16 traffic between clients to that
> interface too.
>
> I can use iptables FORWARD to block client to client. Instead of blocking I
> want the traffic to go to the interface.
>
> Thanks,
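Added here as an illustration and not part of the thread: a small Python model of the kernel's policy-routing walk (rules in priority order, longest prefix inside the selected table, fall through when a table has no route), fed with constructed `ip rule show` / `ip route show table` output for a gateway like the one described. The interface names `wan` and `lan`, the WAN address 203.0.113.1 and the per-client routes are assumptions; table 220 at rule priority 220 is strongSwan's default routing table, into which charon installs a route per connected peer. It shows why a source-based rule at the default priority catches traffic to 8.8.8.8 but not client-to-client traffic that already has a more specific route in a table consulted earlier.

```python
"""Simulate the Linux policy-routing (RPDB) lookup for one flow.

Parses `ip rule show` and `ip route show table <t>` text and walks the rules
in priority order, as the kernel does, to report which table and route a
packet from SRC to DST takes.  All sample output is constructed; table 220
and its per-client routes model strongSwan's default routing table.
"""
import ipaddress
import re

RULES = """\
0:      from all lookup local
220:    from all lookup 220
32765:  from 10.11.0.0/16 lookup FILTER
32766:  from all lookup main
32767:  from all lookup default
"""

ROUTES = {  # table name -> constructed `ip route show table <t>` output
    "local": "local 10.11.0.1 dev lan proto kernel scope host src 10.11.0.1\n",
    "220": "10.11.0.55 dev wan proto static src 203.0.113.1\n"
           "10.11.0.56 dev wan proto static src 203.0.113.1\n",
    "FILTER": "default dev eth2\n",
    "main": "default via 203.0.113.254 dev wan\n",
    "default": "",
}
ROUTE_TYPES = {"unicast", "local", "broadcast", "unreachable", "prohibit", "blackhole"}

def parse_routes(text):
    """Yield (network, route type, device) for each line of a table dump."""
    for line in text.splitlines():
        tok = line.split()
        rtype = tok.pop(0) if tok[0] in ROUTE_TYPES else "unicast"
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        yield ipaddress.ip_network(dest, strict=False), rtype, dev

def lookup(src, dst, rules_text=RULES, tables=ROUTES):
    """Return the winning rule priority, table, device and route type."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = re.findall(r"^(\d+):\s+from (\S+) lookup (\S+)", rules_text, re.M)
    for prio, sel, table in sorted(rules, key=lambda r: int(r[0])):
        if sel != "all" and src not in ipaddress.ip_network(sel, strict=False):
            continue  # rule selector does not match this source address
        hits = [r for r in parse_routes(tables.get(table, "")) if dst in r[0]]
        if hits:  # longest prefix wins inside the table; no hit -> next rule
            net, rtype, dev = max(hits, key=lambda r: r[0].prefixlen)
            return {"prio": int(prio), "table": table, "dev": dev, "type": rtype}
    return None  # no route anywhere: the kernel would return ENETUNREACH

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.11.0.56"):
        print(f"10.11.0.55 -> {dst}: {lookup('10.11.0.55', dst)}")
```

On an IPsec gateway the route is only part of the picture: the XFRM policy lookup that decides whether a forwarded packet is tunnelled runs independently of this route selection, so changing routes alone does not take a flow out of the tunnel.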