Outgoing internet traffic out IPSEC tunnel
-
I have an IPSEC site to site tunnel (pfsense to pfsense) that routes all internet traffic to the other pfsense firewall.
That works fine. However I also have port forwarding setup on the firewall which channels all the WAN traffic out the IPSEC tunnel, but that seems to have stopped working when I enable the VPN tunnel.
I presume pfsense does not send the traffic back out of the original interface it came from but instead, is trying to route the answer over the IPSEC tunnel.
Is there a way around this?
-
@shanev said in Outgoing internet traffic out IPSEC tunnel:
However I also have port forwarding setup on the firewall which channels all the WAN traffic out the IPSEC tunnel
From WAN to an internal local device?
If so, ensure that there is a pass rule on the WAN interface which matches the forwarded traffic.
If not, provide some more details.
-
@viragomann said in Outgoing internet traffic out IPSEC tunnel:
@shanev said in Outgoing internet traffic out IPSEC tunnel:
However I also have port forwarding setup on the firewall which channels all the WAN traffic out the IPSEC tunnel
From WAN to an internal local device?
If so, ensure that there is a pass rule on the WAN interface which matches the forwarded traffic.
If not, provide some more details.
Hi,
So WAN 443 => internal LAN device (rdweb server).
Then IPSEC tunnel between firewall with port forwarding to another pfsense which only has one network card for internet. This part works fine.
There is a pass rule. It works just fine. Only when I enable the ipsec tunnel the port forwarding stops working.
-
@shanev said in Outgoing internet traffic out IPSEC tunnel:
So WAN 443 => internal LAN device (rdweb server).
The question is if there is a pass rule on the WAN tab which matches this traffic.
It does not work if a floating rule or one on an interface group is permitting the forwarded traffic to the LAN device. Do you have any floating rules or interface groups?
However, not sure if this even works at all if the IPSec remote endpoint is the default route.
-
@viragomann said in Outgoing internet traffic out IPSEC tunnel:
@shanev said in Outgoing internet traffic out IPSEC tunnel:
So WAN 443 => internal LAN device (rdweb server).
The question is if there is a pass rule on the WAN tab which matches this traffic.
It does not work if a floating rule or one on an interface group is permitting the forwarded traffic to the LAN device. Do you have any floating rules or interface groups?
However, not sure if this even works at all if the IPSec remote endpoint is the default route.
There are no floating rules and yes there is a pass rule on the WAN. Like I said it works just fine without the ipsec tunnel.
Is there no way to make pfsense route its traffic the exact way it came from (when external)?
-
@shanev said in Outgoing internet traffic out IPSEC tunnel:
There are no floating rules and yes there is a pass rule on the WAN. Like I said it works just fine without the ipsec tunnel.
The rule is responsible for the proper routing here, therefore I'm asking holes. To ensure that the rule is applied, enable its logging and check the firewall log.
What pfSense version are you on?
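As an added illustration, not taken from this thread or from pfSense itself: an approximation of the pf rules pfSense generates for such a port forward, showing why a rule on the WAN tab behaves differently from a floating rule when the default route points into the tunnel. Interface name, addresses and the gateway are constructed values.

```pf
# Added illustration (not from this thread). Constructed values:
#   em0 = WAN interface, WAN address 203.0.113.10, WAN gateway 203.0.113.1
#   192.0.2.10 = internal rdweb server on LAN
# The routing table's default route is assumed to point into the IPsec tunnel.

# NAT: WAN:443 -> internal server (what the port forward produces)
rdr on em0 inet proto tcp from any to 203.0.113.10 port 443 -> 192.0.2.10

# Rule created on the WAN tab: pfSense attaches "reply-to" with the WAN gateway,
# so reply packets for states created by this rule are sent back out em0 to that
# gateway regardless of the default route. This is what keeps the forward working
# while the tunnel carries all other outbound traffic.
pass in log quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.0.2.10 port 443 flags S/SA keep state label "USER_RULE: rdweb"

# Floating or interface-group style rule: no "reply-to" is attached, so the
# replies follow the routing table into IPsec and the forward breaks as soon
# as the tunnel is up.
pass in quick inet proto tcp from any to 192.0.2.10 port 443 flags S/SA keep state label "USER_RULE: rdweb (floating)"
```

The `log` keyword on the WAN rule is what the "enable its logging" advice above turns on, so a hit on that rule shows up in the firewall log with the rule label.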