Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Incoming VPN connections not working

    Scheduled Pinned Locked Moved General pfSense Questions
    13 Posts 3 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GertjanG
      Gertjan @michmoor
      last edited by

      @michmoor said in Incoming VPN connections not working:

      I recently had to swap out my ATT gateway. When connecting the new ATT router to my pfsense it picked up a LAN address of 192.168.1.65. Internet works no issue

      Connecting a router (ATT gateway or ATT router) on a pfSense LAN port ? Why do you need a router behind a router ?

      The ATT got the 192.168.1.65 from pfSense ?

      VPN : VPN clients ? Running on the ATT ? pfSense ?

      Read the intro several times, and I've still doubt about the "what is connected to what in what order".

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      M 1 Reply Last reply Reply Quote 0
      • M
        michmoor LAYER 8 Rebel Alliance @Gertjan
        last edited by

        @Gertjan
        ??
        The att gateway is on the WAN port of pfsense.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        GertjanG 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @michmoor
          last edited by Gertjan

          @michmoor

          If the ATT is in front of pfSense, then the WAN of pfSense became "192.168.1.65" then how can this be :

          @michmoor said in Incoming VPN connections not working:

          PFsense has a public IP now

          edit : (coffee starts having effect) :

          @michmoor said in Incoming VPN connections not working:

          I went ahead and switched to IP Passthrough

          You've put the Att in "IP Passthrough" mode.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            So was the AT&T gateway using the 192.168.1.X subnet before you put it in pass-through mode?

            It seems likely to be a stale state from that.

            M 1 Reply Last reply Reply Quote 0
            • M
              michmoor LAYER 8 Rebel Alliance @stephenw10
              last edited by

              @stephenw10
              That’s exactly it. I received an IP from the ATT gateway prior to enabling pass through.
              What I don’t understand is why pfsense was still actively creating state for the 192.168.1 after it got the public WAN IP.
              I can understand the ATT router still believing that my pfsense had the private IP it gave out(blame it on stale info) but I don’t understand why pfsense was creating new state for an IP it no longer has

              Firewall: NetGate,Palo Alto-VM,Juniper SRX
              Routing: Juniper, Arista, Cisco
              Switching: Juniper, Arista, Cisco
              Wireless: Unifi, Aruba IAP
              JNCIP,CCNP Enterprise

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by stephenw10

                Yup that does seem unexpected. The AT&T gateway must still be handling that traffic even though it's now in pass-through mode.
                If the state still exists pfSense will try to use it.

                M 1 Reply Last reply Reply Quote 0
                • M
                  michmoor LAYER 8 Rebel Alliance @stephenw10
                  last edited by

                  @stephenw10
                  That’s the bit I’m confused about.
                  Pfsense will still create NEW state for an IP it doesn’t own(even though it once did) ?

                  So in my case I saw my wireguard peer kept attempting to initiate a handshake but in the state table it was to the 192.168.1. Address that pfsense had. I delete that state and I will see new state for it a few moments later.

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    Are you sure the state didn't still exist? Did the source port remain the same for example?

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      michmoor LAYER 8 Rebel Alliance @stephenw10
                      last edited by

                      @stephenw10
                      Right now I can’t say for certain.
                      I used Diagnostic > States and used the option to kill all states matched by the filter.
                      I want to say it kept seeing new states 10s after the fact. Hard to conclude now :(

                      Firewall: NetGate,Palo Alto-VM,Juniper SRX
                      Routing: Juniper, Arista, Cisco
                      Switching: Juniper, Arista, Cisco
                      Wireless: Unifi, Aruba IAP
                      JNCIP,CCNP Enterprise

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Yeah sometimes that will fail to kill states because it can filter the display by somethings that cannot be applied to the kill command. I always recommend immediately refiltering to be sure the states are actually gone. If the random source port or translated source port remains the same that's a pretty good sign the state remains.

                        M 1 Reply Last reply Reply Quote 1
                        • M
                          michmoor LAYER 8 Rebel Alliance @stephenw10
                          last edited by

                          @stephenw10
                          Gotcha. So in the future you’re saying I should do a filter reload?

                          Firewall: NetGate,Palo Alto-VM,Juniper SRX
                          Routing: Juniper, Arista, Cisco
                          Switching: Juniper, Arista, Cisco
                          Wireless: Unifi, Aruba IAP
                          JNCIP,CCNP Enterprise

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            Nope filter-reload doesn't clear existing states.

                            I'm saying if you use the kill states button in the state table page you should refresh the table afterwards to be sure the states were actually killed.

                            If you use the trash-can icon next to each states it kills by state ID which should always work.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.