Incoming VPN connections not working
-
@michmoor said in Incoming VPN connections not working:
I recently had to swap out my ATT gateway. When connecting the new ATT router to my pfsense it picked up a LAN address of 192.168.1.65. Internet works no issue
Connecting a router (ATT gateway or ATT router) on a pfSense LAN port ? Why do you need a router behind a router ?
The ATT got the 192.168.1.65 from pfSense ?
VPN : VPN clients ? Running on the ATT ? pfSense ?
Read the intro several times, and I've still doubt about the "what is connected to what in what order".
-
@Gertjan
??
The att gateway is on the WAN port of pfsense. -
If the ATT is in front of pfSense, then the WAN of pfSense became "192.168.1.65" then how can this be :
@michmoor said in Incoming VPN connections not working:
PFsense has a public IP now
edit : (coffee starts having effect) :
@michmoor said in Incoming VPN connections not working:
I went ahead and switched to IP Passthrough
You've put the Att in "IP Passthrough" mode.
-
So was the AT&T gateway using the 192.168.1.X subnet before you put it in pass-through mode?
It seems likely to be a stale state from that.
-
@stephenw10
That’s exactly it. I received an IP from the ATT gateway prior to enabling pass through.
What I don’t understand is why pfsense was still actively creating state for the 192.168.1 after it got the public WAN IP.
I can understand the ATT router still believing that my pfsense had the private IP it gave out(blame it on stale info) but I don’t understand why pfsense was creating new state for an IP it no longer has -
Yup that does seem unexpected. The AT&T gateway must still be handling that traffic even though it's now in pass-through mode.
If the state still exists pfSense will try to use it. -
@stephenw10
That’s the bit I’m confused about.
Pfsense will still create NEW state for an IP it doesn’t own(even though it once did) ?So in my case I saw my wireguard peer kept attempting to initiate a handshake but in the state table it was to the 192.168.1. Address that pfsense had. I delete that state and I will see new state for it a few moments later.
-
Are you sure the state didn't still exist? Did the source port remain the same for example?
-
@stephenw10
Right now I can’t say for certain.
I used Diagnostic > States and used the option to kill all states matched by the filter.
I want to say it kept seeing new states 10s after the fact. Hard to conclude now :( -
Yeah sometimes that will fail to kill states because it can filter the display by somethings that cannot be applied to the kill command. I always recommend immediately refiltering to be sure the states are actually gone. If the random source port or translated source port remains the same that's a pretty good sign the state remains.
-
@stephenw10
Gotcha. So in the future you’re saying I should do a filter reload? -
Nope filter-reload doesn't clear existing states.
I'm saying if you use the kill states button in the state table page you should refresh the table afterwards to be sure the states were actually killed.
If you use the trash-can icon next to each states it kills by state ID which should always work.
