IPsec Tunnel won't route to internet
-
Currently we have pfSense devices at both of our offices (A and B). A is our main office, where our staff work and where all of our internal servers that are not in the cloud live. B is a workspace that doesn't get used much: a few computers, 1 server, and mostly just empty desks.
About a month ago our modem died at office B. The ISP sent us a new modem that is a bit strange because it doesn't support bridge mode, so I set up DMZ Host to point to the pfSense device and updated the tunnel information on both ends to the new IP address that they assigned the device. The IPsec tunnel comes up, with both phase 2 connections as well. We are able to connect to all of the devices on both sides of the tunnel.
Issue: Since this happened, devices at office B cannot reach the internet, only internal devices and devices on the other side of the tunnel. Trying to reach services outside of the network such as Facebook or YouTube, all are unavailable.
I like to think I am decent at pfSense for the small environment we have, but this has me stumped. Is there a refresh or something I am missing if you change the IP address of the remote office?
-
@Boatyardjunkie
I don't expect that this has something to do with the IPsec connection.
So if you disable IPsec, does it behave the same way?
Does pfSense pull its WAN IP via DHCP?
If not, is the modem's internal IP set properly as the upstream gateway in the WAN interface settings?
Is the gateway shown as online in Status > Gateways?
Is the outbound NAT in automatic mode?
BTW: If you need incoming connections at B and you have forwards on the modem, you need to remove the "block private networks" check in the WAN settings.
-
@viragomann said in IPsec Tunnel won't route to internet:
BTW: If you need incoming connections at B and you have forwards on the modem, you need to remove the "block private networks" check in the WAN settings.
My experience is that you do NOT have to remove the blocking of private networks in order to access services from the outside. I have tested forwarding the specific ports as well as activating "DMZ" on the router in question (all ports open). I have this setup at two separate locations, both with LTE routers as failover (2.7.2 as well as 24.09).
Does this mean that this function doesn't work? Or is it that it allows traffic from the gateway it's connected to and blocks other... I don't know, but perhaps something to test...
-
@Gblenn So I connected my PC on the WAN side between the LTE router and pfSense and did a quick test trying to run iperf3 via the failover WAN and .
And the attempts are showing up in the firewall log as being blocked:
Block private networks from WAN2 block 192.168/16 (12009)
Meaning that pfSense is smart enough to accept incoming requests from the gateway IP, but blocks any other private IPs.
-
@Gblenn
Yes, removing the check from "don't block private networks" should not really be necessary normally. It's only required if the router in front of pfSense does masquerading on forwarded traffic.
Some consumer routers do this, however.
-
@viragomann Hmm, is that common? I only have two routers in this case that I can test, and they don't do masquerading...
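Added example, not code from any poster in this thread and not pfSense's own code: a small Python model of the three things that decide the fate of a packet arriving on the WAN in the situations discussed above, namely pf's state table, the "Block private networks" rule, and a port forward. It shows why a forward works fine behind a DMZ-host modem that leaves the source address alone, why it breaks behind a router that masquerades forwarded traffic, why a PC plugged in between the modem and pfSense gets logged as blocked, and why replies from the upstream gateway still arrive (they match state that pfSense created when it sent the request, so the block rule is never consulted). The addresses (192.168.1.0/24 for the modem's LAN, 203.0.113.10 as a remote client, 192.168.1.50 as the test PC) and the source ports are constructed for the example; 5201 is iperf3's default server port.

```python
"""Model of how pfSense's "Block private networks" WAN option interacts with
port forwards, upstream NAT (masquerading) and stateful filtering.

Added example for illustration only; it is not pfSense code and it reduces
pf's ruleset to the three checks that matter here:
  1. packets matching an existing state bypass the rules entirely,
  2. the "Block private networks" rule sits above the user rules on WAN,
  3. a port forward (NAT + pass rule) admits new inbound connections.
All addresses, hosts and source ports below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PFSENSE_WAN_IP = "192.168.1.2"   # assumed pfSense WAN address behind the ISP modem
MODEM_LAN_IP = "192.168.1.1"     # assumed modem/LTE router address (pfSense's upstream gateway)
REMOTE_CLIENT = "203.0.113.10"   # assumed client on the public internet
LAN_SIDE_PC = "192.168.1.50"     # assumed test PC plugged in between modem and pfSense
IPERF3_PORT = 5201               # iperf3's default server port


def is_rfc1918(ip: str) -> bool:
    """True if the source address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class WanFilter:
    block_private: bool = True
    forwarded_ports: frozenset = frozenset({IPERF3_PORT})
    states: set = field(default_factory=set)   # flows pfSense already knows about

    def note_outbound(self, pkt: Packet) -> None:
        """pfSense (or a LAN host NATed behind it) opened a connection out the WAN;
        pf creates a state so the reply is admitted without consulting the rules."""
        self.states.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def evaluate_inbound(self, pkt: Packet) -> str:
        """Verdict for a packet arriving on the WAN interface."""
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.states:
            return "pass (existing state)"
        if self.block_private and is_rfc1918(pkt.src):
            return "block (Block private networks)"
        if pkt.dport in self.forwarded_ports:
            return "pass (port forward)"
        return "block (default deny)"


def scenario_results(block_private: bool = True) -> dict:
    """Run the four situations from the thread through the model."""
    fw = WanFilter(block_private=block_private)
    # pfSense itself sent a DNS query to the modem, so a state exists for the reply.
    fw.note_outbound(Packet(PFSENSE_WAN_IP, 40000, MODEM_LAN_IP, 53))
    return {
        # Modem in DMZ-host mode forwarding without rewriting the source address.
        "dmz_no_masquerade": fw.evaluate_inbound(Packet(REMOTE_CLIENT, 55000, PFSENSE_WAN_IP, IPERF3_PORT)),
        # Consumer router that masquerades forwarded traffic: source becomes its own LAN IP.
        "forward_with_masquerade": fw.evaluate_inbound(Packet(MODEM_LAN_IP, 55000, PFSENSE_WAN_IP, IPERF3_PORT)),
        # A PC on the modem's LAN segment starting a new iperf3 session to pfSense.
        "pc_between_modem_and_pfsense": fw.evaluate_inbound(Packet(LAN_SIDE_PC, 55001, PFSENSE_WAN_IP, IPERF3_PORT)),
        # The modem answering the DNS query pfSense sent: matches state, never reaches the rule.
        "reply_from_gateway": fw.evaluate_inbound(Packet(MODEM_LAN_IP, 53, PFSENSE_WAN_IP, 40000)),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"Block private networks = {setting}")
        for name, verdict in scenario_results(setting).items():
            print(f"  {name:30} {verdict}")
```

Run it once with the option on and once with it off: the only verdicts that change are the two where a new connection arrives with a private source address, which is exactly the masquerading case (and the PC-in-the-middle test), while the remote client's forwarded packet and the gateway's reply behave the same either way.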