Remote syslog using WAN interface.
-
Syslog remote logging is using WAN as source interface to send traffic to a syslog server that is behind and IPSEC tunnel. Has anyone seen such behavior before?
IPSEC tunnel is running as expected with devices communicating on each side without problems.
-
If it's a policy based tunnel it won't match the defined traffic selectors unless it's sourced from the internal interface address.
There is a (pretty hacky) workaround but a better solution would be to use a route based IPSec tunnel.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html
-
@stephenw10 said in Remote syslog using WAN interface.:
If it's a policy based tunnel it won't match the defined traffic selectors unless it's sourced from the internal interface address.
There is a (pretty hacky) workaround but a better solution would be to use a route based IPSec tunnel.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html
It is a policy based tunnel which worked for years on 2.6 and 2.7 code.
Syslog is sourced from a VLAN address and it worked until the upgade. -
Upgrade to 2.8?
How do you have the source address set?
You might also be hitting the state policy change in 2.8:
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-advanced-firewall-state-policy-historyYou can try setting that back to floating.
-
@dersini said in Remote syslog using WAN interface.:
@stephenw10 said in Remote syslog using WAN interface.:
If it's a policy based tunnel it won't match the defined traffic selectors unless it's sourced from the internal interface address.
There is a (pretty hacky) workaround but a better solution would be to use a route based IPSec tunnel.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html
It is a policy based tunnel which worked for years on 2.6 and 2.7 code.
Syslog is sourced from a VLAN address and it worked until the upgade.Upgraded to 2.8 two days ago.
Source interface is set Under Status>System Logs>Settings.Changing to float state policy still results in syslog UDP packets being sent out of WAN interface to a private IP address behind the IPSEC tunnel.
Thanks for taking interest in this post.
-
Ah, OK.
Check the state table. How does that traffic appear? Is it actually binding to the correct address?
-
@stephenw10 said in Remote syslog using WAN interface.:
Ah, OK.
Check the state table. How does that traffic appear? Is it actually binding to the correct address?
State table shows syslogd binding to the WAN address.
I tested with NTP and it does bind to the interface configured in WebUI. Also communicates via IPSEC to configured NTP server without any issues.
-
Ok replicated that in 2.8. Digging...
-
This is fixed upstream already. Will be in new builds soon.
https://github.com/pfsense/FreeBSD-src/commit/ae4f708f0b383277505daa191e21db399b558839
-
@stephenw10 said in Remote syslog using WAN interface.:
This is fixed upstream already. Will be in new builds soon.
https://github.com/pfsense/FreeBSD-src/commit/ae4f708f0b383277505daa191e21db399b558839
Thanks.
I just tried syslog-ng and it behaves exactly the same. -
In the mean time that local gateway workaround should work if you can't switch to a route based tunnel.
-
@stephenw10 said in Remote syslog using WAN interface.:
In the mean time that local gateway workaround should work if you can't switch to a route based tunnel.
Working on setting up VTI.
Thanks,
-
@stephenw10 said in Remote syslog using WAN interface.:
In the mean time that local gateway workaround should work if you can't switch to a route based tunnel.
VTI resolved the issue.
Thanks again.
