Netgate Discussion Forum

    Remote syslog using WAN interface.

    General pfSense Questions
    13 Posts 2 Posters 475 Views

      stephenw10 Netgate Administrator

      If it's a policy based tunnel it won't match the defined traffic selectors unless it's sourced from the internal interface address.

      There is a (pretty hacky) workaround but a better solution would be to use a route based IPSec tunnel.

      https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html

        dersini @stephenw10

        @stephenw10 said in Remote syslog using WAN interface.:

        If it's a policy based tunnel it won't match the defined traffic selectors unless it's sourced from the internal interface address.

        There is a (pretty hacky) workaround but a better solution would be to use a route based IPSec tunnel.

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html

        It is a policy based tunnel which worked for years on 2.6 and 2.7 code.
        Syslog is sourced from a VLAN address and it worked until the upgrade.

          stephenw10 Netgate Administrator

          Upgrade to 2.8?

          How do you have the source address set?

          You might also be hitting the state policy change in 2.8:
          https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-advanced-firewall-state-policy-history

          You can try setting that back to floating.

            dersini @dersini

            @dersini said in Remote syslog using WAN interface.:

            It is a policy based tunnel which worked for years on 2.6 and 2.7 code.
            Syslog is sourced from a VLAN address and it worked until the upgrade.

            Upgraded to 2.8 two days ago.
            Source interface is set under Status > System Logs > Settings.

            Changing to the floating state policy still results in syslog UDP packets being sent out of the WAN interface to a private IP address behind the IPsec tunnel.

            Thanks for taking interest in this post.

              stephenw10 Netgate Administrator

              Ah, OK.

              Check the state table. How does that traffic appear? Is it actually binding to the correct address?

                dersini @stephenw10
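One way to make that state-table check concrete, added here as an example and not code from the thread, from Netgate or from pfSense itself: a POSIX sh script that pulls the local source address of the firewall's own UDP/514 states out of `pfctl -ss` output and compares it with the address syslog is configured to use. The state lines and every address in them are constructed sample data (203.0.113.10 stands in for the WAN address, 192.168.10.1 for the VLAN address syslog should bind to, 10.20.30.40 for the collector behind the IPsec tunnel), and the function names are my own. On a live box you would feed it the real table: `check_syslog_source 192.168.10.1 "$(pfctl -ss)"`.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): report which local
# address the firewall's syslog states are sourced from, using the text that
# `pfctl -ss` prints. Everything below is constructed sample data.
#   203.0.113.10  WAN address (where the broken 2.8 build binds syslogd)
#   192.168.10.1  VLAN address syslog is configured to bind to
#   10.20.30.40   remote syslog collector behind the policy-based tunnel
SAMPLE_STATES='all udp 203.0.113.10:26311 -> 10.20.30.40:514       MULTIPLE:MULTIPLE
all udp 192.168.10.1:123 -> 10.20.30.50:123       MULTIPLE:MULTIPLE
all tcp 192.168.10.5:53512 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all udp 192.168.10.1:29010 -> 10.20.30.40:514       MULTIPLE:MULTIPLE'

# syslog_sources STATES [PORT]
# Print the unique local IPv4 addresses of UDP states whose destination port
# is PORT (default 514), one per line. Handles both the plain
# "src -> dst" layout and the NAT layout "translated (original) -> dst" by
# taking the field just before "->" and stripping its parentheses, so the
# address reported is the one the daemon actually bound to. IPv6 states,
# printed as [addr]:port, are skipped.
syslog_sources() {
    port="${2:-514}"
    printf '%s\n' "$1" | awk -v port="$port" '
        $2 != "udp" { next }
        {
            src = ""; dst = ""
            for (i = 3; i < NF; i++) if ($i == "->") { src = $(i - 1); dst = $(i + 1) }
            if (src == "" || index(src, "[") == 1 || index(src, "([") == 1) next
            if (dst !~ (":" port "$")) next
            gsub(/[()]/, "", src)
            sub(/:[0-9]+$/, "", src)
            print src
        }' | sort -u
}

# check_syslog_source EXPECTED STATES
# Return 0 when every syslog state is sourced from EXPECTED, 1 otherwise,
# naming each offending source address on stderr.
check_syslog_source() {
    expected="$1"
    bad=0
    for src in $(syslog_sources "$2"); do
        if [ "$src" != "$expected" ]; then
            echo "syslog state sourced from $src, expected $expected" >&2
            bad=1
        fi
    done
    return $bad
}

# Stand-alone run against the constructed sample: one state is bound to the
# WAN address, so the check fails and names 203.0.113.10.
check_syslog_source 192.168.10.1 "$SAMPLE_STATES" || echo "syslog is not bound to the VLAN address" >&2
```

A state sourced from the WAN address is the symptom to look for: a policy-based tunnel's traffic selectors are written in terms of the internal networks, so a datagram leaving from the WAN address never matches them and goes out in the clear instead of into the tunnel.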

                @stephenw10 said in Remote syslog using WAN interface.:

                Ah, OK.

                Check the state table. How does that traffic appear? Is it actually binding to the correct address?

                State table shows syslogd binding to the WAN address.

                I tested with NTP and it does bind to the interface configured in WebUI. Also communicates via IPSEC to configured NTP server without any issues.

                  stephenw10 Netgate Administrator

                  Ok replicated that in 2.8. Digging...

                  https://redmine.pfsense.org/issues/16285

                    stephenw10 Netgate Administrator

                    This is fixed upstream already. Will be in new builds soon.

                    https://github.com/pfsense/FreeBSD-src/commit/ae4f708f0b383277505daa191e21db399b558839

                      dersini @stephenw10

                      @stephenw10 said in Remote syslog using WAN interface.:

                      This is fixed upstream already. Will be in new builds soon.

                      https://github.com/pfsense/FreeBSD-src/commit/ae4f708f0b383277505daa191e21db399b558839

                      Thanks.
                      I just tried syslog-ng and it behaves exactly the same.

                        stephenw10 Netgate Administrator

                        In the meantime that local gateway workaround should work if you can't switch to a route based tunnel.

                          dersini @stephenw10

                          @stephenw10 said in Remote syslog using WAN interface.:

                          In the meantime that local gateway workaround should work if you can't switch to a route based tunnel.

                          Working on setting up VTI.

                          Thanks,

                            dersini @stephenw10

                            @stephenw10 said in Remote syslog using WAN interface.:

                            In the meantime that local gateway workaround should work if you can't switch to a route based tunnel.

                            VTI resolved the issue.

                            Thanks again.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.