Netgate Discussion Forum
    Routing Problems on Lan to Cisco VPN Device.

    Routing and Multi WAN
    3 Posts 2 Posters 2.3k Views
    Mnemic

      pfSense 2.0-RC1

      I'm in the process of evaluating replacements of a Firebox III with a pfSense device, but running into some issues with routing, or maybe it's an RDP issue, not sure yet. I'm not doing any load balancing or anything yet.

      Currently my firebox (LAN default gateway) has a number of public IPs (/29) from my T1 ISP, and an internal IP of 10.0.0.1.
      I have a Cisco PIX that I terminate Site-to-Site VPNs on. It has a public IP from my T1 ISP, and an internal IP of 10.0.0.253
      Now I have static routes on my firebox that point the appropriate /32 VPN Routes to the 10.0.0.253 device.

      I've added a pfSense machine with a new ISP connection, with a new public IP (dc1), and Internal IP of 10.0.0.254 (fxp0) for internet traffic, and plan to keep VPN traffic limited to the T1 PIX.

      My pfSense has two interface NICs, LAN and WAN, not using OPT.
      On the pfSense system, I created a new gateway called PIX on the LAN with the Gateway Address 10.0.0.253 (Default is not checked)
      I've added the static routes for the VPNs using the PIX gateway (eg: 10.174.98.15/32 is one route)

      Testing
      So here's where the weird stuff comes in.
      On my Test Machine I set the Default Gateway to pfSense (10.0.0.254)
      I try to RDP to the 10.174.98.15 machine, and it comes up, but every 30 seconds or so it drops the connection, and then re-establishes the connection after about 15 seconds.

      In the firewall log, I see a deny entry for 3389 (RDP) fairly often. Clicking the red X in the 1st column yields:
      ---
      The rule that triggered this action is:

      @1 scrub in on fxp0 all fragment reassemble
      @1 block drop in log all label "Default deny rule"

      Now I can't find a "Default Deny rule", but I tried making an Easy Rule on the line, moved to the top, apply, but the same problems persist, and the logs still show up.

      Trying traceroute from pfSense does not appear to route traffic to the .253 device, but clearly traffic is making it to the .253 somehow since the RDP session does come up.

      traceroute
      [2.0-RC1][admin@pfsense.domain.com]/var/log(28): traceroute 10.174.98.15
      traceroute to 10.174.98.15 (10.174.98.15), 64 hops max, 40 byte packets
      1  * * *
      2  * * *
      3  * * *
      (etc)
      ---
      tracert
      tracert 10.174.98.15

      Tracing route to 10.174.98.15 over a maximum of 30 hops

        1     2 ms     1 ms     2 ms  10.0.0.254
        2     *        *        *     Request timed out.
        3     *        *        *     Request timed out.
        4     *        *        *     Request timed out.
        5     *        *        *     Request timed out.
        6     *        *        *     Request timed out.
        7     *        *        ^C
      ---

      netstat -r
      [2.0-RC1][admin@pfsense.domain.com]/var/log(29): netstat -r
      Routing tables

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            c.hsd.isp.blah UGS        0  146563    dc1
      10.0.0.0          link#3            U          0  239462  fxp0
      pfsense            link#3            UHS        0        0    lo0
      10.14.82.11/32    10.0.0.253        UGS        0        0  fxp0
      10.78.0.0          10.0.0.253        UGS        0        0  fxp0
      10.110.54.0        10.0.0.253        UGS        0        0  fxp0
      10.174.98.15/32    10.0.0.253        UGS        0    11361  fxp0
      (etc)
      ---

      Not sure where to go from here, and could use some assistance.

      Thanks all
      -Paul

      Mnemic

        After digging around in the options I found the fix for me.

        In
        System: Advanced: Firewall and NAT
        Check mark: Bypass firewall rules for traffic on the same interface

        And the problem was resolved.

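Why that checkbox matters, as an added illustration that is not code from the thread or from pfSense: a toy stateful filter fed only the packets that actually cross pfSense. The client sends to 10.174.98.15 via 10.0.0.254, pfSense forwards out the same LAN interface to the PIX at 10.0.0.253, and the replies come back to the client directly across the LAN, so the filter never sees the return half of the TCP handshake. The client address 10.0.0.10, the 30 s handshake timeout and the 5 s packet interval are constructed values; the state-tracking logic is a simplification of pf, not its real rules.

```python
# Toy model of a stateful filter in the asymmetric LAN path from the thread.
# Added example, not pfSense or pf code; the 30 s handshake timeout, the
# client address 10.0.0.10 and the 5 s packet interval are constructed.
# Replies from the PIX reach the client directly on the shared LAN and are
# therefore never fed to the filter.
from dataclasses import dataclass

CLIENT, RDP_HOST = "10.0.0.10", "10.174.98.15"
HANDSHAKE_TIMEOUT = 30.0   # a state that never sees its return half expires


@dataclass(frozen=True)
class Packet:
    t: float          # arrival time in seconds
    src: str
    dst: str
    syn: bool         # True for the SYN, False for mid-stream ACK/data
    iface_in: str
    iface_out: str


class StatefulFilter:
    def __init__(self, bypass_same_iface: bool):
        self.bypass_same_iface = bypass_same_iface
        self.states = {}  # frozenset({a, b}) -> {"exp", "est", "server"}

    def filter(self, p: Packet) -> str:
        # "Bypass firewall rules for traffic on the same interface"
        if self.bypass_same_iface and p.iface_in == p.iface_out:
            return "pass"
        st = self.states.get(frozenset((p.src, p.dst)))
        if st is not None and (st["est"] or p.t < st["exp"]):
            if p.src == st["server"]:
                st["est"] = True     # return half seen: handshake completed
            return "pass"
        if p.syn:                    # only a SYN may create state (flags S/SA)
            self.states[frozenset((p.src, p.dst))] = {
                "exp": p.t + HANDSHAKE_TIMEOUT, "est": False, "server": p.dst}
            return "pass"
        return "block"               # no state: the "Default deny rule" fires


def simulate_rdp_session(bypass_same_iface: bool, duration: float = 60.0):
    """(passed, blocked) for a client->RDP (3389) flow routed LAN-in, LAN-out
    to the PIX gateway, one packet every 5 s; the reverse half never crosses."""
    fw = StatefulFilter(bypass_same_iface)
    verdicts = [fw.filter(Packet(t, CLIENT, RDP_HOST, t == 0, "fxp0", "fxp0"))
                for t in range(0, int(duration), 5)]
    return verdicts.count("pass"), verdicts.count("block")
```

With default filtering the flow passes until the one-sided state times out and every later packet hits the default deny, which is the periodic drop the first post describes; with the bypass enabled the same-interface packets are never evaluated against the rules and nothing is blocked.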
          gollo

          I love the internet.

          We had almost the EXACT same setup (firebox for default gw and an ASA for vpn termination).

          This saved me many, many hours of headaches.

          This option is the same in 1.2.3 as well BTW.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.