Why can't I query SNMP, use syslog, NTP
-
Dear Forum,
We set up a successful tunnel between 2 pfsense boxes and their subnets.
We cannot ping to the subnet in the tunnel, and found this article:
http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
Our local subnet is 10.18.1.0/24 with pfsense at .1
Our remote subnet is 10.5.1.0/24 with pfsense at .1
Could not quite figure out the parameters to set from that article, but tried:
- added gateway in (System:Gateways): BackToLan - LAN - 10.18.1.1
- added route in (System:Static Routes): 10.5.1.0/24 - BackToLan - LAN
Now ping shows weird errors: e.g
gt3:~ dennis$ ping 10.5.1.201
PING 10.5.1.201 (10.5.1.201): 56 data bytes
36 bytes from fw-office.webappz.int (10.18.1.1): Redirect Host(New addr: 10.5.1.201)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 a2d8 0 0000 40 01 c029 10.18.1.200 10.5.1.201
Request timeout for icmp_seq 0
36 bytes from fw-office.webappz.int (10.18.1.1): Redirect Host(New addr: 10.5.1.201)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 abb5 0 0000 40 01 b74c 10.18.1.200 10.5.1.201
Please help. Thanks.
-
Your description of the route seems ok, but those redirects indicate it's not. You don't need a route at all for LAN to LAN traffic to function, only for traffic initiated by the firewall itself and only where you don't specify the source IP. Sounds like you have something else wrong there, maybe missing firewall rules on IPsec.
-
Hi Cmb,
Thanks for your response. So we don't need to do this gateway+route trick for inter-tunnel pings?
The ping was from a local machine to a remote machine. Before the trick, it would give 100% packet loss only.
As mentioned before, the other tunnel traffic has worked fine, even before we put this silly trick in.
In Firewall: Rules: IPSec, we have
TCP - 10.5.1.0/24 - * - * - * - * - none - - Tunnel
Please help in getting ping, snmp, etc. working through the tunnel. Thanks.
-
First, get rid of the static route, as that isn't needed to ping, and if it's wrong, as it looks to be, it may be breaking things.
Check whether the traffic is getting blocked in the firewall logs; if it is, your IPsec rules aren't permitting the traffic.
-
:)
Hi cmb,
Yes, that was the problem.
I got rid of the silly route and gateway, and changed the IPSec rule to protocol any (*) instead of just TCP, and that solved it. Maybe pfSense could recommend 'any' as the default protocol for IPSec firewall rules.
Thanks so much.
Alfredo
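The rule the poster showed and the change that resolved the problem, written out in pf syntax so the protocol difference is visible. This is an added example, not from the thread and not pfSense's own generated ruleset. It assumes the IPsec tab rules are applied on the enc0 interface and reuses the thread's two subnets; the `quick` keyword and the SNMP, syslog and NTP port numbers in the tighter variant are standard values but are my assumptions about the poster's setup, not something the thread states.

```pf
# Constructed example (not from the thread or from pfSense): the poster's
# IPsec tab rule and two ways to fix it, as pf rules on the IPsec interface.
remote_lan = "10.5.1.0/24"     # remote subnet from the thread
local_lan  = "10.18.1.0/24"    # local subnet from the thread

# What the poster had: TCP only. ICMP (ping) and UDP services such as SNMP,
# syslog and NTP never match this rule, so they fall through to the default deny
# and show up as blocks in the firewall log.
# pass in quick on enc0 inet proto tcp from $remote_lan to $local_lan

# Fix as applied in the thread: protocol any (*) from the remote subnet.
pass in quick on enc0 inet from $remote_lan to $local_lan

# Tighter alternative if "any" is broader than you want: permit only what the
# thread asked for (ping, SNMP, syslog, NTP) and keep TCP as before.
# Ports are the IANA defaults and are an assumption about the poster's services.
# pass in quick on enc0 inet proto icmp from $remote_lan to $local_lan
# pass in quick on enc0 inet proto udp  from $remote_lan to $local_lan port { 161, 514, 123 }
# pass in quick on enc0 inet proto tcp  from $remote_lan to $local_lan
```

On pfSense these rules are entered under Firewall: Rules: IPsec rather than typed into pf.conf; the GUI generates the pf rule for the IPsec interface, so the pf form above only serves to show why a TCP-only rule cannot pass ICMP or UDP. Before widening a rule, the firewall log is the quickest check: a blocked entry on the IPsec interface with protocol ICMP or UDP confirms it is the rule, not routing, that is in the way.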