Firewall blocks returning TCP traffic
-
I'm using IPsec tab.
The thing is, when I'm trying to reach the Cisco net from lan2 it's working fine. The initial TCP connection doesn't start on the GRE interface and the firewall has no intention of blocking it, because the default deny rule handles "out" traffic. But if the connection starts on the Cisco side, the pfSense firewall blocks the returning TCP packets from lan2 to the Cisco net on the pfSense GRE interface. Adding allow rules to the GRE interface isn't helping at all.
-
Is there a route on the Cisco to tell lan2 traffic to go to pfsense2's main LAN IP address? If not, it will try to go out the internet. Which pfSense machine, 1 or 2, is blocking? It should not have even made it from the Cisco if there is not a route to push lan2 traffic through the VPN …
-
The only route set on the Cisco is: to lan2 via pfsense1 GRE (172.31.2.9). And next, pfsense1 has a static routing rule to forward traffic to lan2 via pfsense2's WAN IP address. Blocking happens on pfsense1 because the IPsec and GRE tunnels end on it. There's a smart network administrator on the Cisco side. He is smart enough to make proper routing through the VPN. The trouble appears on my pfSense side, because I'm not good at VPN building 8)
-
System > Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface". That'll work around it for the vast majority of cases; there isn't enough of a diagram-type picture of the network to tell 100% for sure if it will here, but it probably will.
-
@cmb:
System > Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface". That'll work around it for the vast majority of cases; there isn't enough of a diagram-type picture of the network to tell 100% for sure if it will here, but it probably will.
I'm not sure this will help. The log shows that traffic goes in through one interface and leaves through another, and the description of this option talks about traffic entering and leaving on the SAME interface. Anyway, thanks for the advice. I will try it as soon as possible.
-
Seeing the specific routes and such would be nice.
I used to use IPsec for a site-to-site VPN. I switched to OpenVPN mainly because the IPsec kept dropping and was a bit slower than OpenVPN. We have been using OpenVPN for about 1.5 years and have been really happy with it. I have a similar setup, but I don't use Cisco. It is 3 pfSense FWs: one at the DC, 2 at the office. 1 of those is protecting a lab (rather, protecting us from the lab). Routing to the lab didn't work until I added a static route on the DC FW to point to the WAN IP of the LAB FW (basic firewall rules to allow the LAN and DC subnets, with no NAT to those from the LAN or DC subnets). I don't know why you would have any blocks going on at all. If you are getting blocks, then there might be something wrong with the rule in IPsec because this is the only place to block. If it gets there it should be past the WAN at that point.
-
Seeing the specific routes and such would be nice.
I used to use IPsec for a site-to-site VPN. I switched to OpenVPN mainly because the IPsec kept dropping and was a bit slower than OpenVPN. We have been using OpenVPN for about 1.5 years and have been really happy with it. I have a similar setup, but I don't use Cisco. It is 3 pfSense FWs: one at the DC, 2 at the office. 1 of those is protecting a lab (rather, protecting us from the lab). Routing to the lab didn't work until I added a static route on the DC FW to point to the WAN IP of the LAB FW (basic firewall rules to allow the LAN and DC subnets, with no NAT to those from the LAN or DC subnets). I don't know why you would have any blocks going on at all. If you are getting blocks, then there might be something wrong with the rule in IPsec because this is the only place to block. If it gets there it should be past the WAN at that point.
Are you sure that your traffic from the DC to the lab is really encrypted? I think when you made a static route to the lab WAN IP address your DC pfSense uses the Internet connection instead of the OpenVPN tunnel. To encapsulate traffic to the lab in the OpenVPN tunnel you have to create a gateway on the DC pfSense with the IP address of the OpenVPN interface of the lab pfSense, and then create a static route to the lab subnet through this gateway. Am I wrong? I'm also using OpenVPN on pfsense2 with routing settings just like I wrote above, and it's working quite fine.
In my case there was no choice between OpenVPN and IPsec. The organization with the Cisco is a big GSM provider. Its network administrator didn't even try to discuss any other VPN tech but GRE-over-IPsec. I was building VPNs with two large GSM providers and both were insisting on IPsec.
Back to the question of asymmetric routing. I really don't know how it happens. In the firewall rules, on the IPsec tab, the LAN tab, the GRE tab, on all necessary interfaces, I set a rule "allow everything from everyone on every protocol" and the traffic was blocked anyway. After a few hours of googling I found a similar problem on one forum (don't remember where exactly, maybe even here). In that topic the guy had the same GRE-over-IPsec and TCP blocking. This is when I started to dig into asymmetric routing. I'm glad it ends. I was fighting it since last October :)
-
I am very sure … I am using private IPs and it is not internet routable. They have no choice but to go over the VPN.
So here is what I have and it works.
DB Network 10.a.b.0/24
DC route -> 10.b.c.0/24 GW 10.a.a.15 (for DC traffic)
Office Net 10.a.a.0/24
Office Route -> 10.b.c.0/24 GW 10.a.a.15 (for LAN traffic)
I can get all the way from either direction.
-
I am very sure … I am using private IPs and it is not internet routable. They have no choice but to go over the VPN.
So here is what I have and it works.
DB Network 10.a.b.0/24
DC route -> 10.b.c.0/24 GW 10.a.a.15 (for DC traffic)
Office Net 10.a.a.0/24
Office Route -> 10.b.c.0/24 GW 10.a.a.15 (for LAN traffic)
I can get all the way from either direction.
Alright, I understand. Thanks for your help!
-
Hi
I've been having this problem as well. The only solution I found was to create a floating firewall rule for the GRE interface to pass out any traffic; make sure the quick option is ticked and also set keep state to none in the advanced options. To be honest I don't know if this is the best solution or really why it works, but it has on my setup. I've downloaded some capture files on the interfaces to go through to see if I better understand it. But hope this helps.
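The GUI settings described in the post above, rendered as pf rule syntax so the difference is visible. This is an added example, not from the original thread and not pfSense's own generated ruleset; the interface name gre0 and the two subnets are assumed placeholders. A stateful rule is shown beside the no-state variant the poster ended up with:

```pf
# Added example (not from the thread). Assumed names: gre0 is the GRE
# tunnel interface on pfsense1, 10.1.0.0/24 the Cisco-side net,
# 10.2.0.0/24 lan2.

# Stateful rule: pf creates a state entry when it sees the SYN and then
# checks every later packet of the connection against it, including TCP
# sequence and window tracking. Replies that arrive by a path the state
# never saw (asymmetric routing) can fail that check and be dropped.
pass in on gre0 inet proto tcp from 10.1.0.0/24 to 10.2.0.0/24 flags S/SA keep state

# Workaround from the post above (floating rule, quick, keep state = none):
# "no state" creates no state entry, so each packet is judged by the rule
# alone and an asymmetric reply is not dropped for failing state tracking.
# "quick" stops evaluation here, so no later block rule overrides it.
# Cost: no connection tracking for this traffic, so keep the match narrow
# (specific interface, protocol and subnets) rather than "any to any".
pass out quick on gre0 inet proto tcp from 10.2.0.0/24 to 10.1.0.0/24 no state
```

Before shipping a no-state rule, confirm the asymmetric path with a capture on both interfaces (a tcpdump on gre0 and on the WAN side while a connection is opened from the Cisco side) so the rule is scoped to exactly the flows that need it. On pf builds that support it, `keep state (sloppy)` (exposed as the "Sloppy" state type in later pfSense releases) is the middle ground: it still records a state for the connection but skips the sequence and window checks that asymmetric paths trip over.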
-
Hi
I've been having this problem as well. The only solution I found was to create a floating firewall rule for the GRE interface to pass out any traffic; make sure the quick option is ticked and also set keep state to none in the advanced options. To be honest I don't know if this is the best solution or really why it works, but it has on my setup. I've downloaded some capture files on the interfaces to go through to see if I better understand it. But hope this helps.
I'm surprised you managed to solve this problem using the pfSense GUI. I also tried floating rules, but it didn't help in my case.
-
Just an FYI. I just realized that the DC firewall is not 2.0.x. It is still 1.2.3, which allows you to put in a route through a gateway that is not on the interface.
This saddens me. It is a valid configuration, but I am using OpenVPN, so I can just push the route through the client. :)
-
So to summarize, is GRE-over-IPsec between Cisco and pfSense 2.0.1 configurable from the webGUI?
Configurations like
http://forum.ivorde.com/freebsd-to-freebsd-ospf-over-gre-over-ipsec-transport-mode-racoon-part-1-t860.html
http://www.packtpub.com/article/network-configuration-tunneling-with-free-bsd
-
So to summarize, is GRE-over-IPsec between Cisco and pfSense 2.0.1 configurable from the webGUI?
Yes.