Can't reach web GUIs
-
Thanks
At least I know the firewall rules etc are set up correctly.
The fault is consistent with accessing my NAS, my VoIP server and my VoIP phones; again, all of them are accessible from on site.
- Also I proved overnight that I can access my NAS with OpenVPN
Regards
Mark
-
I wonder if this is a pointer to the root cause.
I notice that I can both ping my router across the VPN and I can access its web GUI across the VPN… I can't access a GUI of anything else though.
Any further help would be appreciated as this is frustrating me now.
Cheers
Mark
-
Packet capture on your LAN interface while trying to reach one of them, see if the traffic is going out.
-
Did you get anywhere with this? I have exactly the same issue.
I've replaced my router at site B with pfSense, added the IPsec settings, and it connects to the site A router fine, and all traffic works (site A is an old IP Cop box). So pfSense - IP Cop over IPsec, all fine, no issues, that's been stable for about a month.
Now I'm trying to replace the main office, site A, IP Cop box with pfSense. I've added the IPsec configuration and the firewall rules. From site B I can access everything at site A - config pages, drive shares all work. From site A I can ping any address at site B, I can telnet into the NAS at site B, I can connect to my Mac Mini web server on HTTP and HTTPS (and VNC into the system), but the web config pages for 2 NAS devices and a printer won't respond at all and I can't connect to any of the shared drives at site B.
As soon as I switch site A back to IP Cop it all works.
All firewall rules are logging on both pfSense boxes and I've monitored the firewalls at both ends, the only traffic being blocked now is on the WAN interface.
I have 2 other VPN connections to migrate connecting us to client networks for RDP access. When I tried those, again the basic connectivity seemed fine, RDP would connect and authenticate, but then the session would time out with a licensing error. Again, reconnect IP Cop and the connections work fine.
Any pointer on what to look at next would be appreciated.
-
Do you have the gateway option set on your LAN rules? If that is the case, you need some negate rules (matching rules with no gateway set) before that one so VPN internal traffic gets properly routed.
-
Each LAN end has the Anti-Lockout Rule and two LAN rules I've added, one for IP4 and one for IP6.
Currently on both sides I have:
IP4* * * * * * none
IP6* * * * * * none
(LAN interface, any protocol, any source, any destination, Log packets)
I've had variations on these, specifying the Source as LAN etc., but no change in the symptoms.
I also tried the advanced option to allow packets with IP options to pass, no difference
And I've set "Bypass firewall rules for traffic on the same interface".
Right now if I initiate a connection to the NAS control page I get the following in the firewall log:
Site A: LAN 10.10.1.2:53801 10.10.123.5:5000 TCP:S
Site B: IPsec 10.10.1.2:53801 10.10.123.5:5000 TCP:S
But no return traffic at all.
I do see return traffic from other web servers inside the site B LAN and I see regular exchanges on port 53 for DNS transfers.
-
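As an added illustration (not code from this thread or from pfSense), a small Python script that reads firewall-log lines in the shape quoted above and lists the connection attempts that only ever show an outbound SYN, which is exactly the "no return traffic" symptom being discussed. The sample entries, the simplified line format and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same shape as the firewall log quoted in
# the post (interface, src:port, dst:port, proto:flags). Not a real capture.
SAMPLE_LOG = """\
LAN 10.10.1.2:53801 10.10.123.5:5000 TCP:S
LAN 10.10.1.2:53801 10.10.123.5:5000 TCP:S
LAN 10.10.1.2:53801 10.10.123.5:5000 TCP:S
LAN 10.10.1.2:53802 10.10.123.7:443 TCP:S
IPsec 10.10.123.7:443 10.10.1.2:53802 TCP:SA
LAN 10.10.1.2:53802 10.10.123.7:443 TCP:A
LAN 10.10.1.2:53803 10.10.123.9:80 TCP:S
IPsec 10.10.123.9:80 10.10.1.2:53803 TCP:RA
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+TCP:(?P<flags>[A-Z]+)\s*$"
)

def parse_log(text):
    """Yield (iface, src, sport, dst, dport, flags) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield (d["iface"], d["src"], int(d["sport"]),
                   d["dst"], int(d["dport"]), d["flags"])

def classify_flows(text):
    """Pair each client SYN with whatever came back for the same 4-tuple.

    Returns {(client, cport, server, sport): {"syns": n, "reply": flags}};
    "reply" stays None when the firewall never logged anything coming back.
    """
    flows = defaultdict(lambda: {"syns": 0, "reply": None})
    for _iface, src, sport, dst, dport, flags in parse_log(text):
        if flags == "S":                      # bare SYN: client -> server
            flows[(src, sport, dst, dport)]["syns"] += 1
        else:                                 # treat as server -> client direction
            key = (dst, dport, src, sport)
            if key in flows and flows[key]["reply"] is None:
                flows[key]["reply"] = flags   # "SA" = handshake, "RA"/"R" = refused
    return dict(flows)

def unanswered_syns(text):
    """Flows that only ever show outbound SYNs: the 'no return traffic' symptom."""
    return sorted(k for k, v in classify_flows(text).items() if v["reply"] is None)
```

A flow that repeats SYNs with no SYN-ACK or RST back points at the path beyond the firewall (routing, the device's own gateway, or MTU), whereas an "RA" reply shows the device was reached and refused the port.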
"But no return traffic at all"
That indeed sounds like the root problem, which if you've confirmed with packet capture the traffic leaves the destination LAN and gets nothing in reply, is an issue with the NAS.
-
I went through that thought process too.
But then why would the NAS function fine when the site A end of the VPN is the IP Cop box?
I'm more inclined to think, if it's not the firewall blocking the traffic, there's something wrong in the routing tables.
-
Hi Mark
Did you resolve this issue? I am seeing something which sounds the same or similar to what you were experiencing.
I have an IPSEC VPN between two pfSense firewalls, Site 1 is pfSense v2.2.0 and Site 2 is pfSense v2.2.4. I can't upgrade the firewall at Site 1 at the moment so I am stuck with v2.2.0 on this site.
I have a Windows Terminal Server on Site 1 from which I am trying to manage a number of web GUIs on Site 2 (e.g. iLOs, the web interface of the local managed switch, the pfSense GUI, etc.). I have configured the VPN between the sites, which is working, and I am able to ping IP addresses on the remote network from the terminal server and can also SSH to both the switch and the pfSense firewall on their Site 2 local subnet IPs. However, I am getting connection reset messages from all of them when I try to access their web GUIs using HTTPS on the same IPs, despite ports 80 and 443 being allowed in the same rules on both firewalls that allow port 22.
The really odd thing is that for brief periods of time, no longer than 5 minutes, I am able to access the web GUIs, but then I start getting connection resets again. These periods of connectivity are transient and happen without any configuration changes or reboots.
If you did resolve your issue, it would be great to hear back to see if what you found matches my symptoms.
Kind regards
Ryan
-
I can recall not being able to access the web interface of some (cheap) TP-Link APs over an IPsec VPN once; the problem turned out to be related to the MTU size. I had to play around with the MSS clamping value to get it to work.
If this is the case, Wireshark captures would help your troubleshooting a lot.