Netgate Discussion Forum
    Site2site all traffic is ok except for http/https

    Scheduled Pinned Locked Moved IPsec
    22 Posts 6 Posters 3.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
van1985

I have the same trouble.
pfSense (192.168.106) - IPsec - D-Link DFL 860 E (192.168.100)

Trying to open the HTTP web page of a printer (192.168.100.52) from the pfSense LAN network (192.168.106.10).
The web page is loading... and nothing happens.

All other traffic is OK (RDP, SMB share, SIP).

If I disable the Firewall (System: Advanced: Firewall and NAT), the page will open...

      Dropping rule: @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

FirewallRules_IpSec.jpg
FirewallRules_Lan.jpg
FirewallLog.jpg
Firefox.jpg

koeievanger

Yes, exactly the same problem.

No one has any ideas?

koeievanger

Nobody?

MaxHeadroom

Try to lower the IPsec Advanced Setting

"Enable MSS clamping on VPN traffic"

Maybe that helps.

Do you have an add-on package installed?

            regards

            max

teladero

              It is so weird that you are having the same issue as me. Every other type of traffic is fine. I get an error page saying that it timed out after 60 seconds. I don't actually see anything in the firewall log. The IPSec log is saying that it is sending packets (no surprise there), but nothing too helpful.

              Does anyone have an idea on this?

Derelict (Netgate)

                My guess would be default gateways on the devices you cannot manage not being pointed at pfSense.

                Most dumb consumer routers don't support a default gateway when used as an AP connected to its LAN only, etc.

                But if you can ping 192.168.100.52 from the other side just not open its web interface, it's not routing.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

van1985

@MaxHeadroom:

Try to lower the IPsec Advanced Setting

"Enable MSS clamping on VPN traffic"

Yes! It works!
Enabling this option without any parameter solved my problem.
Thanks!

Derelict (Netgate)

                    So what does that do? Anyone? And what was the issue?


MaxHeadroom

"Enable MSS clamping on VPN traffic" is for lowering the maximum payload in a TCP segment.

In IPsec a fragmented packet causes problems, so you have to be sure that the MTU size fits your internet connection.
(Especially with PPPoE, the MTU size is lower there.)

                      MSS -> Maximum Segment Size

teladero
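The post above explains MSS clamping in two sentences; the arithmetic behind it is easier to see worked through. The following Python model is an added example, not code from this thread and not pfSense's own implementation. It counts the bytes that ESP tunnel mode adds around a TCP segment and searches for the largest MSS whose encrypted packet still fits the path MTU without fragmentation. The overhead figures (outer IPv4 header, 8-byte ESP header, 16-byte AES-CBC IV, padding to a 16-byte block, 2-byte trailer, 12-byte HMAC-SHA1-96 ICV, 8 bytes if NAT-T is in use) are assumptions for one common cipher suite, not values stated on the page; a different suite changes the numbers but not the method. The PPPoE case the post mentions is handled by subtracting the 8-byte PPPoE/PPP overhead from the link MTU.

```python
"""Estimate a tunnel-safe TCP MSS for traffic entering an IPsec ESP tunnel.

Added example (not pfSense code). Overhead constants below are assumptions
for ESP tunnel mode with AES-CBC + HMAC-SHA1-96; adjust them for your suite.
"""
from dataclasses import dataclass

IPV4_HEADER = 20      # bytes, no IP options
TCP_HEADER = 20       # bytes, no TCP options
PPPOE_OVERHEAD = 8    # PPPoE session header (6) + PPP protocol field (2)


@dataclass(frozen=True)
class EspOverhead:
    """Per-packet bytes added by ESP tunnel mode (assumed values, see module docstring)."""
    outer_ip: int = 20    # outer IPv4 header added by tunnel mode
    esp_header: int = 8   # SPI + sequence number
    iv: int = 16          # AES-CBC initialisation vector
    block: int = 16       # cipher block size; payload + trailer is padded to a multiple
    trailer: int = 2      # pad-length + next-header bytes
    icv: int = 12         # HMAC-SHA1-96 integrity check value
    nat_t: int = 0        # set to 8 when UDP encapsulation (NAT-T) is in use


def esp_packet_size(inner_len: int, ov: EspOverhead) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP encapsulation."""
    padded = inner_len + ov.trailer
    padded += (-padded) % ov.block            # round up to the cipher block size
    return ov.outer_ip + ov.nat_t + ov.esp_header + ov.iv + padded + ov.icv


def max_mss(link_mtu: int, ov: EspOverhead, pppoe: bool = False) -> int:
    """Largest MSS whose full-size segment, once encrypted, still fits the path MTU."""
    path_mtu = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    mss = path_mtu - IPV4_HEADER - TCP_HEADER     # plain-IP maximum, e.g. 1460 for 1500
    # Walk down until the encapsulated packet no longer exceeds the path MTU.
    while mss > 0 and esp_packet_size(IPV4_HEADER + TCP_HEADER + mss, ov) > path_mtu:
        mss -= 1
    return mss


def fits(mss: int, link_mtu: int, ov: EspOverhead, pppoe: bool = False) -> bool:
    """True if a segment carrying `mss` payload bytes crosses the tunnel unfragmented."""
    return mss <= max_mss(link_mtu, ov, pppoe)


def clamp_syn_mss(advertised: int, link_mtu: int, ov: EspOverhead, pppoe: bool = False) -> int:
    """What MSS clamping does to a SYN: rewrite the option down to the tunnel-safe value."""
    return min(advertised, max_mss(link_mtu, ov, pppoe))


if __name__ == "__main__":
    suite = EspOverhead()
    for label, mtu, pppoe, ov in (
        ("Ethernet 1500", 1500, False, suite),
        ("PPPoE (1492 IP MTU)", 1500, True, suite),
        ("Ethernet 1500 + NAT-T", 1500, False, EspOverhead(nat_t=8)),
    ):
        safe = max_mss(mtu, pppoe=pppoe, ov=ov)
        print(f"{label:24s} max safe MSS = {safe}  (host default 1460 -> clamp to {clamp_syn_mss(1460, mtu, ov, pppoe)})")
```

Under these assumed overheads an untouched 1460-byte MSS produces a 1560-byte ESP packet on a 1500-byte link, which is exactly the fragmentation the post warns about; clamping the SYN option down to the computed value removes it on both sides of the tunnel, since each peer sees the rewritten option.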

@van1985:

@MaxHeadroom:

Try to lower the IPsec Advanced Setting

"Enable MSS clamping on VPN traffic"

Yes! It works!
Enabling this option without any parameter solved my problem.
Thanks!

                        I tried leaving it by the default settings and it did not solve my problem. Here's another weird thing, I have a synology NAS which I manage through its web interface at https://ipaddress:35909. I can access that from across the IPsec tunnel, but not plain Jane https. My remote site is using pfsense and on the LAN interface (where I am doing all the testing from). My rules allow the LAN to access anything and everything.

                        Anybody know what might be my problem?

                        Thanks!

MaxHeadroom

                          Hi teladero

Why not lower the MSS? What is your problem with the web GUI? Maybe the NAS GUI allows access only from LAN.

If you want to access the NAS over the internet behind a pfSense, you have to add a Firewall: NAT: Port Forward for the NAS.

Please be more clear with your request.

regards, max

koeievanger

Fantastic, I also solved this by enabling the MSS clamping :)

                            THX

teladero

@MaxHeadroom:

Hi teladero

Why not lower the MSS? What is your problem with the web GUI? Maybe the NAS GUI allows access only from LAN.

If you want to access the NAS over the internet behind a pfSense, you have to add a Firewall: NAT: Port Forward for the NAS.

Please be more clear with your request.

regards, max

                              What should I lower it to?

I have had a site-to-site VPN up before with two Meraki security appliances. It worked beautifully.

                              I do not want my NAS to be accessible through port forwarding. Sorry I wasn't more clear.

teladero

@MaxHeadroom:

Hi teladero

Why not lower the MSS? What is your problem with the web GUI? Maybe the NAS GUI allows access only from LAN.

If you want to access the NAS over the internet behind a pfSense, you have to add a Firewall: NAT: Port Forward for the NAS.

Please be more clear with your request.

regards, max

                                I noticed that the default size was 1400, so I tried 1300 and that did not work. Should I just go smaller? If so, am I slowing my connection to the remote network?

                                Thanks for all your help.

MaxHeadroom

No, the connection is not faster ;D

(I think the NAS is blocking the IP... hard to guess)

                                  regards
                                  max

teladero

@MaxHeadroom:

No, the connection is not faster ;D

(I think the NAS is blocking the IP... hard to guess)

regards
max

The NAS (or any other device on my remote network) is not blocking HTTP or HTTPS traffic. It used to work fine when I was on a Meraki site-to-site VPN. Nothing has changed here except going to pfSense at one location. I can ping, do Samba shares, remote desktop, etc. across the VPN, so I know it is established. I can try and add some rules on the pfSense box to allow HTTP traffic explicitly over the VPN. I will post the results.

teladero

@MaxHeadroom:

No, the connection is not faster ;D

(I think the NAS is blocking the IP... hard to guess)

regards
max

I can't believe it... I added a rule to allow any traffic to the remote network, and it worked! The most bizarre thing is that you can clearly see the two rules below it, allowing IPv4 and IPv6 traffic sourced from the LAN to anywhere. No clue why this was necessary, but hopefully it will help someone else in my position.

                                      Thanks again MaxHeadroom!

Capture.PNG

Derelict (Netgate)

                                        That makes zero sense. What are the advanced characteristics on that second rule?


teladero

                                          @Derelict:

                                          That makes zero sense. What are the advanced characteristics on that second rule?

                                          Makes zero sense to me as well. Here's what I have for advanced settings.

Capture.PNG

Derelict (Netgate)

OK, just limiters.

I would disable the rule you added, turn logging on on the main pass rule, try to open connections across the VPN, and see what the logs say.

Hmm. Limiters. I don't see anything that should do it, but you might be hitting the 2.2.X limiter bug. Also disable the rule you added and try it without the limiters set.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.