problem for routing specific traffic through gre ipsec tunnel
-
Hi, I hope this is in the right section. we are in need of using a web service for one of our servers that just connects through GRE ipsec tunnel.
I have a DMZ net with 192.168.10.0/24 address.
i have a gre ipsec tunnel with 192.168.251.192/30 (basically: x.x.x.194 on our side and x.x.x.193 on their side.
the web service address is : 10.1.1.20
i've added a static route in : system=>routing=>static route. telling that for destination 10.1.1.0/24 network to use GRE gateway.
when i try to ping 10.1.1.20 from my 192.168.10.4 host, it does not go through. i've captured icmp packets with 10.1.1.20 destination of GRE interface. surprisingly it shows that 10.1.1.20 reply to my x.x.x.194 side of the tunnel, but i get nothing on the host, -
@vistatech
Hey
Can you show me this packet capture ?
And yet, you can do the same (packet capture) only on the lan interface. -
sorry, the local ip over tunnel is not 10.1.1.20, that's for another service (which we haven't purchased yet) the remote IP is 10.1.1.150. in this capture is when i capture GRE interface and when i try to ping 10.1.1.150 from my windows host.but i don't get any response.
-
- disable NAT outbound
- what does packet capture show on the lan interface ?
-
also, it seems like I can't ping 192.168.251.193 which is the ip of the remote end of the tunnel.
-
disabled out going NAT. seems like my tunnel isn't working like i expected it. i just can ping it from my own side of the tunnel, not anywhere else.
-
@vistatech
pfsense can ping 10.1.1.150 and 192.168.251.193 ? -
if source is gre interface YES. not localhost or wan or DMZ or LAN interfaces. is there a routing or firewall problem??
-
@vistatech
The second side of the tunnel knows about the network 192.168.10.0/24 ? -
No. they just accept request from 192.168.251.194. so we need NAT, right? is there a need for static routing?
sorry i'm a beginner. -
@vistatech
If you do not know and there is no way to configure a static route there , then return outbound NAT- 192.168.10.4 can ping 192.168.251.193 ?
Show NAT outbound settings
- 192.168.10.4 can ping 192.168.251.193 ?
-
1- no it can't ping x.x.x.193. should i route the requests for that??
-
@vistatech
Show packet capture on the lan interface -
it is similar to pinging 10.1.1.150 just request and no reply
-
@vistatech
here you can see that the answer comes to the gre interface
and on the lan interface the answer comes ?
-
no. it does not come to lan interface. here is what i assumed:
that capture is when i ping 10.1.1.150 (remote GRE ip) from my windows box (192.168.10.4) packet capture on lan shows a bunch of request. but packet capture on gre shows that requests from 192.168.251.194 (my side of GRE) goes to 10.1.1.150 and reply comes from 10.1.1.150 to x.x.x.194 and from there it does not come to my windows box. -
@vistatech
Are there any Floating Rules ? -
yes there is one, for GRE interface, with source and destination set to any.
since the requests go through 192.168.251.194, it seems like routing is being done, but NAT is not. -
should i be able to ping my local windows host (192.168.10.4) from my GRE interface?? if yes i can't.
-
@vistatech
Show this rule