problem for routing specific traffic through gre ipsec tunnel
-
Sorry, the local IP over the tunnel is not 10.1.1.20; that's for another service (which we haven't purchased yet). The remote IP is 10.1.1.150. This capture is from when I capture the GRE interface and try to ping 10.1.1.150 from my Windows host, but I don't get any response.
-
- Disable NAT outbound
- What does the packet capture show on the LAN interface?
-
Also, it seems like I can't ping 192.168.251.193, which is the IP of the remote end of the tunnel.
-
Disabled outgoing NAT. It seems like my tunnel isn't working like I expected it to. I can just ping it from my own side of the tunnel, not from anywhere else.
-
@vistatech
Can pfSense ping 10.1.1.150 and 192.168.251.193?
-
If the source is the GRE interface, YES. Not from localhost or the WAN, DMZ or LAN interfaces. Is there a routing or firewall problem?
-
@vistatech
Does the second side of the tunnel know about the network 192.168.10.0/24?
-
No. They just accept requests from 192.168.251.194. So we need NAT, right? Is there a need for static routing?
Sorry, I'm a beginner.
-
@vistatech
If you do not know and there is no way to configure a static route there, then return outbound NAT
Show NAT outbound settings
- 192.168.10.4 can ping 192.168.251.193 ?
-
1- No, it can't ping x.x.x.193. Should I route the requests for that?
-
@vistatech
Show the packet capture on the LAN interface
-
It is similar to pinging 10.1.1.150: just requests and no reply.
-
@vistatech
Here you can see that the answer comes to the GRE interface.
And does the answer come on the LAN interface?
-
No, it does not come to the LAN interface. Here is what I assumed:
That capture is from when I ping 10.1.1.150 (remote GRE IP) from my Windows box (192.168.10.4). The packet capture on LAN shows a bunch of requests, but the packet capture on GRE shows that requests from 192.168.251.194 (my side of GRE) go to 10.1.1.150 and the reply comes from 10.1.1.150 to x.x.x.194, and from there it does not come to my Windows box.
-
@vistatech
Are there any Floating Rules?
-
Yes, there is one, for the GRE interface, with source and destination set to any.
Since the requests go through 192.168.251.194, it seems like routing is being done, but NAT is not.
-
Should I be able to ping my local Windows host (192.168.10.4) from my GRE interface? If yes, I can't.
-
@vistatech
Show this rule
-
Which rule?
-
@vistatech said in problem for routing specific traffic through gre ipsec tunnel:
which rule
The Floating rule for the GRE interface.
And another question:
GRE over IPsec
Is IPsec (phase 2) in transport mode?
Is this correct?
It's just that pfSense doesn't always work correctly with GRE over IPsec.