Netgate Discussion Forum
    Confused about traffic through tunnel

    Category: IPsec
    8 Posts 3 Posters 803 Views
      taustinoc

      I have two pfSense boxes set up, with an IPsec tunnel between them. The status page says the tunnel is connected, and I can see the packet count go up when I try to ping through the tunnel. But the only thing I can actually ping is the LAN address of the other pfSense box. (I do have the IPsec firewall rule set up, wide open at the moment.)

      Local firewall: 192.168.1.20
      Local desktop: 192.168.1.114

      Remote firewall: 192.168.50.2
      Remote desktop: 192.168.50.100

      192.168.1.114 can ping 192.168.1.20
      192.168.1.20 can ping 192.168.1.114
      (local network works normally)

      192.168.1.114 can ping 192.168.50.2
      (local desktop can ping remote firewall LAN address)

      192.168.1.114 cannot ping 192.168.50.100
      If I watch the IPsec status page on both firewalls, packets out on 192.168.1.20 (local) go up, packets in do not.
      Packets in on 192.168.50.2 (remote) go up, but packets out do not.

      It works the same way in the other direction - remote desktop and remote firewall can ping each other, remote desktop can ping local firewall, but not local desktop. Same with packet count.

      I'd think the issue was with the desktop network settings, if they couldn't ping through the tunnel to the other firewall's LAN address. So I'm completely baffled.

        viragomann

        Are pfSense boxes the default gateways in the local networks?

        Also consider that access from remote networks may be blocked by the destination device. So you may have to configure its firewall to allow that access.

          taustinoc

          The remote box is the only firewall there. The local one is not, but it is set as the default (and only) gateway on the desktop (with fixed IPs, no DHCP involved). I can isolate it into a separate physical network if need be.

          Both desktops respond to pings from the pfSense box local to them. (The Win7 box does by default, the Win10 box has the firewall setting to allow it.)

            viragomann @taustinoc

            @taustinoc said in Confused about traffic through tunnel:

            Both desktops respond to pings from the PFSense box local to them.

            The point is if they respond to ping from remote network.

            On the remote pfSense go to Diagnostics > Ping and ping the remote client with default settings. Guess that will work.
            Then select LAN at "Source address" and try again.

              taustinoc

              Both desktops respond with both settings to the pfSense box local to them. Neither responds to the pfSense box remote to them.

                viragomann

                So the ping will be blocked by the destination client's firewall.

                  taustinoc

                  That has never been the case before. (I have a number of VPN connected locations using other firewalls.) I've double checked the firewall rules on both desktops, and everything is set right.

                  (Also, it's not just pings. Nothing works through the tunnel, except pinging the LAN address of the firewall at the other end.)

                    Derelict LAYER 8 Netgate

                    @taustinoc said in Confused about traffic through tunnel:

                    I've double checked the firewall rules on both desktops, and everything is set right.

                    If you can ping the LAN address at the other end then the tunnel is up and working.

                    Use packet captures. Ping something on the LAN on the other side and pcap there. Do you see the traffic leaving that interface? Is there a reply? If not find out why not. Compare with a capture to the same host from the local pfSense's LAN interface.

                    This problem is almost always one of two things:

                    1. The default gateway on the target host is not the VPN firewall. It seems you have eliminated this since the host can ping the far side's LAN interface address so that leaves...
                    2. The software firewall (think windows firewall) on the target host is not allowing connections to the target host from the foreign subnet. It could be some other local security software on the host breaking things too.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)
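The second cause above (the host's own firewall only admitting traffic from its local subnet) can be checked and fixed without touching the tunnel. The following is an added example, not code from the thread or from Netgate: it is run in an elevated PowerShell session on the Windows desktop that does not answer (192.168.50.100 in the thread), and it assumes the far-side LAN is 192.168.1.0/24 as the original poster listed it. The rule name is a label chosen here.

```powershell
# Added example (not from the thread). Run as Administrator on the remote desktop
# (192.168.50.100). Assumption from the OP's addressing: the far-side LAN is 192.168.1.0/24.
$FarSideLan = '192.168.1.0/24'

# 1. Inspect the built-in ICMPv4 echo rules and their remote-address scope.
#    On the Private/Public profiles these rules are typically scoped to
#    RemoteAddress = LocalSubnet, which is exactly the symptom in the thread:
#    the host answers its own pfSense on 192.168.50.x but silently drops
#    echo requests arriving from 192.168.1.x, even though the rule is "enabled".
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.DisplayName -like '*Echo Request - ICMPv4-In*' } |
    ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = $scope.RemoteAddress
        }
    } | Format-Table -AutoSize

# 2. Rather than widening the built-in rules to "Any", add one inbound rule that
#    admits echo requests (ICMP type 8) only from the VPN peer's LAN.
$ruleName = 'Allow ICMPv4 Echo from VPN LAN'   # label chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $FarSideLan -Action Allow -Profile Any | Out-Null
}

# 3. Confirm the new rule carries the intended scope before re-testing from the
#    far side (Diagnostics > Ping on the far pfSense, source address set to LAN).
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The same LocalSubnet scoping applies to the other rules in the File and Printer Sharing group, which is consistent with the poster's remark that nothing but the far firewall's LAN address is reachable; each service that must be reachable across the tunnel needs its own rule scoped to the far-side subnet, not to the whole Internet. Step 1 is the check to run first: if the scope already shows the far subnet, the host firewall is not the blocker and the packet-capture comparison described above is the next step.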

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.