IPSEC DNS Traffic issue
-
@Derelict Will do and will let you know what I find.
-
@Derelict It's not just DNS that's an issue, it's also printing. We can send a request to the server at the main office to print to the remote printer at the remote location, but the main server cannot communicate with the remote printer. I put the old firewalls back in place and the print job commences. Here are screenshots from both firewalls. PDFs labeled 101 are the main office and 102 is the remote location.
-
No idea what's in that zip file. Doesn't look like pdfs to me.
I suggest attaching images to posts like everyone else does.
-
@Derelict I sent the wrong zip file, I just reattached an external link to Droplr as it would not let me attach the zip file created by my Mac.
-
None of that is really any help.
Routes mean nothing to policy-based IPsec. The traffic selectors control what goes where, not the routing table.
-
@Derelict What do you want me to acquire from the firewalls? This is a plain-Jane install. Only thing configured was Dynamic DNS, IPSEC VPN and the firewall rules to allow everything. Nothing else was touched. Do I just restore the firewalls and start from scratch? This just does not make sense.
-
Draw a network diagram specifically containing the pieces that are not working.
Problems like this are almost always caused by firewalls on the target servers themselves. As in the target DNS server is not allowing DNS queries sourced from the remote network.
Hence my original request that you troubleshoot this using DNS resolution tools, not RDP, web, etc.
-
@Derelict There is nothing special going on here whatsoever. They are using the same network addresses as the old firewalls. It has nothing to do with the servers. The only thing changing is the firewalls, both of which are configured identically. The old Netgate firewalls are running MonoWall. The new firewalls are preconfigured with pfSense. They have identical rules, IPSEC configuration and use the same dynamic DNS. There is nothing on the servers that would limit anything. When the old firewalls are connected everything operates properly. It's not until I bring up the new firewalls that these issues present themselves. Nothing is being touched on the servers. I can Remote Desktop into both servers from the remote site with no issues. However I cannot connect to the DNS service at the main office from the remote site. Also the main site server cannot connect to the remote printer. The minute the old firewalls are reattached everything works flawlessly. There is something going on in the new firewalls, but all of the settings are identical to the old firewalls. IPSEC is fine, the tunnels come up with no issue. The firewall rules are identical to the old firewalls, all traffic is allowed through. There is nothing being blocked. However DNS packets are not going across, nor printing services. I could understand if I had rules set for specific services and something wasn't entered right, but when the only rule is to allow all traffic there is nothing to screw up there.
-
None of that gives us anything to go on either.
Please understand that if everything was configured correctly, it would be working.
What is not configured correctly cannot be gleaned from you saying everything is configured correctly but not showing your work.
You have not shown us anything since you opened this thread over three weeks ago.
-
I asked what you wanted a couple of posts ago. Rather than telling me exactly what you need to see, you'd rather blame the server configuration. What network or firewall setting is going to change on its own depending on which firewall is running? There is something off with the configuration of the firewall, whether it be a configuration issue or corruption in the firewall itself. I'm just looking for guidance on where the problem could lie in the firewall and that's it.
-
This is simple network troubleshooting. You check DNS. Does it work? No? Fix it. Then go hop-by-hop until you find the problem.
https://docs.netgate.com/pfsense/en/latest/routing/connectivity-troubleshooting.html?highlight=connectivity
All you have said is "There is nothing wrong with my network. Tell me what's wrong with my network."
-
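As an added example (not code from this thread, and not pfSense's own tooling): a small Python script that does the two things the replies above ask for. It checks whether a source/destination pair is actually covered by a Phase 2 traffic selector, since on a policy-based tunnel the selectors, not the routing table, decide what is carried; and it queries one specific DNS server directly over UDP and then TCP with a short timeout, so DNS reachability across the tunnel is tested on its own rather than inferred from RDP working. The selector list, addresses and hostname are constructed placeholders, not values from the thread.

```python
"""Two checks for "tunnel is up but one service fails" (added example, not from the thread).

selector_covers(): does src->dst fall inside any Phase 2 selector?  Policy-based
IPsec only encrypts traffic matching a selector; anything else never enters the tunnel.
dns_probe(): ask one DNS server directly (like `dig @server`) over UDP and TCP so a
blocked port 53 shows up as a timeout while, say, RDP on 3389 still works.
"""
import ipaddress
import socket
import struct

# Constructed Phase 2 selectors (local network, remote network) as seen from the
# main office firewall.  Placeholder values only.
PHASE2_SELECTORS = [
    ("192.0.2.0/24", "198.51.100.0/24"),
]


def selector_covers(src: str, dst: str, selectors=PHASE2_SELECTORS) -> bool:
    """True if src->dst matches some selector in either direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        ln, rn = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        if (s in ln and d in rn) or (s in rn and d in ln):
            return True
    return False


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD set), QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab for lab in name.strip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, txid: int = 0x1234) -> dict:
    """Return rcode, answer count and TC flag; raise if the reply is not ours."""
    if len(data) < 12:
        raise ValueError("response shorter than DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full reply")
        buf += chunk
    return buf


def dns_probe(server: str, name: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Query `server` directly over UDP and TCP; report what each transport saw.
    'timeout' on both while ping works points at a port-53 filter on the path or
    on the target host, not at a down tunnel."""
    q = build_query(name)
    results = {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
            u.settimeout(timeout)
            u.sendto(q, (server, port))
            data, _ = u.recvfrom(512)
            results["udp"] = parse_response(data)
    except socket.timeout:
        results["udp"] = "timeout"
    except (OSError, ValueError) as e:
        results["udp"] = f"error: {e}"
    try:
        with socket.create_connection((server, port), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(t, 2))
            results["tcp"] = parse_response(_recv_exact(t, length))
    except socket.timeout:
        results["tcp"] = "timeout"
    except (OSError, ValueError) as e:
        results["tcp"] = f"error: {e}"
    return results


if __name__ == "__main__":
    # Placeholder addresses: a remote-LAN workstation asking the main-office DNS server.
    print("covered by P2 selector:", selector_covers("198.51.100.20", "192.0.2.10"))
    print(dns_probe("192.0.2.10", "example.com"))
```

Run it from a workstation on the remote LAN with the main-office DNS server's real address substituted. If selector_covers() is false for the pair, the packets are never entering the tunnel regardless of the allow-all rules; if it is true and both transports time out while RDP to the same host works, the filter is specific to port 53, which is the "firewall on the target server" case described above.
-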
@Derelict Why do you keep harping on the network? Why can't you wrap your head around the fact that the only thing changing is the firewall? When the old firewall is in place everything functions properly. It's not until the new firewall is in place that this issue comes up. So it's either a configuration issue on the new firewall or some sort of corruption. I'm trying to get help tracking down where the issue lies inside the firewall. I have asked what you need to see from the firewall to try to figure out what's going on, but you continue to go after a working network that has had 0 issues until the new firewalls were introduced. As soon as the old firewalls are brought back up everything works fine again. As far as the link you sent:
WAN:
If the WAN settings were off the tunnel would never be established and it is.
LAN:
Is set properly as I can Remote Desktop to both remote servers.
Firewall/Rules:
Only one rule is set for LAN and also for IPSEC - Allow All
Client Tests:
I can ping everything on both sides of the network. Remote -> Main & Main -> Remote
The main fact that I have an allow-all rule and Remote Desktop works but DNS and printing do not with the new firewalls shows that it's something within the firewall, not the network. I can state this with 100% confidence as ONCE AGAIN, the old firewalls which were purchased from Netgate work perfectly. It's not until I put the new firewalls up that these issues come up.
So please, for the love of God, ask me for some diagnostic data from the firewalls themselves to try to track down this issue rather than continuing to harp about the existing and 100% functioning network.
-
@TechUnplugged Also there are no hops other than the tunnel.
Main Office (Servers) -> Switch -> Netgate Firewall -> Internet <- Netgate Firewall <- Switch <- Workstations
-
Great. Apply IP addresses and networks to all of that and show your configuration. Need to see all of the interfaces, all of the interface rules including IPsec tabs, all of the IPsec configuration, etc. Then explain exactly what is NOT working in a manner such that there is no guessing involved.