    Traffic originated by Firewall itself cannot enter IPSEC tunnel

Category: IPsec | 2 Posts, 1 Poster, 347 Views
omber wrote:

      I have an IPSEC tunnel between my site and vendor site. Vendor side is Cisco ASA.

Normal traffic flows correctly between encryption domains. It is worth noting that I am using PAT on my side of the tunnel to hide all source IPs behind one address.

I now need to set up my pfSense DNS Resolver to query the vendor-side internal DNS server. I have configured this, but while debugging I discovered that the firewall itself cannot reach systems inside the remote encryption domain. Using nslookup I can query the server from my laptop, which resides in my encryption domain:

      omber@OMBER-LAPTOP:~$ nslookup pve1.vendordomain.lan 172.17.12.18
      Server:         172.17.12.18
      Address:        172.17.12.18#53
      
      Name:   pve1.vendordomain.lan
      Address: 172.17.12.6
      

      However I cannot complete the same query directly from the pfSense firewall:

      [2.4.4-RELEASE][lukasz@gw.mydomain.local]/home/lukasz: nslookup pve1.vendordomain.lan 172.17.12.18
      ;; connection timed out; no servers could be reached
      

      Here mydomain and vendordomain are replacements for real values to keep anonymity.

I recall this being some issue with the kernel and that it doesn't understand how to originate requests like these. Is there a solution?

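The symptom above is a source-address problem rather than a DNS problem. With policy-based IPsec on pfSense (FreeBSD kernel, strongSwan), the remote subnet is not in the routing table; a packet the firewall generates itself therefore follows the default route, the kernel picks the WAN address as its source, and the (WAN IP, 172.17.12.18) pair matches no Phase 2 selector, so the packet is sent in the clear out of WAN and times out. A LAN host's packet carries a LAN source and matches. The model below is an added example written for this thread; it is not code from the forum post, from pfSense or from strongSwan. The LAN, WAN and gateway addresses are constructed (only 172.17.12.0/24 and 172.17.12.18 come from the post), the Phase 2 entry is a plain LAN-to-remote selector, and the PAT the poster uses on the tunnel is deliberately left out of the model. The "static route" case mirrors the fix in the Netgate article linked in the reply, as I read it: routing the remote subnet via a LAN-side gateway so source selection yields the LAN address.

```python
"""Why firewall-originated traffic misses a policy-based IPsec SPD.

Added illustration, not pfSense/strongSwan code. All addresses other than
the vendor network 172.17.12.0/24 and 172.17.12.18 are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    iface_addr: IPv4Address   # address the kernel uses as source if this route wins


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network        # local encryption domain (SPD source selector)
    remote: IPv4Network       # remote encryption domain (SPD destination selector)


def pick_source(routes: Iterable[Route], dst: str) -> IPv4Address:
    """Longest-prefix-match route lookup, returning the outgoing interface
    address. This is how the kernel chooses the source of a locally generated
    packet when the application did not bind one itself."""
    dst_ip = ip_address(str(dst))
    best = max((r for r in routes if dst_ip in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    if best is None:
        raise ValueError(f"no route to {dst_ip}")
    return best.iface_addr


def spd_match(entries: Iterable[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the Phase 2 selector covering (src, dst), or None. Policy-based
    IPsec consults the SPD on output regardless of which route was chosen."""
    src_ip, dst_ip = ip_address(str(src)), ip_address(str(dst))
    for p2 in entries:
        if src_ip in p2.local and dst_ip in p2.remote:
            return p2
    return None


def tunnel_verdict(routes: Iterable[Route], entries: Iterable[Phase2],
                   dst: str, src: Optional[str] = None) -> Tuple[IPv4Address, bool]:
    """(chosen source, enters tunnel?). src=None means the firewall itself
    originates the packet and lets the kernel pick the source address."""
    src_ip = ip_address(str(src)) if src is not None else pick_source(routes, dst)
    return src_ip, spd_match(entries, src_ip, dst) is not None


# Constructed topology (assumptions, not taken from the post).
LAN = ip_network("10.10.0.0/24")
LAN_IP = ip_address("10.10.0.1")          # firewall's LAN address
WAN_IP = ip_address("203.0.113.10")       # firewall's WAN address
REMOTE = ip_network("172.17.12.0/24")     # vendor encryption domain (from the post)
VENDOR_DNS = "172.17.12.18"               # vendor DNS server (from the post)

PHASE2 = [Phase2(local=LAN, remote=REMOTE)]

# Default table: only the connected LAN and a default route out WAN.
ROUTES_DEFAULT = [
    Route(ip_network("0.0.0.0/0"), "wan", WAN_IP),
    Route(LAN, "lan", LAN_IP),
]
# Fix modelled after the linked Netgate article: a static route for the remote
# subnet via a LAN-side gateway, so the LAN address becomes the source.
ROUTES_WITH_STATIC = ROUTES_DEFAULT + [Route(REMOTE, "lan", LAN_IP)]


if __name__ == "__main__":
    print("firewall, default table :", tunnel_verdict(ROUTES_DEFAULT, PHASE2, VENDOR_DNS))
    print("laptop 10.10.0.55        :", tunnel_verdict(ROUTES_DEFAULT, PHASE2, VENDOR_DNS, "10.10.0.55"))
    print("firewall, static route   :", tunnel_verdict(ROUTES_WITH_STATIC, PHASE2, VENDOR_DNS))
    print("firewall, bound to LAN IP:", tunnel_verdict(ROUTES_DEFAULT, PHASE2, VENDOR_DNS, str(LAN_IP)))
```

The last case in the script corresponds to binding the source yourself instead of changing routing: from the firewall shell, `dig @172.17.12.18 -b <LAN IP> pve1.vendordomain.lan` or `ping -S <LAN IP> 172.17.12.18` will succeed where plain nslookup times out, which confirms the diagnosis before touching the configuration; for Unbound the equivalent is restricting Outgoing Network Interfaces in Services > DNS Resolver to LAN. Either way, verify the chosen source actually falls inside the Phase 2 local network as configured on both ends; with the PAT the poster describes, the address the ASA side expects is the translated one, and that detail is outside this model.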
omber replied:

        Here is the answer: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.