PFSense unable to communicate with Salt Master
-
Hey Guys,
I've been trying this since more than week now but unable to make it work. I have PFSense on which I have installed the py37-salt package and configured the minion file to communicate with the Salt Master. The settings that I have changed are the #master: & #id:
My Salt Master is on a different network and there is an IPSec tunnel created from PFSense to Strongswan for the communication.
What I wanted to know, is it possible for the pfsense to communicate with the Salt master over VPN IPSec? Currently it doesn't seem to be communicating with the Salt Master even though the VPN IPSec tunnel is up. I am able to ping the Salt Master IP from the PFSense. Is there maybe some settings that I need to change to make this work. If any more information is required then please let me know.
Any advise or help on this would be greatly appreciated.
Thanks in advance.
-
The Salt master communicates with the minions using an AES-encrypted ZeroMQ connection. These communications are done over TCP ports 4505 and 4506, which need to be accessible on the master only.
So I suppose you also need to adjust access to these ports depending on your exact topology.
-
Hi netblues,
Thank you for replying. I have the ports 4505 and 4506 opened on the Salt Master. I am able to telnet from the PFSense to Salt Master IP on port 4505 and 4506 but still the minion doesn't communicate with the Salt Master. If I do a sudo salt-key -L it doesn't show the minion ID of the pfsense under Unaccepted Keys.
Is there any more settings that needs to be changed in the minion file on the PFSense?
-
My knowledge about salt master and minions begun about 20 minures ago, when I googled.
But since you can telnet and connect to these ports from pf-cli, it should be the same for any program that runs on the same box. At least as far as networking is concerned.Netstat should give you an idea about connection status too.
-
Hey netblues,
Thank you for replying. I tried the netstat command and it does show a syn request from the PFSense WAN IP to the Salt Master but still I am not getting the key for this minion (PFSense) on the salt master.
I am not sure if anyone has tried this before. I haven't really got much help searching on google.
-
@tlotr syn means the beginning of a tcp connection. So it doesn't get anything back.
Are you sure that you actually connect with telnet to the port?Verify you have necessary allow rule on firewall, ipsec too.
-
@netblues : Yep I am able to telnet using the following command telnet -s 192.168.2.1 10.207.1.151 4505
192.168.2.1 => PFSense LAN IP
10.207.1.151 => Salt MasterI have checked the firewall rule for the IPSec, LAN and WAN and the traffic is allowed.
If I connect a machine to the LAN port of PFSense (192.168.2.5) and install salt minion in it and configure it. This machine (192.168.2.5) is able to communicate with the Salt Master but not the actual PFSense itself.
-
@tlotr So this means tunnel is ok, fw rules are fine...
try adding a floating rule allowing all tcp traffic to host 10.207.1.151 (and check quick)
and retry -
@netblues : I tried the floating firewall but it didn't help.
I wanted to know if it all its possible to route traffice in PFSense from the WAN interface (any port) which is going to a specific IP (10.207.1.151) on port 4505 and 4506 to be routed to the LAN IP 192.168.2.1
-
@tlotr Lan ip? When something runs on pf, and makes a network connection to a remote host uses the local ip of the connected gateway to that host.
I believe you are not "protecting" the ip used by ipsec phase2
Can you post your ip sec settings, especially p2 and a network diagram to make it clear.?