@viragomann said in Outbound NAT over IPSEC tunnel not working:

@shaunmccloud said in Outbound NAT over IPSEC tunnel not working:

And the minute I add a P2 entry in my pfSense box for a remote network of 0.0.0.0/0, all network traffic but local dies.

So I'd assume, that the traffic is routed over the VPN, but not out on WAN.

But this is only the half of the battle. The traffic must be natted on the remote site

If the Meraki doesn't masquerade your subnets there is no way to go out to the internet through it.

I decided to cheat, and throw a virtual pfSense box in the data center to connect to. I'll see how that works tomorrow.

@asodipo
Console Menu Basics
Using the PHP Shell

@emc

This issue has been fixed. NAT is working. It was a firewall issue in the PBX. I've whitelisted the IPs on the PBX's firewall and it works. Thank you everyone for your help.

@viragomann @jimp

LANRuleFailure.JPG

I modified the LAN rule to use aliases that were not subject to any security settings but passed traffic to the correct gateway. Then I copied the LAN rule, made it a block rule and changed the gateway to the gateway we don't want that traffic to exit on.
RESULT: Traffic still passes to the wrong gateway.

Then I switched the order of the rules. Traffic was unchanged. The packet captures still show the traffic flowing from LAN to W-mpls instead of being blocked or flowing to C-ens.

Nothing is logged for these connections. I think I found a bug.

please see this post for way more information.

@johnpoz
Ok,
So after tons of testing I think I can say it's the GeoIP causing the issue,
Not sure why, and it's not consistent 100% of the time,
But when Floating rules are enabled (and the interfaces are selected in inbound and outbound) and GeoIP is enabled as Deny Inbound, the issue exist.
I wasn't able to reproduce the issue when Floating Rules was disabled.

Sometimes even if Floating Rules was enabled and GeoIp was enabled then it worked (for example when changing the Floating Rules from disable to enable while GeoIp was enabled, it worked sometimes and no issue existed.

Only if i disabled all GeoIp, forced PfBlocker to reload all rules (under Update), Enabled GeoIp, forced reload again then the issue happened I think every time.

It also seems like for me, while I live in Israel (which is part of Asia Alias), Europe GeoIp caused more for the issue to happen, even if only one country from that filter was selected.

I know it's not 100% step by step on how to re-produce the bug but that's what I managed to gather so far, hope it's enough.

3d34463f-dbd7-4149-a18d-fe9ffc806a63-image.png

@jasonharper Could you send me an example print please?