Able to create IPSEC VPN but cannot pass LAN traffic



  • Hi, I have a fairly complicated PFSense setup used for terminal server hosting. It has been working exactly as expected for about a year but now I'd like to provide the ability for IPSec VPN connections to these servers.

    I'm provided several WAN IPs over a single connection from the provider. These are bound to my WAN interface.

    In PFSense I have it configured as follows:
    1/ Create Virtual IP matching new WAN IP. We'll call this 1.1.1.1
    2/ Create VLAN on my LAN interface and configure it with a static IPv4 subnet. We'll call it 10.10.10.0/24
    3/ Spin up a host on this LAN, assign the NIC to the VLAN, and give it an IP of 10.10.10.2/24
    4/ Create a 1:1 NAT rule passing 1.1.1.1 to 10.10.10.2
    5/ Create WAN firewall rules allowing ingress traffic to this host

    This works exactly as expected.

    What is not working is IPSec. It's configured as follows:
    P1:
    1/ Interface 1.1.1.1 (Virtual IP)
    2/ Remote gateway is set to remote host. We'll call this 2.2.2.2
    P2:
    1/ Model: Tunnel IPv4
    2/ Local Network: VLAN subnet
    3/ Remote Network: LAN subnet on remote router. We'll call this 10.10.20.0/24
    Firewall:
    1/ Allow any to any on IPSEC
    2/ Allow 500, 4500, 51 on VLAN

    When the tunnel comes up, I can use PFSense's PING utility and, after choosing the virtual interface, can ping any host at the remote site (10.10.20.1 -> 10.10.20.254)
    From the remote site, I can ping PFSense's VLAN IP (10.10.10.1) but cannot ping the attached host (10.10.10.2).
    From the host, I cannot ping any remote host including the router (10.10.10.1)

    I suspect this is a routing issue but, no matter what I try, cannot seem to get the LAN host to recognize the VPN nor get traffic flowing to and from it despite PFSense being able to using the ping utility.

    Any assistance or suggestions would be greatly appreciated!
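    As an added example (not part of the thread), below is a small Python model of how pfSense evaluates firewall rules: on the interface where a packet enters, first match wins, and anything unmatched falls to the default deny. It is loaded with the three rule groups listed in the post (WAN rules written against the 1:1 NAT target 10.10.10.2, any-to-any on IPsec, and UDP 500, UDP 4500 and IP protocol 51 on the VLAN) and evaluates the first packet of each ping described above. The interface names, the remote LAN host 10.10.20.10 and the Internet client 203.0.113.5 are constructed values; pfSense is stateful, so replies to a permitted packet need no rule of their own and are not modelled. A sixth rule, `VLAN_TO_REMOTE`, is an assumption added to show how the verdicts change when the VLAN subnet is explicitly passed toward the remote subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet ENTERS on; pfSense evaluates rules there
    proto: str                  # "tcp", "udp", "icmp", or an IP protocol number as text, e.g. "51"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp, None for other protocols


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                  # "pass" or "block"
    proto: str = "any"
    src: str = "any"             # "any", a single address, or a CIDR
    dst: str = "any"
    dport: Optional[int] = None  # None = any port

    @staticmethod
    def _in(spec: str, addr: str) -> bool:
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.proto in ("any", p.proto)
                and self._in(self.src, p.src)
                and self._in(self.dst, p.dst)
                and self.dport in (None, p.dport))


# Rule set transcribed from the post. With 1:1 NAT, the WAN rule is written
# against the internal address; the VLAN interface admits only IKE (UDP 500),
# NAT-T (UDP 4500) and IP protocol 51 as listed there.
RULES: List[Rule] = [
    Rule("WAN", "pass", dst="10.10.10.2"),
    Rule("IPSEC", "pass"),
    Rule("VLAN", "pass", proto="udp", dport=500),
    Rule("VLAN", "pass", proto="udp", dport=4500),
    Rule("VLAN", "pass", proto="51"),
]

# Assumed extra rule, NOT from the post: pass the VLAN subnet toward the remote subnet.
VLAN_TO_REMOTE = Rule("VLAN", "pass", src="10.10.10.0/24", dst="10.10.20.0/24")


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule on the ingress interface wins; no match means default deny."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "block", None


def diagnose(rules: List[Rule] = RULES) -> dict:
    """Verdict for the first packet of each flow described in the post.
    10.10.20.10 (remote LAN host) and 203.0.113.5 (Internet client) are constructed."""
    cases = {
        "host -> pfSense VLAN IP":         Packet("VLAN", "icmp", "10.10.10.2", "10.10.10.1"),
        "host -> remote LAN host":         Packet("VLAN", "icmp", "10.10.10.2", "10.10.20.10"),
        "remote host -> LAN host":         Packet("IPSEC", "icmp", "10.10.20.10", "10.10.10.2"),
        "remote router -> pfSense VLAN IP": Packet("IPSEC", "icmp", "10.10.20.1", "10.10.10.1"),
        "Internet client -> 1:1 NAT host": Packet("WAN", "tcp", "203.0.113.5", "10.10.10.2", 3389),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    print("Rules as listed in the post:")
    for name, verdict in diagnose().items():
        print(f"  {verdict:5s}  {name}")
    print("With VLAN_TO_REMOTE appended:")
    for name, verdict in diagnose(RULES + [VLAN_TO_REMOTE]).items():
        print(f"  {verdict:5s}  {name}")
```

Under the rules as written, an ICMP echo leaving the host on the VLAN interface matches none of the three VLAN pass rules, whether it is aimed at 10.10.10.1 or at the remote subnet, and falls to the default deny, while the same echo entering on the IPsec interface is passed. Appending `VLAN_TO_REMOTE` passes the host's traffic to 10.10.20.0/24 but still leaves its ping to the pfSense VLAN address unmatched, which is a useful reminder that each interface's rule list is evaluated independently.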



  • @manxam:

    From the host, I cannot ping any remote host including the router (10.10.10.1)

    Can you please verify the TCP/IP settings on that host? You should be able to ping devices in the same subnet (router) with correct settings…

