Netgate Discussion Forum
    IPSec Traffic are still blocked even if allowed on rules

frostmir

      Hi everyone,

We are having a DFS Replication problem on our VPN. Currently we have a site-to-site VPN connection and set up a DFS file replication from the other site to ours. But files and folders are not replicating from the DFS replication. Upon checking the firewall logs, I have verified that the local IPs of the DFS server and domain controller from the other site are being blocked on the IPsec interface. I have now attached the sample firewall log and the rules that I have applied on the IPsec interface.

192.168.36.0 & 192.168.16.0 are our IP subnets
192.168.13.0 is the other site's IP subnet

I have allowed these IP subnets on the IPsec interface, but I'm still getting these firewall logs and files and folders are still not replicating from or to the other site.

      Thanks in advance for your advices  ;D ;D ;D


doktornotor

        Please post a human readable screenshot of firewall logs and rules. Not the raw mess.

Derelict (Netgate)

          Obviously, you have not passed the proper traffic on the IPsec tabs on both sides. Or at least the connection destination side.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

frostmir

Apologies. I have modified my post and uploaded the image of the firewall log and IPsec interface rules from our pfSense.

Derelict (Netgate)

              I have no idea what you are doing with all that policy routing on the IPsec tab.

              All you need to accept all connections from the other side is the third rule there.

The IPsec tab can be thought of as an interface (it is actually an interface group, but that is just semantics). It passes connections INTO the firewall from the other side of IPsec tunnels. So you will never see traffic sourced from local subnets on that interface.

              So the first rule passing traffic sourced from local 192.168.36 makes no sense.

The second rule is going to take traffic from 192.168.13 to 192.168.16 and send it out the load-balancing group, which is probably not what you want.

              The third rule should catch everything from the remote site.

Look out for policy routing on the 192.168.36 and 192.168.16 interfaces. If traffic matches a policy route it will be sent to that gateway. That means it will not be interesting to IPsec, as it has already been routed.

frostmir

What I really did is use the Easy Rule to allow the traffic that is being blocked from the firewall logs ;D. I'm sorry for all the noob questions ;D ;D. But I think I need to read some more documentation on how the firewalling of pfSense works. Anyway, thank you very much for your advice; this points me in a direction that I need to look at in my pfSense rules.

Derelict (Netgate)

Easy Rules did not set the load-balancing policy routing there.

                  Policy routing is probably your enemy.

                  https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

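To make the two points in Derelict's replies concrete (a local-source rule on the IPsec tab can never match, and a rule with a gateway set policy-routes traffic before IPsec sees it), here is an added example that is not part of the thread and not pfSense code: a small first-match model of the rule set as described, a lint for those mistakes, and the gateway-less bypass rule the linked doc recommends. The interface name `LAN36`, the gateway group name `LB_GROUP` and the rule table are constructed assumptions.

```python
import ipaddress as ipa

# Constructed model of the thread's rule set (hypothetical; not a pfSense export).
LOCAL = [ipa.ip_network("192.168.36.0/24"), ipa.ip_network("192.168.16.0/24")]
REMOTE = [ipa.ip_network("192.168.13.0/24")]

def rule(iface, src, dst, gateway=None):
    return {"iface": iface, "src": ipa.ip_network(src),
            "dst": ipa.ip_network(dst), "gateway": gateway}

# IPsec-tab rules as Derelict describes them, plus a policy-routed LAN rule
# ("LB_GROUP" stands in for the gateway group mentioned in the thread).
RULES = [
    rule("IPsec", "192.168.36.0/24", "0.0.0.0/0"),                   # never matches
    rule("IPsec", "192.168.13.0/24", "192.168.16.0/24", "LB_GROUP"), # policy-routed
    rule("IPsec", "192.168.13.0/24", "0.0.0.0/0"),                   # the one needed
    rule("LAN36", "192.168.36.0/24", "0.0.0.0/0", "LB_GROUP"),       # LAN egress via group
]

def first_match(rules, iface, src, dst):
    """pf evaluates top-down; the first matching rule on the interface wins."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for r in rules:
        if r["iface"] == iface and s in r["src"] and d in r["dst"]:
            return r
    return None

def covered_earlier(earlier, iface, net):
    """True if a gateway-less rule above already passes traffic to `net`."""
    return any(p["iface"] == iface and p["gateway"] is None
               and net.subnet_of(p["dst"]) for p in earlier)

def lint(rules):
    """Flag the mistakes the thread points out, as (rule number, finding)."""
    out = []
    for i, r in enumerate(rules, 1):
        if r["iface"] == "IPsec" and any(r["src"].subnet_of(n) for n in LOCAL):
            out.append((i, "local-source-on-ipsec"))        # no such traffic arrives here
        elif r["iface"] == "IPsec" and r["gateway"]:
            out.append((i, "gateway-on-ipsec-rule"))        # replies sent out the gateway
        elif r["gateway"] and any(r["dst"].overlaps(n) and
                                  not covered_earlier(rules[:i - 1], r["iface"], n)
                                  for n in REMOTE):
            out.append((i, "policy-route-bypasses-ipsec"))  # routed before IPsec sees it
    return out

def with_bypass(rules, iface, local, remote):
    """Apply the doc's fix: a gateway-less pass rule above the policy-routed one."""
    fixed = list(rules)
    idx = next(i for i, r in enumerate(fixed) if r["iface"] == iface and r["gateway"])
    fixed.insert(idx, rule(iface, local, remote))
    return fixed
```

Running `lint(RULES)` flags rules 1, 2 and 4; after `with_bypass(RULES, "LAN36", "192.168.36.0/24", "192.168.13.0/24")` a LAN packet for 192.168.13.x matches the gateway-less rule first, so it is left to the IPsec tunnel instead of the gateway group.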
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.