IPSec traffic is still blocked even if allowed in rules



  • Hi everyone,

    We are having a DFS Replication problem on our VPN. Currently we have a site-to-site VPN connection and have set up DFS file replication from the other site to ours. But files and folders are not replicating via DFS replication. Upon checking the firewall logs, I have verified that the local IPs of the DFS server and domain controller from the other site are being blocked on the IPSec interface. I have attached a sample firewall log and the rules that I have applied on the IPSec interface.

    192.168.36.0 & 192.168.16.0 are our IP subnets
    192.168.13.0 is the other site's IP subnet

    I have allowed these IP subnets on the IPSec interface, but I'm still getting these firewall logs, and files and folders are still not replicating from or to the other site.

    Thanks in advance for your advice  ;D ;D ;D



    ![Firewall Log1.PNG](/public/imported_attachments/1/Firewall Log1.PNG)
    ![Firewall Log2.PNG](/public/imported_attachments/1/Firewall Log2.PNG)


  • Banned

    Please post a human readable screenshot of firewall logs and rules. Not the raw mess.


  • Netgate

    Obviously, you have not passed the proper traffic on the IPsec tabs on both sides. Or at least the connection destination side.



  • Apologies. I have modified my post and uploaded the images of the firewall log and the IPSec interface rules from our pfSense.


  • Netgate

    I have no idea what you are doing with all that policy routing on the IPsec tab.

    All you need to accept all connections from the other side is the third rule there.

    The IPsec tab can be thought of as an interface (it is actually an interface group, but that is just semantics). It passes connections INTO the firewall from the other side of IPsec tunnels. So you will never see traffic sourced from local subnets on that interface.

    So the first rule passing traffic sourced from local 192.168.36 makes no sense.

    The second rule is going to take traffic from 192.168.13 to 192.168.16 and send it out the loadbalancing group which is probably not what you want.

    The third rule should catch everything from the remote site.

    Look out for policy routing on the 192.168.36 and 192.168.16 interfaces. If traffic matches a policy route it will be sent to that gateway. That means it will not be interesting to IPsec, as it has already been routed.
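The two failure modes described in the post above (a LAN rule with a gateway group set that routes tunnel-bound traffic before IPsec can see it, and the three IPsec-tab rules) can be walked through with a small first-match rule evaluator. This is an added example, not code from the thread or from pfSense; the rule names, the "LoadBalance" gateway group and the host addresses are constructed.

```python
# Toy model of pfSense's top-to-bottom first-match rule evaluation.
# A rule with a gateway set is policy routed: the packet is handed to that
# gateway and never reaches the routing table, so the IPsec SPD cannot claim it.
# All rule names, the "LoadBalance" group and host addresses are constructed.
from ipaddress import ip_address, ip_network

LOCAL_LAN = ip_network("192.168.36.0/24")   # local subnet (from the thread)
LOCAL_LAN2 = ip_network("192.168.16.0/24")  # second local subnet
REMOTE = ip_network("192.168.13.0/24")      # other site's subnet
ANY = ip_network("0.0.0.0/0")


def first_match(rules, iface, src, dst):
    """Return the first rule whose interface, source and destination match, else None (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule["iface"] == iface and src in rule["src"] and dst in rule["dst"]:
            return rule
    return None


def egress(rules, iface, src, dst):
    """'drop', a gateway name (policy routed, bypasses the tunnel), or 'routing-table'."""
    rule = first_match(rules, iface, src, dst)
    if rule is None:
        return "drop"
    return rule["gw"] or "routing-table"


# Constructed LAN ruleset: one allow-all rule with the gateway group set.
BROKEN_LAN = [
    {"name": "LAN out via LB", "iface": "lan", "src": LOCAL_LAN, "dst": ANY, "gw": "LoadBalance"},
]

# Fix: a rule for the remote subnet WITHOUT a gateway, placed above the policy-routed one.
FIXED_LAN = [
    {"name": "VPN bypass", "iface": "lan", "src": LOCAL_LAN, "dst": REMOTE, "gw": None},
] + BROKEN_LAN

# Constructed IPsec-tab rules mirroring the three the post describes.
IPSEC_TAB = [
    {"name": "rule1 (never matches)", "iface": "ipsec", "src": LOCAL_LAN, "dst": ANY, "gw": None},
    {"name": "rule2 (policy routed)", "iface": "ipsec", "src": REMOTE, "dst": LOCAL_LAN2, "gw": "LoadBalance"},
    {"name": "rule3 (allow remote)", "iface": "ipsec", "src": REMOTE, "dst": ANY, "gw": None},
]

if __name__ == "__main__":
    print(egress(BROKEN_LAN, "lan", "192.168.36.10", "192.168.13.5"))  # LoadBalance
    print(egress(FIXED_LAN, "lan", "192.168.36.10", "192.168.13.5"))   # routing-table
    print(first_match(IPSEC_TAB, "ipsec", "192.168.13.5", "192.168.16.20")["name"])
```

Traffic from the remote site only ever arrives on the ipsec interface, so rule1's local source can never match there, and anything from 192.168.13.0/24 toward 192.168.16.0/24 is caught by the policy-routed rule2 before rule3 sees it.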



  • What I really did was use the Easy Rule to allow the traffic that is being blocked in the firewall logs  ;D. I'm sorry for all the noob questions ;D ;D. But I think I need to read some more documentation on how the firewalling of pfSense works. Anyway, thank you very much for your advice; this will point me in a direction that I need to look at in my pfSense rules.


  • Netgate

    Easy rules did not set the loadbalancing policy routing there.

    Policy routing is probably your enemy.

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing