Netgate Discussion Forum
    IPSEC VPN traffic to remote BINAT network only pings

    2.4 Development Snapshots. 3 Posts, 2 Posters, 1.2k Views
    tadaog:

      IPSEC VPN traffic to remote BINAT network succeeds in pinging remote addresses that are BINAT'ed, but TCP traffic doesn't flow with pfSense 2.4 (the same configuration works flawlessly with 2.3.2 pfSense).

      This problem only occurs if there is a BINAT translation.

      For example, if in the remote site there is a 192.168.0.0/24 network BINAT'ed to 192.168.72.0/24 for our local side, and there is a 192.168.0.100 server there.

      Disparando 192.168.72.100 com 32 bytes de dados:
      Resposta de 192.168.72.100: bytes=32 tempo=10ms TTL=126
      Resposta de 192.168.72.100: bytes=32 tempo=9ms TTL=126
      Resposta de 192.168.72.100: bytes=32 tempo=10ms TTL=126
      Resposta de 192.168.72.100: bytes=32 tempo=12ms TTL=126

      Estatísticas do Ping para 192.168.72.100:
          Pacotes: Enviados = 4, Recebidos = 4, Perdidos = 0 (0% de perda),
      Aproximar um número redondo de vezes em milissegundos:
          Mínimo = 9ms, Máximo = 12ms, Média = 10ms

      But any other TCP connection cannot be established, for example, if I test for RDP:

      [tadaog.XXX6] ➤ telnet 192.168.72.100 3389
      Trying 192.168.72.100…
      telnet: Unable to connect to remote host: Connection timed out

      To illustrate, with pfSense 2.3.2 Release P1 it connects:

      [2017-02-10 23:39.29]  ~
      [tadaog.XXX6] ➤ telnet 192.168.72.100 3389
      Trying 192.168.72.100…
      Connected to 192.168.72.100.
      Escape character is '^]'.


      jimp (Rebel Alliance Developer, Netgate):

        What do your entries in the states table look like for this traffic?

        There are a couple tickets about IPsec states not being handled properly on 2.4 that we're still investigating:

        https://redmine.pfsense.org/issues/6937
        https://redmine.pfsense.org/issues/7015

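        One way to answer jimp's question about the state table in a repeatable way. This is an added diagnostic written for this thread, not code from the original posts, pfSense or Netgate: it parses `pfctl -ss` style lines (interface, protocol, endpoints with an optional pre-NAT address in parentheses, direction arrow, then `srcstate:dststate`) and summarises the entries for one host, so an "ICMP has a state, TCP never leaves SYN_SENT" pattern like the one reported above stands out. The sample lines, the interface and host names, and the function names are constructed assumptions; it reads a real dump from a file path given on the command line if you pass one.

```python
"""Summarise pf state entries for one host from `pfctl -ss` output."""
import re
import sys

# Constructed sample in pfctl -ss form (hypothetical; not taken from the thread).
# Format per line:
#   <iface> <proto> <addr>[:port] [(<pre-NAT addr>)] -> | <- <addr>[:port]   <src-state>:<dst-state>
SAMPLE_STATES = """\
enc0 icmp 10.10.10.5:1 -> 192.168.72.100:1       0:0
enc0 tcp 10.10.10.5:51234 -> 192.168.72.100:3389       SYN_SENT:CLOSED
enc0 tcp 10.10.10.5:51240 -> 192.168.72.100:3389       SYN_SENT:CLOSED
lan tcp 10.10.10.5:51300 -> 192.168.72.50:445       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.10:60001 (10.10.10.7:60001) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>\S+)\))?\s+"
    r"(?P<dir><->|<-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>\S+)\))?\s+"
    r"(?P<state>\S+)\s*$"
)


def split_host(endpoint):
    """'192.168.72.100:3389' -> ('192.168.72.100', 3389). IPv4 only; a bare
    address (no port) comes back with port None."""
    if endpoint.count(":") == 1:
        addr, port = endpoint.rsplit(":", 1)
        return addr, int(port)
    return endpoint, None


def parse_states(text):
    """Parse every line that matches the pfctl -ss layout; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        left_addr, left_port = split_host(m["left"])
        right_addr, right_port = split_host(m["right"])
        src_state, _, dst_state = m["state"].partition(":")
        entries.append({
            "iface": m["iface"], "proto": m["proto"], "dir": m["dir"],
            "left": left_addr, "left_port": left_port, "left_orig": m["left_orig"],
            "right": right_addr, "right_port": right_port, "right_orig": m["right_orig"],
            "src_state": src_state, "dst_state": dst_state,
        })
    return entries


def summarize_host(entries, host):
    """Count the states that involve `host`, split by protocol and, for TCP,
    by whether the handshake completed."""
    summary = {"icmp": 0, "udp": 0, "tcp_established": 0, "tcp_half_open": 0, "tcp_other": 0}
    for e in entries:
        if host not in (e["left"], e["right"]):
            continue
        if e["proto"] == "icmp":
            summary["icmp"] += 1
        elif e["proto"] == "udp":
            summary["udp"] += 1
        elif e["proto"] == "tcp":
            pair = (e["src_state"], e["dst_state"])
            if pair == ("ESTABLISHED", "ESTABLISHED"):
                summary["tcp_established"] += 1
            elif "SYN_SENT" in pair and set(pair) <= {"SYN_SENT", "CLOSED"}:
                # SYN went out, nothing came back: the reply never reached this state
                summary["tcp_half_open"] += 1
            else:
                summary["tcp_other"] += 1
    return summary


def diagnose(entries, host):
    """Reduce the summary to one label a reader can act on."""
    s = summarize_host(entries, host)
    if s["tcp_established"]:
        return "tcp-ok"
    if s["icmp"] and s["tcp_half_open"]:
        return "icmp-only"  # the symptom in this thread: pings answer, TCP handshakes never complete
    if not any(s.values()):
        return "no-states"  # nothing created a state at all: look at rules and routing first
    return "inconclusive"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_STATES
    target = sys.argv[2] if len(sys.argv) > 2 else "192.168.72.100"
    parsed = parse_states(text)
    print(target, summarize_host(parsed, target), diagnose(parsed, target))
```

        Run it as `python3 states.py /path/to/pfctl-ss.txt 192.168.72.100` against a saved `pfctl -ss` dump; with no arguments it runs on the constructed sample. A half-open TCP state alongside a working ICMP state narrows the fault to the return path for that TCP flow rather than to reachability of the BINAT'ed address itself.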

        tadaog:

          jimp:

          Your floating rule workaround gets the problem temporarily fixed and all requested traffic flows flawlessly!

          https://forum.pfsense.org/index.php?topic=117827

          It seems related!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.