Default firewall policy blocking stuff
-
Hey guys I'm having an issue with PFSense blocking traffic on a site to site ipsec tunnel.
There is a Cisco ASA 5512x (172.21.36.0/255.255.254.0) on one end and a PFSense box (192.168.25.1/255.255.255.192) at the remote site.
I have AD domain controllers on both sides of the tunnel that are trying to replicate but are getting rpc errors.
I can ping and dns is working perfectly from both sides however I can see in the firewall logs that pfsense is blocking the domain controller on the remote site (192.168.25.5) from contacting the domain controller at the main site (172.21.37.29).
I setup a gateway, static route, and ipsec rule but I'm missing something.
Help!
![firewall blocking.jpg](/public/imported_attachments/1/firewall blocking.jpg)
![static route.jpg](/public/imported_attachments/1/static route.jpg) -
I'm guessing this should probably be moved to the firewalling section as it's not an IPsec issue per se.
![firewall blocking.jpg](/public/imported_attachments/1/firewall blocking.jpg) -
The blocks shown in the log are out of state and are blocked by the default deny rule.
Maybe it's a kind of asymmetric routing. Here is some help for this: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
The static route and the gateway should not be needed in an IPsec setup. The routing options are set in the IPsec phase 2 settings.
The IPsec gateway is pure nonsense anyway. A gateway on the LAN interface with the LAN address? ::)
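As an added illustration of the "out of state" diagnosis above (example code, not from the thread or from pfSense), the script below scans pfSense filter log lines for blocked TCP packets that carry no bare SYN and groups them by interface and host pair; repeated hits between the same two hosts are the asymmetric-routing signature the reply describes. The log lines are constructed, the field layout is assumed to follow the pfSense filterlog CSV format for IPv4/TCP entries, and the addresses are the two domain controllers from the question.

```python
from collections import Counter

# Constructed sample filterlog lines (not taken from the original post).
# Field layout assumed: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,sport,dport,datalen,tcpflags,...
SAMPLE_LOG = """\
Mar 10 09:12:01 pfSense filterlog: 5,16777216,,1000000103,enc0,match,block,in,4,0x0,,127,4711,0,DF,6,tcp,52,172.21.37.29,192.168.25.5,135,49666,0,A,1111,2222,8192,,
Mar 10 09:12:01 pfSense filterlog: 5,16777216,,1000000103,enc0,match,block,in,4,0x0,,127,4712,0,DF,6,tcp,52,172.21.37.29,192.168.25.5,49155,49667,0,PA,1111,2222,8192,,
Mar 10 09:12:01 pfSense filterlog: 5,16777216,,1000000103,enc0,match,block,in,4,0x0,,127,4713,0,DF,6,tcp,60,172.21.37.29,192.168.25.5,135,49668,0,SA,1111,2222,8192,,mss
Mar 10 09:12:02 pfSense filterlog: 3,16777216,,1000000105,em1,match,pass,in,4,0x0,,128,4714,0,DF,6,tcp,60,192.168.25.5,172.21.37.29,49666,135,0,S,3333,,65535,,mss
Mar 10 09:12:05 pfSense filterlog: 5,16777216,,1000000103,enc0,match,block,in,4,0x0,,64,4715,0,DF,6,tcp,60,10.9.9.9,192.168.25.5,40000,22,0,S,4444,,29200,,mss
"""


def parse_filterlog(line):
    """Return a dict for an IPv4 TCP filterlog line, or None for anything else."""
    if "filterlog: " not in line:
        return None
    fields = line.split("filterlog: ", 1)[1].strip().split(",")
    if len(fields) < 24 or fields[8] != "4" or fields[16] != "tcp":
        return None
    return {
        "tracker": fields[3], "iface": fields[4], "action": fields[6],
        "src": fields[18], "dst": fields[19],
        "sport": int(fields[20]), "dport": int(fields[21]),
        "tcp_flags": fields[23],
    }


def is_out_of_state_block(entry):
    """pf's default rules only create state on a bare SYN; any other blocked TCP
    packet (ACK, PSH/ACK, SYN/ACK, ...) belongs to a connection pf never saw opened."""
    flags = entry["tcp_flags"]
    return entry["action"] == "block" and ("S" not in flags or "A" in flags)


def find_asymmetric_candidates(log_text):
    """Count out-of-state blocks per (interface, src, dst); repeated hits between the
    same two hosts point at a return path the firewall did not see the handshake on."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry and is_out_of_state_block(entry):
            counts[(entry["iface"], entry["src"], entry["dst"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (iface, src, dst), n in find_asymmetric_candidates(SAMPLE_LOG).items():
        print(f"{n} out-of-state block(s) on {iface}: {src} -> {dst}")
```

The plain SYN from 10.9.9.9 is a normal default-deny hit and is not reported; only the mid-connection packets arriving over the tunnel interface are.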