Default firewall policy blocking stuff



  • Hey guys, I'm having an issue with pfSense blocking traffic on a site-to-site IPsec tunnel.

    There is a Cisco ASA 5512x (172.21.36.0/255.255.254.0) on one end and a pfSense box (192.168.25.1/255.255.255.192) at the remote site.

    I have AD domain controllers on both sides of the tunnel that are trying to replicate but are getting RPC errors.

    I can ping and DNS is working perfectly from both sides; however, I can see in the firewall logs that pfSense is blocking the domain controller on the remote site (192.168.25.5) from contacting the domain controller at the main site (172.21.37.29).

    I set up a gateway, a static route, and an IPsec rule, but I'm missing something.

    Help!
    ![firewall blocking.jpg](/public/imported_attachments/1/firewall blocking.jpg)

    ![static route.jpg](/public/imported_attachments/1/static route.jpg)



  • I'm guessing this should probably be moved to the firewalling section, as it's not an IPsec issue per se.



  • The blocks shown in the log are out of state and are blocked by the default deny rule.
    Maybe it's a kind of asymmetric routing. Here is some help for this: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

    The static route and the gateway should not be needed in an IPSec setup. The routing options are set in the IPSec phase 2 settings.

    The IPSec gateway is pure nonsense anyway. A gateway on the LAN interface with the LAN address?  ::)
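    To make the "out of state" diagnosis above concrete, here is a small added script (not from this thread or from pfSense) that reads pfSense filterlog lines and flags TCP blocks that carry no SYN, i.e. packets for a connection whose handshake the firewall never saw. The log lines are constructed, and the column layout and the default-deny tracker id are assumptions about the filterlog format.

```python
import csv
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lines in pfSense's filterlog CSV layout. Assumed layout:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,proto-id,proto,length,src,dst,sport,dport,datalen,tcpflags,...
# The tracker 1000000103 is assumed to be the default-deny rule.
SAMPLE_LOG = """\
5,,,1000000103,ipsec0,match,block,in,4,0x0,,127,33,0,DF,6,tcp,40,192.168.25.5,172.21.37.29,49158,135,0,A,,,,
5,,,1000000103,ipsec0,match,block,in,4,0x0,,127,34,0,DF,6,tcp,40,192.168.25.5,172.21.37.29,49158,135,0,PA,,,,
7,,,1000000104,ipsec0,match,pass,in,4,0x0,,127,35,0,DF,6,tcp,60,192.168.25.5,172.21.37.29,49160,389,0,S,,,,
5,,,1000000103,ipsec0,match,block,in,4,0x0,,127,36,0,DF,17,udp,78,192.168.25.5,172.21.37.29,53412,53,58
"""


@dataclass
class Block:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    flags: str
    out_of_state: bool


def parse_filterlog(text: str) -> List[Block]:
    """Return blocked entries. A TCP block whose flags lack S (SYN) is
    mid-stream: the state table has no entry, so the default deny catches it."""
    blocks: List[Block] = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 23 or row[6] != "block":
            continue
        proto = row[16]
        flags = row[23] if proto == "tcp" and len(row) > 23 else ""
        oos = proto == "tcp" and "S" not in flags
        blocks.append(Block(row[4], proto, row[18], row[19], int(row[21]), flags, oos))
    return blocks


def out_of_state_summary(blocks: List[Block]) -> Dict[Tuple[str, str, int], int]:
    """Count out-of-state TCP blocks per (src, dst, dport). Repeated hits for a
    pair that should be allowed point at asymmetric routing or a missing rule on
    the IPsec interface, not at a deliberate deny."""
    counts: Dict[Tuple[str, str, int], int] = {}
    for b in blocks:
        if b.out_of_state:
            key = (b.src, b.dst, b.dport)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for pair, n in out_of_state_summary(parse_filterlog(SAMPLE_LOG)).items():
        print(f"{pair[0]} -> {pair[1]}:{pair[2]} out-of-state blocks: {n}")
```

The first two constructed lines model the RPC endpoint-mapper traffic (port 135) between the two domain controllers arriving with ACK/PSH-ACK only, which is exactly what an asymmetric return path looks like in the log.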