Netgate Discussion Forum
    Default firewall policy blocking stuff

    Category: Firewalling
    3 Posts 2 Posters 888 Views
    Honest Bob

      Hey guys, I'm having an issue with pfSense blocking traffic on a site-to-site IPsec tunnel.

      There is a Cisco ASA 5512x (172.21.36.0/255.255.254.0) on one end and a pfSense box (192.168.25.1/255.255.255.192) at the remote site.

      I have AD domain controllers on both sides of the tunnel that are trying to replicate but are getting RPC errors.

      I can ping and DNS is working perfectly from both sides; however, I can see in the firewall logs that pfSense is blocking the domain controller on the remote site (192.168.25.5) from contacting the domain controller at the main site (172.21.37.29).

      I set up a gateway, static route, and IPsec rule but I'm missing something.

      Help!
      Attachments (screenshots): firewall blocking.jpg, gateway.jpg, nat.jpg, nat2.jpg, rule.jpg, static route.jpg

    Honest Bob

        I'm guessing this should probably be moved to the firewalling section as it's not an IPsec issue per se.

        Attachment (screenshot): firewall blocking.jpg

    viragomann

          The blocks shown in the log are out of state and are blocked by the default deny rule.
          Maybe it's a kind of asymmetric routing. Here is some help for this: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

          The static route and the gateway should not be needed in an IPsec setup. The routing options are set in the IPsec phase 2 settings.

          The IPsec gateway is pure nonsense anyway. A gateway on the LAN interface with the LAN address? ::)

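Added example, not written by anyone in this thread: a small checker that confirms the "out of state" diagnosis from pfSense's raw filter log instead of from screenshots. It parses filterlog lines in pfSense's documented CSV field order, keeps only blocks between the two site subnets given in the question, and labels a blocked TCP packet that carries no SYN as out-of-state (pf creates state on the SYN, so a bare ACK/PSH/FIN hitting the default deny is the classic asymmetric-routing signature), while a blocked SYN or UDP packet points at a missing pass rule. The log lines are constructed samples and the SYN heuristic is mine, not from the thread.

```python
import csv
import ipaddress
import re

# Subnets from the question: the ASA side and the pfSense side of the tunnel.
SITE_A = ipaddress.ip_network("172.21.36.0/23")
SITE_B = ipaddress.ip_network("192.168.25.0/26")

# Constructed sample lines (not the thread's screenshots) in pfSense's documented raw
# filterlog order: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,
# id,offset,flags,protoid,proto,len,src,dst,sport,dport,datalen,tcpflags,...
SAMPLE_LOG = """\
Jan  5 10:12:01 pfsense filterlog[1234]: 5,,,1000000103,em1,match,block,in,4,0x0,,63,41000,0,DF,6,tcp,52,192.168.25.5,172.21.37.29,49667,135,0,A,1234567,7654321,65535,,
Jan  5 10:12:02 pfsense filterlog[1234]: 5,,,1000000103,em1,match,block,in,4,0x0,,63,41001,0,DF,6,tcp,52,192.168.25.5,172.21.37.29,49667,135,0,PA,1234567,7654321,65535,,
Jan  5 10:12:03 pfsense filterlog[1234]: 5,,,1000000103,em1,match,block,in,4,0x0,,63,41002,0,DF,6,tcp,60,192.168.25.5,8.8.8.8,50000,443,0,S,1,0,65535,,mss;sackOK
Jan  5 10:12:04 pfsense filterlog[1234]: 5,,,1000000103,em1,match,block,in,4,0x0,,63,41003,0,none,17,udp,80,192.168.25.5,172.21.37.29,53000,389,60
"""

def parse_line(line):
    """Parse one IPv4 TCP/UDP filterlog line into a dict, or return None."""
    m = re.search(r"filterlog\[\d+\]: (.*)$", line)
    if not m:
        return None
    f = next(csv.reader([m.group(1)]))
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"action": f[6], "proto": f[16], "dport": int(f[21]),
            "src": ipaddress.ip_address(f[18]), "dst": ipaddress.ip_address(f[19]),
            "tcpflags": f[23] if f[16] == "tcp" else ""}

def classify(rec):
    """Why a block matters for the site-to-site case, or None if irrelevant."""
    if rec["action"] != "block":
        return None
    a, b = rec["src"], rec["dst"]
    if not ((a in SITE_A and b in SITE_B) or (a in SITE_B and b in SITE_A)):
        return None
    # Heuristic: pf creates TCP state on the SYN, so a blocked ACK/PSH/FIN with no SYN
    # had no state (asymmetric path or lost state); a blocked SYN or UDP packet is a rule gap.
    if rec["proto"] == "tcp" and "S" not in rec["tcpflags"]:
        return "out-of-state"
    return "no-matching-rule"

def audit(log_text):
    """Return (verdict, src, dst, proto, dport) for each relevant block in the log."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return [(classify(r), str(r["src"]), str(r["dst"]), r["proto"], r["dport"])
            for r in recs if classify(r)]
```

Run `audit(open("/var/log/filter.log").read())` on a real box; a stream of out-of-state verdicts for DC-to-DC traffic means the return path is bypassing the tunnel rather than a rule being missing.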
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.