Can I route internet traffic from site B through site A via Ipsec VTI?
-
Good afternoon. I've got an Ipsec VTI connection which has successfully allowed me to administer devices in site B and site A locations. What I'd like to do now is policy route internet traffic from site B through site A. Is this a feature supported by pfsense/VTI connections? If so, would someone be able to outli e what you'd do to implement? I've some ideas but wouldnt mind hearing from someone smarter than me.
Thanks!
-
I've made progress and have it working mostly. However the site A side has all sorts of firewall alerts indicating that it's blocking many outside ip address connections to the site B ip address of my device. This is resulting in images not loading and/or other issues. I have a permit any to any rule on the ipsec firewall tab so I'm confused why it's doing this. Has anyone else encountered this before?
-
Have you checked
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html
and
https://www.netgate.com/resources/videos/routed-ipsec-on-pfsense-244.html ?-Rico
-
Yes sir. I've looked at both and have a successful connection between site A and B. At site B I go to the Firewall -> rules -> LAN and set the gateway for my computer and my phone to the VTI gateway. I have the NAT at Site A to allow VTI and Site B subnet out through WAN. I am able to pass internet traffic but random sites such as fast.com won't work. Pics won't display in twitter. Ping times are a little high due to the distance 7000 mile distance between me and Site A, as well as the less than stellar internet service here sometimes. The firewall log for Site A show all sorts of rejections on the Ipsec interface, despite the fact that I have a allow all from any to any rule in place on the ipsec firewall rule tab. Even if I make an exception for the event (ip address, port) that is causing the issue and add it to the ipsec rule tab, it never seems to hit as the event will continue to be blocked by the firewall. I would instead expect to see evidence of state changes, as well as data passed. I just can't figure out why the firewall is stopping so many connection attempts and believe this is the source of the anomalies I am seeing. Thoughts?
Screenshot of NAT at Site A. 10.0.5.2 is the Site B VTI ip (10.0.5.1 is Site A), 192.168.2.0/24 is the Site B subnet on which my device resides. Don't worry about the 192.168.40.0/24
Screenshot of Ipsec firewall rule at Site A
Screenshot of firewall errors at Site A
-
@ngoehring123
Hey.
By default, all outgoing traffic is allowed.pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE"What I see means that the traffic is blocked at the output from the IPSEC interface. There may be a floating rule that blocks traffic. If you click on the red cross (FIREWALL LOG), what will PFSense show ?
-
Here's the rule it says is cashing the event. Default deny though I'm confused how that is if I set an any to any rule.
-
Noticed that the screenshot I took had a lot of private to private network events. Here's one more that shows internet to device events. Same rule.
-
@ngoehring123 said
Very strange.
104 the rule blocks all outgoing traffic, but it should not work
Try to do that is a floating rule for the IPSEC or VTI interface
-
Done. See the below screenshots just to make sure I didn't do something wrong. No advance setting changes were made.
-
Still seeing the same issue flagging on the same rule.
-
@ngoehring123 said in Can I route internet traffic from site B through site A via Ipsec VTI?:
Still seeing the same issue flagging on the same rule.
And if you check QUICK ?
-
Same deal - logs are on fire. I really wonder if I'm trying something that isn't fully implemented in pfsense/freebsd. I've done a ton of web searches and haven't been able to find anything that matches. Part of me wonders if site A forgets or cannot remember/track the connection and so when something comes back from the internet the router at site A it says "what's this request for 192.168.2.2?" and then blocks it or parts of it.
-
@ngoehring123
The first time such see
Show me what the command shows
pfctl -sr | grep enc0
(WebGUI /Diagnostics/Command Prompt/) -
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass quick on enc0 inet all flags S/SA keep state label "USER_RULE"
pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE" -
@ngoehring123
And still try in floating rule put option TCP Flags - ANY Flags and State type None
-
So firewall is still having events however now the interface has changed from ipsec to IPSEC_VTI. ???
-
@ngoehring123 said in Can I route internet traffic from site B through site A via Ipsec VTI?:
IPSEC_VTI
That's the same floating rule , but for IPSEC_VTI ?
There will be two identical rules , one for IPSEC and the other for VTI -
I just have the one floating rule for ipsec. When I made those last changes you suggested the firewall errors started saying IPSEC_VTI instead of ipsec. I had to disable those last changes as they resulted in me losing access to the remote router. Thank goodness for openvpn.
-
@ngoehring123
Excuse. I didn't think there would be such a result. I have no more ideas )))
-
No worries my friend. Your time and effort is greatly appreciated. Here's to hoping this gets sorted out soon. I'll be sure to share the fix with you. Thanks again!
-
@ngoehring123
I would consider an option of the usual IPSEC tunnel, through it too it is possible to pass a traffic outside.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html
-
I had thought of doing that as well but really like the routed option more due to its flexibility and power. Perhaps @jimp has some tips for me.
-
The really weird thing now is that my phone says I have no internet connection yet here I am writing to you and browsing the internet. Something is ascew...
-
@ngoehring123
That's possible. I myself use the GRE over IPSEC option and do not want to switch to VTI yet.
Will wait to hear other forum members -
@ngoehring123
In this forum, I read that some remove the VTI interface, re-create the tunnel , and the problems are solved -
I'll give that a go. After everything else, it won't hurt!
-
Hi,
I have the exactly same problem, did you get find any solution? -
I did not. Last thing I tried was to remove the interface, delete the static routes, and the remove the p1 and p2 and do it all over again. No luck. So I went back to openvpn. I was super excited to use the ipsec route instead due to the better throughput and all.
-
Openvpn is cool , but unfortunately Iran's government filter it here, so we must find another solution.
-
Yeah I'm in a part of the world where I want the anonymity as well. Have you tried openvpn on port 443? Or does Iran filter on something more specific?
-
@ngoehring123 Tried that either
-
Trying to get this working between China and USA.
I've got a stable VTI network, and traffic passes successfully between the machines on both LAN ends.I create a LAN rule on the China router to use the gateway on the USA router, and it looks like some traffic is tunneled through, but not everything.
Webpages from a laptop can load some elements, but not all; and webpages from a phone don't work much at all.
I had this working on the old IPSEC with the 0.0.0.0/0 phase 2, but I really want to change over to routed IPSEC to address some other issues.
-
https://forum.netgate.com/post/862316
-
Ok, all that blocked traffic you're seeing is TCP flagged traffic that is out of state. It's either blocked because the states have already closed, probably the case on that :PA traffic, ot because the states were never opened, usually due to rouet asymmetry.
https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html
You should be trying to find out why that is happening not just trying to pass the traffic anyway. Remove any floating rules you added there. You should not be seeing asymmetric traffic if this is setup correctly.
I assume pings work fine from the policy routed clients?
If you run a packet capture do you see both requests and replies at all points in the path?
Steve
