    Can I route internet traffic from site B through site A via Ipsec VTI?

    IPsec
gabacho4 (Rebel Alliance):

Good afternoon. I've got an IPsec VTI connection which has successfully allowed me to administer devices in the site B and site A locations. What I'd like to do now is policy route internet traffic from site B through site A. Is this a feature supported by pfSense/VTI connections? If so, would someone be able to outline what you'd do to implement it? I've some ideas but wouldn't mind hearing from someone smarter than me.

Thanks!
gabacho4 (Rebel Alliance):

I've made progress and have it working mostly. However, the site A side has all sorts of firewall alerts indicating that it's blocking many outside IP address connections to the site B IP address of my device. This is resulting in images not loading and/or other issues. I have a permit any to any rule on the IPsec firewall tab, so I'm confused why it's doing this. Has anyone else encountered this before?
Rico (LAYER 8, Rebel Alliance):

Have you checked
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html
and
https://www.netgate.com/resources/videos/routed-ipsec-on-pfsense-244.html ?

-Rico

2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100
gabacho4 (Rebel Alliance):

Yes sir. I've looked at both and have a successful connection between site A and B. At site B I go to Firewall -> Rules -> LAN and set the gateway for my computer and my phone to the VTI gateway. I have the NAT at Site A set to allow the VTI and Site B subnet out through WAN. I am able to pass internet traffic, but random sites such as fast.com won't work. Pics won't display in Twitter. Ping times are a little high due to the 7,000 mile distance between me and Site A, as well as the less than stellar internet service here sometimes. The firewall log for Site A shows all sorts of rejections on the IPsec interface, despite the fact that I have an allow all from any to any rule in place on the IPsec firewall rule tab. Even if I make an exception for the event (IP address, port) that is causing the issue and add it to the IPsec rule tab, it never seems to hit, as the event will continue to be blocked by the firewall. I would instead expect to see evidence of state changes, as well as data passed. I just can't figure out why the firewall is stopping so many connection attempts and believe this is the source of the anomalies I am seeing. Thoughts?

Screenshot of NAT at Site A. 10.0.5.2 is the Site B VTI IP (10.0.5.1 is Site A); 192.168.2.0/24 is the Site B subnet on which my device resides. Don't worry about the 192.168.40.0/24. (image: 2_1552757277181_NAT.PNG)

Screenshot of IPsec firewall rule at Site A (image: 0_1552757277180_firewall rule.PNG)

Screenshot of firewall errors at Site A (image: 0_1552757522886_firewall.PNG)
Konstanti (in reply to gabacho4):

@ngoehring123
Hey.
By default, all outgoing traffic is allowed.

    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE"

What I see means that the traffic is blocked at the output of the IPsec interface. There may be a floating rule that blocks traffic. If you click on the red cross (FIREWALL LOG), what will pfSense show?
gabacho4 (Rebel Alliance):

Here's the rule it says is causing the event. Default deny, though I'm confused how that is if I set an any to any rule.

(image: 0_1552805244707_Screenshot_20190317-094543.png)
gabacho4 (Rebel Alliance):

Noticed that the screenshot I took had a lot of private to private network events. Here's one more that shows internet to device events. Same rule.

(image: 0_1552805426962_Screenshot_20190317-094842.png)
Konstanti (in reply to gabacho4):

@ngoehring123 said

Very strange.
Rule 104 blocks all outgoing traffic, but it should not.
Try making a floating rule for the IPSEC or VTI interface.

(image: 0_1552806119569_d3b6c3c5-1632-4b9e-9a02-4b7f4614d0d2-image.png)
gabacho4 (Rebel Alliance):

Done. See the below screenshots just to make sure I didn't do something wrong. No advanced settings changes were made.

(image: 0_1552807401617_Screenshot_20190317-102203.png)

(image: 0_1552807415542_Screenshot_20190317-102211.png)
gabacho4 (Rebel Alliance):

Still seeing the same issue flagging on the same rule.
Konstanti (in reply to gabacho4):

@ngoehring123 said in Can I route internet traffic from site B through site A via Ipsec VTI?:

> Still seeing the same issue flagging on the same rule.

And if you check QUICK?

(image: 0_1552815954333_a998472a-acac-417f-9f6f-dd8880051798-image.png)
gabacho4 (Rebel Alliance):

Same deal - logs are on fire. I really wonder if I'm trying something that isn't fully implemented in pfSense/FreeBSD. I've done a ton of web searches and haven't been able to find anything that matches. Part of me wonders if site A forgets or cannot remember/track the connection, and so when something comes back from the internet the router at site A says "what's this request for 192.168.2.2?" and then blocks it or parts of it.
Konstanti (in reply to gabacho4):

@ngoehring123

The first time I see such a thing.
Show me what this command shows:

    pfctl -sr | grep enc0

(WebGUI / Diagnostics / Command Prompt)
gabacho4 (Rebel Alliance):

    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE"
Konstanti (in reply to gabacho4):

@ngoehring123
And also try, in the floating rule, setting the option TCP Flags to Any flags and State type to None.

(image: 0_1552822693658_51aa4678-b306-41e0-9c4a-dff2d33933ee-image.png)
gabacho4 (Rebel Alliance):

So the firewall is still logging events; however, now the interface has changed from ipsec to IPSEC_VTI. ???

(image: 0_1552823544610_Screenshot_20190317-145104.png)
Konstanti (in reply to gabacho4):

@ngoehring123 said in Can I route internet traffic from site B through site A via Ipsec VTI?:

> IPSEC_VTI

That's the same floating rule, but for IPSEC_VTI?
There will be two identical rules, one for IPSEC and the other for VTI.
gabacho4 (Rebel Alliance):

I just have the one floating rule for ipsec. When I made those last changes you suggested, the firewall errors started saying IPSEC_VTI instead of ipsec. I had to disable those last changes as they resulted in me losing access to the remote router. Thank goodness for OpenVPN. 😊
Konstanti (in reply to gabacho4):

@ngoehring123

Sorry. I didn't think there would be such a result. I have no more ideas )))
gabacho4 (Rebel Alliance):

No worries my friend. Your time and effort are greatly appreciated. Here's to hoping this gets sorted out soon. I'll be sure to share the fix with you. Thanks again!
Konstanti (in reply to gabacho4):

@ngoehring123

I would consider the option of a usual IPsec tunnel; through it, too, it is possible to pass traffic outside.

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html
gabacho4 (Rebel Alliance):

I had thought of doing that as well, but really like the routed option more due to its flexibility and power. Perhaps @jimp has some tips for me.
gabacho4 (Rebel Alliance):

The really weird thing now is that my phone says I have no internet connection, yet here I am writing to you and browsing the internet. Something is askew...
Konstanti (in reply to gabacho4):

@ngoehring123

That's possible. I myself use the GRE over IPsec option and do not want to switch to VTI yet.
I will wait to hear from other forum members.
Konstanti (in reply to gabacho4):

@ngoehring123
In this forum, I read that some remove the VTI interface, re-create the tunnel, and the problems are solved.
gabacho4 (Rebel Alliance):

I'll give that a go. After everything else, it won't hurt!
saeed:

Hi,
I have exactly the same problem; did you find any solution?
gabacho4 (Rebel Alliance):

I did not. The last thing I tried was to remove the interface, delete the static routes, and then remove the P1 and P2 and do it all over again. No luck. So I went back to OpenVPN. I was super excited to use the IPsec route instead due to the better throughput and all.
saeed:

OpenVPN is cool, but unfortunately Iran's government filters it here, so we must find another solution.
gabacho4 (Rebel Alliance):

Yeah, I'm in a part of the world where I want the anonymity as well. Have you tried OpenVPN on port 443? Or does Iran filter on something more specific?
saeed (in reply to gabacho4):

@ngoehring123 Tried that too.
ccb056:

Trying to get this working between China and USA.
I've got a stable VTI network, and traffic passes successfully between the machines on both LAN ends.

I create a LAN rule on the China router to use the gateway on the USA router, and it looks like some traffic is tunneled through, but not everything.

Webpages from a laptop can load some elements, but not all; and webpages from a phone don't work much at all.

I had this working on the old IPsec with the 0.0.0.0/0 phase 2, but I really want to change over to routed IPsec to address some other issues.
Derelict (LAYER 8, Netgate):

https://forum.netgate.com/post/862316

Chattanooga, Tennessee, USA
The pfSense Book is free of charge!
DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
stephenw10 (Netgate Administrator):

Ok, all that blocked traffic you're seeing is TCP flagged traffic that is out of state. It's either blocked because the states have already closed, probably the case on that :PA traffic, or because the states were never opened, usually due to route asymmetry.

https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html

You should be trying to find out why that is happening, not just trying to pass the traffic anyway. Remove any floating rules you added there. You should not be seeing asymmetric traffic if this is set up correctly.

I assume pings work fine from the policy routed clients?

If you run a packet capture, do you see both requests and replies at all points in the path?

Steve
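Steve's diagnosis above (blocked entries on enc0 are non-SYN TCP packets that pf has no state for, not packets that a pass rule failed to match) is something that can be checked mechanically rather than by eye. The script below is an added example and not part of this thread or of pfSense; it assumes the pfSense filterlog CSV field layout for IPv4 TCP records (rule-number, sub-rule, anchor, tracker, real-interface, reason, action, direction, ip-version, IPv4 header fields, protocol, length, src, dst, sport, dport, data-length, tcp-flags, ...). The log lines, addresses and tracker values embedded in it are constructed for the example. It splits blocked TCP records into two kinds: a bare SYN, which a rule genuinely rejected, and everything else (A, PA, FA, R and the like), which is traffic belonging to a session pf never created or has already closed a state for, the signature of route asymmetry or an expired state.

```python
"""Triage blocked TCP packets in a pfSense filterlog (added example).

Assumed field layout: the pfSense filterlog CSV format for IPv4 TCP
records. The sample lines in SAMPLE_LOG are constructed for this example.
"""
import csv
from collections import Counter
from dataclasses import dataclass

# Column positions in an IPv4 TCP filterlog record (assumed layout):
# 0 rule-number, 3 tracker, 4 real-interface, 6 action, 7 direction,
# 8 ip-version, 16 protocol-text, 18 src, 19 dst, 20 sport, 21 dport,
# 23 tcp-flags in pf notation (S, A, P, F, R, ...).
IFACE, ACTION, DIRECTION, IPVER, PROTO = 4, 6, 7, 8, 16
SRC, DST, SPORT, DPORT, TCP_FLAGS = 18, 19, 20, 21, 23

# Constructed sample log: a device at 192.168.2.2 behind the VTI, with
# replies from the internet arriving on enc0 without a matching state.
SAMPLE_LOG = [
    "5,,,1000000103,enc0,match,block,in,4,0x0,,53,12345,0,DF,6,tcp,52,203.0.113.10,192.168.2.2,443,51234,0,PA,1,2,1024,,",
    "5,,,1000000103,enc0,match,block,in,4,0x0,,53,12346,0,DF,6,tcp,40,203.0.113.10,192.168.2.2,443,51234,0,A,1,2,1024,,",
    "5,,,1000000103,enc0,match,block,in,4,0x0,,53,12347,0,DF,6,tcp,40,203.0.113.11,192.168.2.2,443,51240,0,FA,1,2,1024,,",
    "5,,,1000000103,enc0,match,block,in,4,0x0,,128,1,0,DF,6,tcp,60,192.168.2.2,198.51.100.7,50000,443,0,S,1,,65535,,mss",
    # UDP record: not TCP, so it is ignored by the TCP triage below
    "7,,,1000000104,enc0,match,block,in,4,0x0,,64,9,0,DF,17,udp,76,192.168.2.2,198.51.100.53,5000,53,56",
    # Blocked SYN on a different interface: kept unless an iface filter is given
    "5,,,1000000103,igb1,match,block,in,4,0x0,,55,77,0,DF,6,tcp,60,198.51.100.9,203.0.113.5,40000,22,0,S,9,,65535,,mss",
]


@dataclass(frozen=True)
class Blocked:
    iface: str
    direction: str
    src: str      # "address:port"
    dst: str      # "address:port"
    flags: str
    kind: str     # "new-connection" or "out-of-state"


def classify_flags(flags: str) -> str:
    """A bare SYN is a genuine new connection that a rule rejected.

    Anything else (A, PA, FA, R, SA, ...) is a packet from a session that
    pf holds no state for: the state already closed, or the handshake took
    a path through which this packet's state was never created.
    """
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"


def parse_blocked_tcp(lines, iface=None):
    """Return Blocked records for every blocked IPv4 TCP packet in `lines`.

    `iface` optionally restricts the result to one real interface (e.g. enc0).
    Records that are too short, not blocked, not IPv4 or not TCP are skipped.
    """
    out = []
    for row in csv.reader(lines):
        if len(row) <= TCP_FLAGS:
            continue
        if row[ACTION] != "block" or row[IPVER] != "4" or row[PROTO] != "tcp":
            continue
        if iface and row[IFACE] != iface:
            continue
        flags = row[TCP_FLAGS]
        out.append(Blocked(
            iface=row[IFACE],
            direction=row[DIRECTION],
            src=f"{row[SRC]}:{row[SPORT]}",
            dst=f"{row[DST]}:{row[DPORT]}",
            flags=flags,
            kind=classify_flags(flags),
        ))
    return out


def summarize(lines, iface=None):
    """Count blocked TCP packets by kind and by flag set, and list the peers
    whose out-of-state packets were dropped (the remote ends whose replies
    never matched a state; the first place to look for asymmetric routing)."""
    entries = parse_blocked_tcp(lines, iface)
    return {
        "by_kind": Counter(e.kind for e in entries),
        "by_flags": Counter(e.flags for e in entries),
        "out_of_state_peers": sorted(
            {e.src.rsplit(":", 1)[0] for e in entries if e.kind == "out-of-state"}
        ),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, iface="enc0")
    for kind, count in report["by_kind"].items():
        print(f"{kind:16} {count}")
    print("flag sets seen:", dict(report["by_flags"]))
    print("out-of-state peers:", report["out_of_state_peers"])
```

On a real box the input would be the output of `clog /var/log/filter.log` (or the raw `filterlog` syslog lines) filtered to the interface in question; a high out-of-state count with a near-zero new-connection count is exactly the pattern Steve describes, and the fix is in the routing and NAT, not in an extra floating pass rule.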