Access printer from foreign network over IPSEC (multiple locations)



  • hi,

    I have the following situation:
    voorbeeld.jpg

    We need to access the printers on Location2 from the customer network (LAN2) on Location1.

    I created an IPSEC Phase 2 10.130.78.129/25 – 10.130.76.129/25 to access the 10.130.76.129/25 network from location2.
    I'm able to ping from LAN2 on location2 to 10.130.76.132 (LAN2 on location1), but I'm not able to reach the printers.

    To be able to access the printers I created a 1:1 NAT mapping on interface LAN2 from 10.130.78.137 to 192.168.41.15, but this is not working. In the traffic monitor I see the traffic leaving LAN2 but not getting a reply (only outgoing traffic).

    I also tried this with port forwarding, same result.

    How could I solve this problem?



  • @bashuis
    Hey
    To access printers from a remote network (10.130.76.128/25)
    I would do it like this:
    phase 2 pfsense02
    Mode Tunnel IPv4
    Local network Network 192.168.41.0/24 ( Lan1 net)
    Remote network Network 10.130.76.128/25

    phase 2 pfsense01

    Mode Tunnel IPv4
    Local network Network 10.130.76.128/25 (Lan2 net)
    Remote network Network 192.168.41.0/24

    In this case, all traffic from LAN2 pfsense01 to LAN1 pfsense02 will pass through the IPSEC tunnel

    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

    or If you use Route-based IPsec (VTI)
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html

    Youtube Video



  • @Konstanti said in Access printer from foreign network over IPSEC (multiple locations):

    om LAN2 pfsense01 to LAN1 pfsense02 will pass through the IPSEC tunnel

    Hi,

    Thanks for the reply.

    I changed the P2 (and rebooted the firewall because the IPSEC becomes unstable before reboot) and it works. I can reach 192.168.41.15 from the subnet 10.130.76.132/25 (tested with a PC in the LAN2 subnet).

    I've set up port mapping (interface: LAN2)
    eaf63a5e-7ffc-439f-98e8-5b1cc740915b-image.png
    This is working, I can now reach the printer (192.168.41.15) via the forwarded IP (10.130.76.136) (tested with a PC in the LAN2 subnet).

    Now I have a new problem. The traffic from the customer comes from the subnet 172.16.0.0/24, see below:
    voorbeeld.jpg

    I see traffic arriving from e.g. 172.16.0.25 with destination 10.130.76.136, but that is not working. The traffic arrives at pfsense01 (traffic capture on interface LAN2 of pfsense01):
    05b475a0-8ac0-458c-bfca-98ea8e10ab13-image.png

    I think the problem is that the P2 does not know subnet 172.16.0.0/24, so the traffic is not coming back from location2.

    To solve this I created an outbound NAT rule to NAT all traffic from 172.16.0.0/24 to the interface address of LAN2:
    59ab3f12-9afb-452b-8371-d7d1203973c0-image.png
    (Interface: LAN2, NAT Address: LAN2 address)

    Is this the way to solve this? Am I doing something wrong?



    Anyone have an idea?

    When I do packet capturing on LAN2 on pfsense01 I see the following:
    0bb2af83-441a-42fb-80ee-43e129db334a-image.png



  • @bashuis said in Access printer from foreign network over IPSEC (multiple locations):

    When I do packet capturing on LAN2 on pfsense01 I see the following:

    Where did the 172.16.0.26 IP come from? That's not in your network diagram.



  • @conor said in Access printer from foreign network over IPSEC (multiple locations):

    Where did the 172.16.0.26 IP come from? That's not in your network diagram.

    Sorry, I see it now, it's up in the top right.



  • @conor
    The pfSense01 routing table is only aware of its directly connected local subnets. 172.16.0.0/24 isn't directly connected, so when it doesn't have a directly connected subnet it checks its routing table to see if there is a route for that subnet; if that is not there, then it will send out via the default gateway, aka WAN. Add a route for the 172.16.0.0/24 subnet out the Em2 interface with a next hop address of the customer router on LAN2.



  • @conor

    I did create a static route on pfsense01 (location1):
    (gateway: LAN2)
    cf595ee7-e4c0-4765-888e-f81e7f188fe0-image.png

    This will route the traffic in location1 back to the customer network. I think the problem is that location2 does not know this interface.

    I cannot add the route to pfsense02 (location2) because I cannot create a gateway on the IPsec interface to route the traffic to 172.16.0.0/24 back to pfsense01.



  • @bashuis

    Your gateway is wrong though, that should not be .129 but .132.



    Can you ping 10.130.76.129 from 172.16.0.0/24?



    I ran packet capturing on LAN2 (pfsense01) and I see the following:

    10:57:45.117448 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 27238, length 36
    10:57:45.157610 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 27239, length 36
    10:57:45.197928 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 27240, length 36
    10:57:45.237965 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 27241, length 36
    10:57:45.277946 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 27242, length 36

    No reply is coming back.



  • @bashuis said in Access printer from foreign network over IPSEC (multiple locations):

    I cannot add the route to pfsense02 (location2) because I cannot create a gateway on the IPsec interface to route the traffic to 172.16.0.0/24 back to pfsense01.

    Then you simply create an outbound NAT on pfsense01 for the 172 network, but before you do that make sure that the LAN2 interface on pfsense01 can communicate with the 172 network first.

    One problem at a time.



  • @bashuis
    Disable the port forward for the ICMP for .136 and try again and see if it replies.



  • @conor
    I already have the outbound rule on pfsense01:
    NAT address: 10.130.76.132/25
    1558511277126-59ab3f12-9afb-452b-8371-d7d1203973c0-image.png



  • @bashuis
    I have no idea if you have that set up right as you have covered up all the important bits.



  • @conor

    I disabled outgoing NAT + disabled ICMP forwarding and still get no reply:

    11:07:09.031164 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 40292, length 36
    11:07:09.071096 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 40293, length 36
    11:07:09.111122 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 40294, length 36
    11:07:09.151517 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 40295, length 36
    11:07:09.192282 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 40296, length 36
    11:07:09.232982 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 40297, length 36
    11:07:09.273003 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 249, seq 40298, length 36



  • Ok then the first problem is that the .136 IP on pfsense01 can't reply to the 172 network.

    1. Make sure that the firewall rules permit traffic from the 172 network arriving on the LAN2 interface.
    2. The 172 network is being routed by the customer router; what is the IP in the range 10.130.76.132 for that router? That IP will be your gateway for the 172 static route.


    I'm able to ping from LAN2 (location1) to the printer (10.130.76.136) if I use a source address in the range 10.130.76.129/25.

    I think the problem is that the traffic is coming from 172.16.0.0/24 and the site location2 (pfsense02) does not know this subnet to route it back to location1.

    I added the following firewall rule on LAN2:
    08c3a518-fc1b-49a8-8319-b6ed6d2a454f-image.png
    This should allow traffic from 172.16.0.0/24 to 10.130.76.136.

    I disabled the ICMP port forwarding and disabled outgoing NAT.

    The address 10.130.76.136/25 is added as a virtual IP, is this needed?

    Packet capturing on interface LAN2 (pfsense01) gives no reply:
    11:25:30.561151 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 281, length 36
    11:25:30.601003 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 282, length 36
    11:25:30.640925 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 283, length 36
    11:25:30.680956 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 284, length 36
    11:25:30.720877 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 285, length 36
    11:25:30.760985 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 286, length 36
    11:25:30.801084 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 287, length 36
    11:25:30.841004 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 288, length 36



    Now I get a reply back:

    11:27:44.554463 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 3382, length 36
    11:27:44.554492 IP 10.130.76.136 > 172.16.0.26: ICMP echo reply, id 250, seq 3382, length 36

    So the connection from pfsense01 (LAN2) to the customer is OK.



    You have a pile of things to fix, stop trying to guess it all in one go. First fix the fact that pfsense01 can't communicate with the 172 network. You probably don't need the Virtual IP and could ping the LAN2 interface directly, but either way you first need to make sure pfsense01 can talk with the 172; otherwise no matter what you do with pfsense02 it won't work.



  • @bashuis said in Access printer from foreign network over IPSEC (multiple locations):

    Now I get a reply back:
    11:27:44.554463 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 3382, length 36
    11:27:44.554492 IP 10.130.76.136 > 172.16.0.26: ICMP echo reply, id 250, seq 3382, length 36
    So the connection from pfsense01 (LAN2) to the customer is OK.

    Good, now you need to add a P2 entry to your IPSEC on both sides for the 172 network so they know how to talk to each other. Good explanation here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-with-multiple-subnets.html



    Should it be like this?

    pfsense01
    172.16.0.0/24(local) --> 192.168.41.0/24(remote)

    pfsense03
    192.168.41.0/24(local) --> 172.16.0.0/24(remote)
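
The Phase 2 pairs proposed above are traffic selectors: a policy-based IPsec tunnel only carries a packet when its source falls in a local network and its destination in the matching remote network of some P2 entry, and the reply needs the mirrored entry on the far side. The following Python is an added illustration of that matching logic, not code from pfSense or from anyone in this thread; the selector lists are constructed from the addresses in the thread and the function names are my own.

```python
import ipaddress
from typing import List, Optional, Tuple

# One Phase 2 entry as (local network, remote network), as shown in the pfSense GUI.
Selector = Tuple[str, str]

# Constructed from the thread's addressing (hypothetical, not an exported pfSense config):
# the original P2 pair before the 172.16.0.0/24 entry was added.
PFSENSE01_P2: List[Selector] = [("10.130.76.128/25", "192.168.41.0/24")]
PFSENSE02_P2: List[Selector] = [("192.168.41.0/24", "10.130.76.128/25")]


def matching_selector(src: str, dst: str, entries: List[Selector]) -> Optional[Selector]:
    """Return the first (local, remote) pair whose networks contain src and dst.

    With policy-based IPsec a packet enters the tunnel only when such a pair exists;
    otherwise it follows the ordinary routing table (for pfsense01 that means the
    static route for 172.16.0.0/24 or, failing that, the WAN default route).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in entries:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def round_trip_ok(src: str, dst: str, side_a: List[Selector], side_b: List[Selector]) -> bool:
    """True when the forward packet matches a selector on side A *and* the reply
    (dst -> src) matches a selector on side B. Both are needed for a ping to succeed."""
    return (matching_selector(src, dst, side_a) is not None
            and matching_selector(dst, src, side_b) is not None)


def missing_mirrors(side_a: List[Selector], side_b: List[Selector]) -> List[Selector]:
    """Selectors on side A that side B does not mirror as (remote, local).
    A P2 entry that exists on only one peer will never come up."""
    mirrored = {(remote, local) for local, remote in side_b}
    return [entry for entry in side_a if entry not in mirrored]


def with_entry(entries: List[Selector], local: str, remote: str) -> List[Selector]:
    """Copy of the selector list with one extra Phase 2 entry appended."""
    return entries + [(local, remote)]


if __name__ == "__main__":
    # A customer host (172.16.0.26) pinging the printer's real address is not covered
    # by the original pair on either side, so it never enters the tunnel.
    print(matching_selector("172.16.0.26", "192.168.41.15", PFSENSE01_P2))   # None
    # After adding the mirrored 172 <-> 192 pair on both firewalls the round trip matches.
    p01 = with_entry(PFSENSE01_P2, "172.16.0.0/24", "192.168.41.0/24")
    p02 = with_entry(PFSENSE02_P2, "192.168.41.0/24", "172.16.0.0/24")
    print(round_trip_ok("172.16.0.26", "192.168.41.15", p01, p02))        # True
    print(missing_mirrors(p01, PFSENSE02_P2))  # the entry pfsense02 would still lack
```

`missing_mirrors` is the check worth running whenever a P2 is added on one side only: an unmirrored selector explains a Phase 2 that stays down with no traffic ever matching it.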



  • yes



  • @conor
    OK, I created the P2.
    It is not UP, but that could be because there is no traffic going over it.

    Several other P2's over the same P1 are online.

    location 1 (pfsense01):
    9cd3ddc1-5860-4644-bf3b-aaab6e7fb812-image.png

    location 2 (pfsense02):
    502d36c4-e9aa-4b60-966a-6509a2f1c8ed-image.png

    Should i disconnect and reconnect the whole IPSEC connection?



    On pfsense02, for the sake of testing, go to Firewall > Rules > IPSEC
    and add an allow-all rule for this interface; you can fine tune it later, this is just for testing.



  • @bashuis said in Access printer from foreign network over IPSEC (multiple locations):

    Should i disconnect and reconnect the whole IPSEC connection?

    If the downtime isn't going to bother you, probably best.



  • @conor said in Access printer from foreign network over IPSEC (multiple locations):

    sake of testing goto Firewall > Rules > IPSEC
    add an allow all rule for this interface, you can fine tune it later this is just for testing

    This rule was already active (for testing) on the IPSEC interface:
    fd807ff2-c41f-4782-8667-35d7543bad38-image.png



    Send a ping from the 172 network to the printer IP in the 192 network. I'm half expecting this to fail; if it does, check that you can still ping the 10.130.76.136 IP address.



  • @conor said in Access printer from foreign network over IPSEC (multiple locations):

    @bashuis said in Access printer from foreign network over IPSEC (multiple locations):

    Should i disconnect and reconnect the whole IPSEC connection?

    If the downtime isn't going to bother you, probably best.

    @conor
    That is not possible now, people are working over the other P2's.

    If it is needed I can schedule this later today/tonight.



  • @conor said in Access printer from foreign network over IPSEC (multiple locations):

    Send a ping from the 172 network to the printer IP in the 192 network. I'm half expecting this to fail; if it does, check that you can still ping the 10.130.76.136 IP address.

    That is a problem, I have no access to the 172 network.

    They started a permanent ping to 10.130.76.136 that I can use to debug.

    I think we should NAT 10.130.76.136 to 192.168.41.15?

    Packet capturing on LAN2 (pfsense01) now gives:
    11:52:17.648234 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 37518, length 36
    11:52:17.648254 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36



  • @bashuis
    Correct, the customer router doesn't understand where the 192 is located, so a NAT is now needed; just enable the ICMP NAT first for testing.



  • @bashuis said in Access printer from foreign network over IPSEC (multiple locations):

    Packet capturing on LAN2 (pfsense01) now gives:
    11:52:17.648234 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 37518, length 36
    11:52:17.648254 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36

    is that with the NAT?



  • @conor said in Access printer from foreign network over IPSEC (multiple locations):

    @bashuis said in Access printer from foreign network over IPSEC (multiple locations):

    Packet capturing on LAN2 (pfsense01) now gives:
    11:52:17.648234 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 37518, length 36
    11:52:17.648254 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36

    is that with the NAT?

    No, before.

    I added this NAT rule on interface LAN2 on pfsense01:
    e99adb90-ed5b-409f-8910-77ae24e04b24-image.png

    Now I see the same:
    11:54:49.664412 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 41040, length 36
    11:54:49.664433 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36
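
The captures posted in this thread show three distinct states: echo requests with no reply at all, a request answered by an echo reply, and a request answered by an ICMP "time exceeded in-transit" from the firewall's own LAN2 address. Telling them apart by eye in a long capture is error-prone, so here is an added Python helper (mine, not pfSense's or anyone's in this thread) that parses tcpdump lines in exactly the format shown and pairs requests with replies by ICMP id and sequence number. The sample capture is constructed from lines in the thread; the function names and verdict wording are my own.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the tcpdump format shown in the thread (not a real capture file).
SAMPLE_CAPTURE = """\
11:25:30.561151 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 281, length 36
11:25:30.601003 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 282, length 36
11:27:44.554463 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 3382, length 36
11:27:44.554492 IP 10.130.76.136 > 172.16.0.26: ICMP echo reply, id 250, seq 3382, length 36
11:52:17.648234 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 37518, length 36
11:52:17.648254 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36
"""

# Matches the three ICMP line shapes seen in the thread; id/seq are absent on time-exceeded lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP "
    r"(?P<kind>echo request|echo reply|time exceeded in-transit)"
    r"(?:, id (?P<id>\d+), seq (?P<seq>\d+))?, length (?P<len>\d+)$"
)


def parse_capture(text: str) -> List[dict]:
    """Parse tcpdump text into one dict per recognised ICMP line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def analyze(text: str) -> Dict[str, object]:
    """Pair echo requests with replies by (id, seq) and summarise what the capture shows."""
    records = parse_capture(text)
    requests = {(r["id"], r["seq"]) for r in records if r["kind"] == "echo request"}
    replies = {(r["id"], r["seq"]) for r in records if r["kind"] == "echo reply"}
    answered = requests & replies
    # Time-exceeded has no id/seq in this output, so count it per sending hop instead.
    exceeded_by = Counter(r["src"] for r in records if r["kind"] == "time exceeded in-transit")

    if exceeded_by:
        hop, count = exceeded_by.most_common(1)[0]
        # TTL hit zero at that hop: the packet is being forwarded in a loop that passes
        # through it rather than reaching the destination.
        verdict = f"ttl expired at {hop} ({count}x): forwarding loop through that hop"
    elif requests and not answered:
        verdict = "requests seen, no replies: the return path is broken (routing or firewall on the reply side)"
    elif requests:
        verdict = "replies seen: round trip works for the answered probes"
    else:
        verdict = "no ICMP echo traffic in capture"

    return {
        "requests": len(requests),
        "answered": len(answered),
        "unanswered": len(requests - answered),
        "time_exceeded_from": dict(exceeded_by),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Feed it the raw text from Diagnostics > Packet Capture (or `tcpdump -n` output in the same format); the "time exceeded" verdict is the one to watch for after adding NAT or static routes, since it means the packet is circulating rather than being dropped.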



  • @bashuis
    If the ping is failing before you add the NAT there still is the problem of pfsense01 to 172 to resolve, remove the NAT rule until that is resolved.



    Can you send me the routes for pfsense01 please, Diagnostics > Routes



  • @conor said in Access printer from foreign network over IPSEC (multiple locations):

    Can you send me the routes for pfsense01 please, Diagnostics > Routes

    b625543a-6454-4299-91f5-2538addd662d-image.png

    I see I have made a mistake in the IPs of the customer router and LAN2 (switched, same LAN). This is correct:
    voorbeeld.jpg
    Also added the new P2.

    We could also have a look with TeamViewer/telephone if you like?

