Confused about traffic through tunnel
I have two PFsense boxes set up, with an IPSEC tunnel between them. The status page says the tunnel is connected, and I can see the packet count go up when I try to ping through the tunnel. But the only thing I can actually ping is the LAN address of the other PFSense box. (I do have the IPSEC firewall rule set up, wide open at the moment.)
Local firewall: 192.168.1.20
Local desktop: 192.168.1.114
Remote firewall: 192.168.50.2
Remote desktop: 192.168.50.100
192.168.1.114 can ping 192.168.1.20
192.168.1.20 can ping 192.168.1.114
(local network works normally)
192.168.1.114 can ping 192.168.50.2
(local desktop can ping remote firewall LAN address)
192.168.1.114 cannot ping 192.168.50.100
If I watch the IPSEC status page on both firewalls, packets out on 192.168.1.20 (local) goes up, packets in does not.
Packets in on 192.168.50.2 (remote) goes up, but packets out does not.
It works the same way in the other direction - remote desktop and remote firewall can ping each other, remote desktop can ping local firewall, but not local desktop. Same with packet count.
I'd think the issue was with the desktop network settings, if they couldn't ping through the tunnel to the other firewall's LAN address. So I'm completely baffled.
Are pfSense boxes the default gateways in the local networks?
Also consider that access from remote networks may be blocked by the destination device. So you may to configure its firewall to allow that access.
The remote box is the only firewall there. The local one is not, but it is set as the default (and only) gateway on the desktop (with fixed IPs, no DHCP involved). I can isolate it into a separate physical network if need be.
Both desktops respond to pings from the PFSense box local to them. (The Win7 box does by default, the Win10 box has the firewall setting to allow it.)
Both desktops respond to pings from the PFSense box local to them.
The point is if they respond to ping from remote network.
On the remote pfSense go to Diagnostics > Ping and ping the remote client with default settings. Guess that will work.
Then select LAN at "Source address" and try again.
Both desktops respond with both settings to the PFSense box local to them. Neither responds to the PFSense box remote them.
So the ping will be blocked by the destination clients firewall.
That has never been the case before. (I have a number of VPN connected locations using other firewalls.) I've double checked the firewall rules on both desktops, and everything is set right.
(Also, it's not just pings. Nothing works through the tunnel, except pinging the LAN address of the firewall at the other end.)
I've double checked the firewall rules on both desktops, and everything is set right.
If you can ping the LAN address at the other end then the tunnel is up and working.
Use packet captures. Ping something on the LAN on the other side and pcap there. Do you see the traffic leaving that interface? Is there a reply? If not find out why not. Compare with a capture to the same host from the local pfSense's LAN interface.
This problem is almost always 1 of two things:
- The default gateway on the target host is not the VPN firewall. It seems you have eliminated this since the host can ping the far side's LAN interface address so that leaves...
- The software firewall (think windows firewall) on the target host is not allowing connections to the target host from the foreign subnet. It could be some other local security software on the host breaking things too.