How to let a pfSense IPsec "Routed VTI" interface respond to ping?



  • Hi all,

    I just have a Fortigate and am building a VPN between it and pfSense.

    The VPN is already up and operating well between the two sites' LAN subnets.

    And I have a tunnel interface IP address on the Fortigate of 169.254.0.1/32, while the remote tunnel interface is configured as 169.254.0.2/32, with a static route also.

    On the pfSense side, I do the same in reverse and confirm I am using 169.254.0.2 as the source IP and am able to ping the Fortigate side, 169.254.0.1.

    However, I can ping the 169.254.0.2 from the Fortigate side.

    I do confirm the Fortigate is already using 169.254.0.1 as the src IP, from debug-level logging.

    Please, could someone advise how I can allow ping to the pfSense VTI interface.


  • Rebel Alliance Developer Netgate

    You are using link-local APIPA addresses on that interface, which are blocked by default. There is an option to allow the traffic, but it is hidden on current releases. We have added a GUI option in 2.5.0 and 2.4.5 to control it.

    You can set it in the config using Diag > Command, in the PHP Execute box:

    // Set the hidden flag that disables the default block of 169.254.0.0/16 traffic
    $config['system']['no_apipa_block'] = true;
    // Persist the change to config.xml with a description for the config history
    write_config("Do not block APIPA");
    // Regenerate and reload the pf ruleset so the block rules are dropped
    send_event("filter reload");
    


  • @jimp

    This works, thanks!


