Traffic originated by Firewall itself cannot enter IPSEC tunnel



I have an IPsec tunnel between my site and the vendor site. The vendor side is a Cisco ASA.

Normal traffic flows correctly between the encryption domains. It is worth noting that I am using PAT on my side of the tunnel to hide all source IPs behind one address.

I now need to set up my pfSense DNS Resolver to query the vendor-side internal DNS server. I have configured this, but in debugging I discovered that the firewall itself cannot reach systems inside the remote encryption domain. Using nslookup I can query the server from my laptop, which resides in my encryption domain:

    omber@OMBER-LAPTOP:~$ nslookup pve1.vendordomain.lan 172.17.12.18
    Server:         172.17.12.18
    Address:        172.17.12.18#53

    Name:   pve1.vendordomain.lan
    Address: 172.17.12.6

However, I cannot complete the same query directly from the pfSense firewall:

    [2.4.4-RELEASE][lukasz@gw.mydomain.local]/home/lukasz: nslookup pve1.vendordomain.lan 172.17.12.18
    ;; connection timed out; no servers could be reached

Here mydomain and vendordomain are replacements for the real values to keep anonymity.

I recall this being some issue with the kernel and that it doesn't understand how to originate requests like these. Is there a solution?

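The symptom above (LAN hosts reach the remote encryption domain, the firewall's own queries do not) can be reasoned about by modelling how an IPsec Phase 2 selector is matched once NAT is applied. The following is an added example and not code from the original post or from pfSense: it models the policy check in Python, with only the vendor-side 172.17.12.0/24 range taken from the post; the local LAN, the PAT address and the firewall's own interface addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed values: only the vendor-side 172.17.12.0/24 range comes from
# the post; LAN, PAT address and firewall interface IPs are assumptions.
LAN = ip_network("10.20.0.0/24")
PAT_ADDRESS = ip_address("192.0.2.10")       # address the vendor sees on the tunnel
VENDOR_NET = ip_network("172.17.12.0/24")
VENDOR_DNS = ip_address("172.17.12.18")
LAPTOP_IP = ip_address("10.20.0.50")
FW_LAN_IP = ip_address("10.20.0.1")
FW_WAN_IP = ip_address("203.0.113.7")          # source a route lookup would pick
OUTSIDE_DST = ip_address("198.51.100.5")       # not in the remote domain


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network                          # pre-NAT local encryption domain
    remote: IPv4Network                         # remote encryption domain
    nat_address: Optional[IPv4Address] = None   # PAT address presented to the peer


def translate_source(p2: Phase2, src: IPv4Address) -> IPv4Address:
    """Outbound PAT: only sources inside the local selector are rewritten."""
    if p2.nat_address is not None and src in p2.local:
        return p2.nat_address
    return src


def matches_tunnel(p2: Phase2, src: IPv4Address, dst: IPv4Address) -> bool:
    """True when (src, dst), after NAT, falls inside the negotiated selector pair."""
    if dst not in p2.remote:
        return False
    src = translate_source(p2, src)
    if p2.nat_address is not None:
        return src == p2.nat_address           # peer only accepts the PAT address
    return src in p2.local


def usable_sources(p2: Phase2, candidates: List[IPv4Address],
                   dst: IPv4Address) -> List[IPv4Address]:
    """Which of the firewall's own addresses the selector would accept."""
    return [c for c in candidates if matches_tunnel(p2, c, dst)]


P2 = Phase2(LAN, VENDOR_NET, PAT_ADDRESS)

if __name__ == "__main__":
    print("laptop ->", matches_tunnel(P2, LAPTOP_IP, VENDOR_DNS))
    print("fw WAN ->", matches_tunnel(P2, FW_WAN_IP, VENDOR_DNS))
    print("usable:", usable_sources(P2, [FW_WAN_IP, FW_LAN_IP], VENDOR_DNS))
```

The model shows one failure mode consistent with the post: a locally generated packet whose source address is chosen by the routing table (here the WAN address) lies outside the Phase 2 local selector, so it is never translated or encrypted, while a source inside that selector is.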