Traffic originated by the firewall itself cannot enter the IPsec tunnel

  • I have an IPsec tunnel between my site and the vendor site. The vendor side is a Cisco ASA.

    Normal traffic flows correctly between the encryption domains. It is worth noting that I am using PAT on my side of the tunnel to hide all source IPs behind one address.

    I now need to set up my pfSense DNS Resolver to query the vendor-side internal DNS server. I have configured this, but while debugging I discovered that the firewall itself cannot reach systems inside the remote encryption domain. Using nslookup I can query the server from my laptop, which resides in my encryption domain:

    omber@OMBER-LAPTOP:~$ nslookup pve1.vendordomain.lan
    Name:   pve1.vendordomain.lan

    However I cannot complete the same query directly from the pfSense firewall:

    [2.4.4-RELEASE][lukasz@gw.mydomain.local]/home/lukasz: nslookup pve1.vendordomain.lan
    ;; connection timed out; no servers could be reached

    Here mydomain and vendordomain are placeholders for the real values, to preserve anonymity.

    I recall this being some issue with the kernel not understanding how to originate requests like these. Is there a solution?

