2 pfSense with gateway on the second
I have the following settings:
2 pfSense, connected via a routed IPsec tunnel (VTI)
Configuration of the pfSense 1:
one Interface LAN1 with subnet 192.168.2.0/24
Gateway at pfSense 2
I now want to tunnel the whole traffic to the second one through the IPsec tunnel.
Whichs works, when i define one rule at the pfSense 1 to use the IPsec tunnel (pfSense 2) as a gateway.
Because of the static route on pfSense 2 a NAT rule is created automatically, which works fine.
Clients in the LAN1 net can ping things at the internet and browse some sites.
Somehow it is not very stable and some ACK packets are rejected
Why are those rejected? Also creating a rule does not work.
Here is a log entry on the second pfSense (the Gateway):
Why are those packets blocked? Is there something wrone with my routing and the pfsense is dropping packets?
Does somebody other know a better solution or an answer to solve my problem?
You have asymmetric routing going on. Read through this: https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html
I do not know, where an asymectric route shoud happen.
"Bypass firewall rules for traffic on the same interface" doesn't fix my problem, also the outgoing floating rule with the "sloppy state" does not work.
Do i understand something wrong?
I only have two rules, on the pfSense 1 at interface LAN1 to use the ipsec tunnel as a gateway, and on pfSense 2 one rule to allow traffic fron 192.168.2.0/24 to any at the ipsec interface.
Ah, I misread what you had. I thought you had two pfSense routers at the same location doing a tunnel to a remote site.
In your case, the log you see is probably not a problem. It's most likely an out-of-state/OOW response from a web server being blocked from going back across the tunnel. (Server sent another packet after pfSense removed the state, more or less). That is common with web server traffic.
Am i missing something? When i test it with speedtest.net it shows the ip address of the second pfSense, which is the gateway. Sometimes connection times out.
What else could be wrong in my configuration? Those blocked packeges at the firewall are too much. I only have one client using one webpage.
Could be that you need to setup MSS clamping for the VPNs (IPsec advanced tab), or set the MTU lower on the IPsec VTI interfaces
the tunnel works fine for other purposes, but i will try to change the mtu.
if there is a problem with the mtu, shoundn't wireshark get icmp messages?
I only get many, many TCP Keep-Alive messages.
This post is deleted!