Neighbouring network behind pfSense LAN
-
Hi All,
I have a simple pfSense setup with 1 network card and a site-to-site VPN. (It is running on an AWS EC2 instance.)
The client is connected to pfSense using a public IP address over an IPsec tunnel, which is working fine.
Client's network: 10.30.30.0/24
The internal network connected directly to the server is 10.10.10.0/24; there is another network on the same VPC, 10.20.20.0/24.
Routing was set up on Amazon.
I can connect from a server on 10.20.20.0/24 to a server on the network on the opposite side of the VPN, 10.30.30.0/24.
When I try to connect back from 10.30.30.0/24 to 10.20.20.0/24, the connection does not work.
The connection from 10.30.30.0/24 to 10.10.10.0/24 does work fine.
I have added firewall rules to allow connections from both sides (it was initially blocked).
It sounds like there is something wrong with the routing on pfSense.
When I used Wireshark from a server on the 10.30.30.0/24 network to 10.20.20.0/24, it gave me a "no response" message on ping.
Any advice will be appreciated.
Kind regards,
Vasily.
-
Good morning, Vasily :-)
I think you might find this link helpful:
https://www.1strategy.com/blog/2017/08/29/tutorial-using-pfsense-as-a-vpn-to-your-vpc/
Also keep in mind that, to my knowledge, AWS EC2 gateways do not support PMTUD because the default security policy does not allow the necessary ICMP through (I might be wrong). I would make sure that your MTU settings are correct on the AWS side.
-
I have got a slightly different setup: pfSense is running as an AWS EC2 instance due to a legacy firewall on the client side.
Interestingly, I can connect to some hosts on that network using port 445 (file shares), but not to the server I want to connect to.
When I run a traffic capture I do not see packets for those hosts on pfSense; from client boxes I get no response for ping, and for other ports I can see the message SACK_PERM=1.
-
Oh ok. In that case, how are your Security Group rules configured? To my knowledge, by default, all outbound traffic is allowed, but rules for inbound traffic must be configured. I'm sure you already know this. Apologies if you do, just trying to get to the bottom of this.
I have only seen SACKs in high packet loss situations, but we already knew that :-P
-
Security groups are looking fine, I can connect in the opposite direction without any problems.
-
Is this a route-based VPN or a tunnel-based VPN?
-
It is.
What I have noticed is that for the server I have a problem with, it is adding records to the routing table:
x.x.x.x and the MAC address of the network interface. I can run the command route delete x.x.x.x, and the connection works fine.
But it refreshes itself every 30 minutes and the records show up again. I am not sure from where these records are getting into the routing table.
-
After further digging, it was found that it is adding records for the AD domain servers listed in the DHCP options of Amazon AWS.
Currently, a script was added to delete them every 30 minutes (after lease renewal). I am not sure if it will be safe to change the IP address to static? (It has multiple IPs on the same interface.)
-
My problem was resolved once I changed the IP from dynamic to static.
DHCP was adding some records to the ARP table which were confusing pfSense.
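The thread describes DHCP-learned entries (the AD DNS servers from the VPC's DHCP options) appearing in pfSense's routing/ARP table as host records pointing at the LAN interface's own MAC, which pins traffic for those hosts to the local interface instead of the VPC or VPN route, and a cleanup script that deletes them after each lease renewal. The example below is added here and is not code from the thread or from pfSense; it shows the detection half of such a script in Python, which pfSense ships. It parses a constructed imitation of FreeBSD `netstat -rn` output and reports host routes whose gateway is a link-layer address but whose destination lies outside every directly connected subnet. The subnets, the MAC and the DNS addresses in the sample are assumptions chosen to mirror the poster's description, and the sample output is constructed rather than captured.

```python
"""Find DHCP-induced host routes that bypass the tunnel/VPC route.

Added example, not from the forum thread or from pfSense. The routing
table text below is a constructed imitation of FreeBSD `netstat -rn`
output; the addresses and MAC are assumptions for illustration.
"""
import ipaddress
import re

# Constructed sample of a FreeBSD-style IPv4 routing table on pfSense.
# The two /32 entries whose gateway is a MAC address stand in for the
# DHCP-induced records described in the thread (assumed values).
SAMPLE_NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.10.10.1         UGS        xn0
10.10.10.0/24      link#1             U          xn0
10.10.10.5         link#1             UHS        lo0
10.20.20.53        0a:1b:2c:3d:4e:5f  UHS        xn0
10.20.20.54        0a:1b:2c:3d:4e:5f  UHS        xn0
10.30.30.0/24      10.10.10.1         UGS        xn0
127.0.0.1          link#2             UH         lo0
"""

# Matches an Ethernet MAC address used as a "gateway" column value.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_routes(netstat_text):
    """Yield (destination, gateway, flags, netif) from netstat -rn text,
    skipping the banner and header lines."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        yield parts[0], parts[1], parts[2], parts[3]


def stray_host_routes(netstat_text, local_subnets):
    """Return destinations of host routes (flag H) whose gateway is a
    link-layer address (MAC or link#N) but whose destination is outside
    every directly connected subnet. Such an entry makes pfSense ARP for
    the host on the LAN instead of forwarding via the VPC/VPN route."""
    local = [ipaddress.ip_network(n) for n in local_subnets]
    stray = []
    for dest, gw, flags, _netif in parse_routes(netstat_text):
        if "H" not in flags or "/" in dest or dest == "default":
            continue
        if not (MAC_RE.match(gw) or gw.startswith("link#")):
            continue
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            continue  # not a plain IPv4/IPv6 host entry
        if addr.is_loopback:
            continue
        if not any(addr in net for net in local):
            stray.append(dest)
    return stray


def route_delete_commands(destinations):
    """Build the `route delete <host>` commands the poster ran by hand,
    so a periodic job can review or execute them."""
    return ["route delete %s" % d for d in destinations]


if __name__ == "__main__":
    # Assumed directly connected LAN; anything else pinned to a MAC is stray.
    found = stray_host_routes(SAMPLE_NETSTAT_RN, ["10.10.10.0/24"])
    for cmd in route_delete_commands(found):
        print(cmd)
```

On a live box the text would come from running `netstat -rn` rather than the constructed sample, and the list of directly connected subnets should be taken from the interface configuration so that genuine neighbours on the LAN are never flagged; the poster's eventual fix of a static address removes the lease-renewal trigger entirely, which is the cleaner resolution where it is possible.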