Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't connect from site A to site C

    Scheduled Pinned Locked Moved General pfSense Questions
    20 Posts 4 Posters 1.7k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      ColinDexter
      last edited by

      In site B I replaced a draytek with a pfsense router. Almost everything works perfectly. The IPsec VPN tunnel between site A and B is working. Only I do not come from site A to site C. (I only need to go from A to C. Not from C to A).
      network.PNG
      On site A I indicated that site C can be found through the VPN tunnel.

      But somehow I don't get there. On the pfsense router I also created NAT rules for the network of site A (Not sure if this is needed). And add to test any to any rules so that everything is open. In site C I indicated that site A can be found at IP address 192.168.3.254. With the draytek, this al worked without any problems.

      But I probably forgot to configure something in the pfsense now. Only I don't see anything like that.

      So I hope one of you can help me further

      M JKnottJ 2 Replies Last reply Reply Quote 0
      • M Offline
        marvosa @ColinDexter
        last edited by

        Are both tunnels IPSEC?

        1 Reply Last reply Reply Quote 0
        • JKnottJ Offline
          JKnott @ColinDexter
          last edited by

          @colindexter

          IPSec can have problems with NAT, if Authentication Headers are used.

          Are both tunnels IPSEC?

          Irrelevant. A VPN is just another IP path. You could mix VPN types without issue, as one VPN is completely independent of the other.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          C 1 Reply Last reply Reply Quote 0
          • C Offline
            ColinDexter @JKnott
            last edited by

            No, there is only 1 VPN (IPSEC) connection. It is located between site A and B. From site B it has to go to site C via NAT

            JKnottJ 1 Reply Last reply Reply Quote 0
            • JKnottJ Offline
              JKnott @ColinDexter
              last edited by

              @colindexter

              You will need to do port forwarding at both NATs. However, as I mentioned, IPSec doesn't like NAT.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              C 1 Reply Last reply Reply Quote 0
              • C Offline
                ColinDexter @JKnott
                last edited by

                Which two NATs should I do port forwarding with? Because I don't have a port forward anywhere now. (also never had with the draytek). Because in principle it only involves traffic from the inside to the outside

                JKnottJ 1 Reply Last reply Reply Quote 0
                • JKnottJ Offline
                  JKnott @ColinDexter
                  last edited by

                  @colindexter

                  If you're trying to reach C from A via B, then you need to port forward through both B & C, but it's hard to tell from your sketch which way NAT is going. For example, you say you can reach B, but it shows the path to B is through C.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  C 1 Reply Last reply Reply Quote 0
                  • C Offline
                    ColinDexter @JKnott
                    last edited by

                    Yes it might be a bit tricky indeed. On the drawing I signed the VPN between site A and B. But of course this runs via site C and the internet. In site A there is NAT from 192.168.1.x to the internet. In site B there is NAT from 192.168.2.x to 192.168.3.254. And in site C there is NAT from 192.168.3.x to internet.

                    Thanks to the VPN, all hosts in sites A and B can reach each other.

                    Hosts in site B can access a server in site C. And hosts in site A should be able to do this too. Hosts in site A should be given the gateway from site B as default gateway (192.168.3.254)

                    Hope it is like that a little more clear. Is a bit difficult to explain.

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by

                      You shouldn't need to port forward anything here if you only need to reach C from A.

                      You just need to make sure the IPSec tunnel has P2s for both A-B and A-C.

                      Steve

                      C 1 Reply Last reply Reply Quote 0
                      • C Offline
                        ColinDexter @stephenw10
                        last edited by

                        I don't know exactly how you want to do this. Because what do I enter at local subnet when I add a P2 to the IPSec tunnel. Should this be 192.168.3.0? And does pfsense understand that this must be routed to site C or do I have to do something for that as well?

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Unless you are using route based IPSec (VTI) then IPSec is policy based. You have to have P2 policies to match all the traffic you need to carry which here includes: 192.168.1.0/24 to 192.168.3.0/24.

                          pfSense will send that to the site at C as long as it has a route to it. I imagine it's the default route though it's not clear from the diagram.

                          Steve

                          C 1 Reply Last reply Reply Quote 0
                          • C Offline
                            ColinDexter @stephenw10
                            last edited by

                            I spent all day testing different things. But still don't have it working. I have now a P2 policies that match all the traffic (192.168.1.0/24 to 192.168.3.0/24) And the default gateway on site B (pfSense ) is to site C. But I still can’t reach it.

                            I think the outbound NAT on site B (pfsense) is incorrect. I have already added a extra rule for 192.168.1.0 but unfortunately also without result.

                            And the stupid thing is when I replace the pfsense with the old draytek it works in one go :-(

                            So it must be a settings in the pfsense router. Only I can't find it yet.

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              Do you see the traffic blocked in the firewall logs anywhere?

                              Do you see the correct states open in pfSense in the state table?

                              Does the host at site C see the requests?

                              Steve

                              C 1 Reply Last reply Reply Quote 0
                              • C Offline
                                ColinDexter @stephenw10
                                last edited by

                                Sorry, yes on the firewall I have the following message:

                                Dec 29 08:55:57 	WAN 	Default deny rule IPv4 (1000000103) 	192.168.3.246:80		192.168.1.252:36028		TCP:SA 
                                

                                state table:

                                IPsec 	tcp 	192.168.1.252:36106 -> 192.168.3.246:80 	SYN_SENT:ESTABLISHED 	4 / 762 	240 B / 36 KiB 	
                                WAN 	tcp 	192.168.1.252:36106 -> 192.168.3.246:80 	ESTABLISHED:SYN_SENT 	4 / 762 	240 B / 36 KiB
                                
                                C 1 Reply Last reply Reply Quote 0
                                • C Offline
                                  ColinDexter @ColinDexter
                                  last edited by

                                  When I remove the NAT rules for 192.168.1.0 then the entry on the firewall log disappears.

                                  C 1 Reply Last reply Reply Quote 0
                                  • C Offline
                                    ColinDexter @ColinDexter
                                    last edited by

                                    Oh yes and I see the request coming from site A on the server in site C

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S Offline
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      The fact you are seeing SYN-ACK replies blocked on WAN usually means some sort of route asymmetry but it could also be the state timed out and that was a reply to the last SYN.

                                      The state there does not show the traffic being NAT'd as it leaves the WAN. I expect to see that source NAT's to 192.168.2.X, whatever the WAN IP is.

                                      It's possible that was an old state though.

                                      Without NAT there the host at 192.168.3.X will need a static route back.

                                      What are your outbound NAT rules there?

                                      Steve

                                      C 1 Reply Last reply Reply Quote 0
                                      • C Offline
                                        ColinDexter @stephenw10
                                        last edited by

                                        On site C is a static route for 192.168.1.0/24 to 192.168.3.254 (this is the WAN for site B). On site C is only NAT to the public IP.

                                        On Site B I use the following NAT at this moment.
                                        nat.PNG

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          If you have a static route at site C you should not need an outbound NAT rule at B but you will need firewall rules at C to pass it. The default LANnet pass rule will not.

                                          Steve

                                          C 1 Reply Last reply Reply Quote 0
                                          • C Offline
                                            ColinDexter @stephenw10
                                            last edited by

                                            Got it working finally. For this I reset everything to default and started again from scratch. And both options now works. If I do it via NAT it works. And if I change this to a static route in the destination network (so without NAT) it also works.

                                            I think I have the same configured as before. But apparently something was wrong before, because now it works.

                                            Thank you all for your input and suggestions.

                                            1 Reply Last reply Reply Quote 1
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.