Netgate Discussion Forum
    IPSEC VPN BGW320

IPsec
6 Posts 2 Posters 1.6k Views
CyberTiVo

Re: IPSEC VPN AT&T U-verse
I decided to switch to AT&T fiber after I read about the hack to bypass the RG and work with pfSense; they showed up and installed the new BGW320 instead of the bypassable BGW210, so I was a little late to the party. However, the PassThrough option now has a checkbox to allow ESP packets. With it selected, my tunnels come up and I can ping the distant end. Unfortunately, ping is the only thing that works.
Troubleshooting with tcpdump doesn't show any traffic to or from the remote host on the WAN interface being passed through from the RG, even though it works. Since tcpdump doesn't show the working traffic, I can't use it as a tool to see why other ports (443, 8080, 8051, 22) don't work; I'm stuck at this point.

CyberTiVo @CyberTiVo

@cybertivo One more piece of info: I see the packets make it to the host on the other end of the tunnel with tcpdump, and the host replies; everything works fine with the Media Comm connection; both firewalls are running 2.4.5p1.

CyberTiVo @CyberTiVo

@cybertivo OK, too much holiday eggnog; I am brain damaged. I was tcpdumping the WAN interface and, of course, didn't see the packets, as they are encrypted. Packets make it through the firewall to both LAN interfaces, but only ping works; web browsing to 8080, 443, 8989 doesn't work. Safari shows about 15% of the blue progress bar in the URL field and then eventually times out. I will post a dump of the traffic in a bit. The AT&T BGW320 shows a state for the connection between the two firewalls.

CyberTiVo @CyberTiVo

@cybertivo AT&T side of the tunnel, where the client is using a web browser to connect to the remote servers:

listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:38:58.636779 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [SEW], seq 3115810592, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 408619134 ecr 0,sackOK,eol], length 0
12:38:58.668556 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [S.E], seq 1974426754, ack 3115810593, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2989008682 ecr 408619134], length 0
12:38:58.668967 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 0
12:38:58.670041 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [P.], seq 1:360, ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 359
12:38:58.705410 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [P.], seq 1449:2023, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 574
12:38:58.706578 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619200 ecr 2989008682,nop,nop,sack 1 {1449:2023}], length 0

Remote side of the tunnel, where the servers reside:

listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:38:58.653204 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [SEW], seq 3115810592, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 408619134 ecr 0,sackOK,eol], length 0
12:38:58.653471 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [S.E], seq 1974426754, ack 3115810593, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2989008682 ecr 408619134], length 0
12:38:58.685362 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 0
12:38:58.686446 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [P.], seq 1:360, ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 359
12:38:58.688642 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 1448
12:38:58.688684 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [P.], seq 1449:2023, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 574
12:38:58.722873 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619200 ecr 2989008682,nop,nop,sack 1 {1449:2023}], length 0
12:38:58.986996 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989009016 ecr 408619200], length 1448
12:38:59.384939 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989009414 ecr 408619200], length 1448
12:39:00.006949 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989010036 ecr 408619200], length 1448
12:39:01.009156 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989011038 ecr 408619200], length 1448
12:39:02.792952 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989012822 ecr 408619200], length 1448
12:39:06.164192 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989016193 ecr 408619200], length 1448
12:39:12.700471 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989022729 ecr 408619200], length 1448
12:39:25.573268 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989035601 ecr 408619200], length 1448

CyberTiVo @CyberTiVo
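Read side by side, the two captures above say more than "only ping works": the handshake and the client's 359-byte request cross the tunnel in both directions, the server's 574-byte segment (seq 1449:2023) arrives on the AT&T side and is SACKed, but the server's full-size 1448-byte segment (seq 1:1449) is sent nine times with exponential backoff and never shows up there. Loss that tracks payload size rather than direction is the signature of a path-MTU problem: a full-MSS segment grows past the path MTU once it is ESP-encapsulated and is dropped on the way, while smaller segments pass, so the handshake, pings and short requests succeed and anything that returns a full page stalls. (It also explains the earlier WAN-side confusion: on the WAN the tunnel traffic is visible only as ESP, e.g. `tcpdump -ni <wan-if> esp`; the decrypted inner packets can be captured on pfSense's enc0 interface.) The script below is an added example, not code from this thread or from pfSense; it parses the two captures posted above, copied verbatim as its sample input, and reports the segments that left one side but never reached the other, their retransmission counts, and whether the loss is size-dependent. The only assumption is tcpdump's default TCP summary line format with relative sequence numbers.

```python
"""Added example (not from the thread or from pfSense): diff two tcpdump
captures of one TCP flow, taken at each end of an IPsec tunnel, and report
the payload segments that left one side but never reached the other."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Assumption: tcpdump's default TCP summary line with relative sequence numbers, e.g.
#   12:38:58.670041 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [P.], seq 1:360, ack 1, ..., length 359
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$"
)


class Segment(NamedTuple):
    src: str      # sender "ip.port"
    dst: str      # receiver "ip.port"
    seq: int      # first relative sequence number of the payload
    seq_end: int  # one past the last byte (tcpdump's A:B)
    length: int   # payload bytes


def parse_segments(capture: str) -> List[Segment]:
    """Every payload-carrying segment in capture order; SYNs, pure ACKs and
    the 'listening on ...' banner are skipped."""
    segs: List[Segment] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["length"]) == 0:
            continue
        segs.append(Segment(f'{m["src"]}.{m["sport"]}', f'{m["dst"]}.{m["dport"]}',
                            int(m["seq"]), int(m["seq_end"]), int(m["length"])))
    return segs


def compare(sender_side: str, receiver_side: str) -> Dict[str, object]:
    """Segments seen in sender_side (keyed on endpoints + sequence range, so
    retransmissions collapse onto one key) that never appear in receiver_side,
    plus how often each segment was (re)sent and the size split between
    delivered and lost segments."""
    sent = Counter(parse_segments(sender_side))
    received = set(parse_segments(receiver_side))
    missing = [seg for seg in sent if seg not in received]
    delivered = [seg.length for seg in sent if seg in received]
    return {
        "missing": missing,
        "retransmits": {seg: n for seg, n in sent.items() if n > 1},
        "largest_delivered": max(delivered, default=0),
        "smallest_missing": min((seg.length for seg in missing), default=0),
    }


def size_dependent_loss(report: Dict[str, object]) -> bool:
    """True when every lost segment is bigger than every delivered one: the
    loss tracks payload size, which is how a path-MTU problem looks from
    inside a tunnel (full-MSS segments no longer fit once ESP-encapsulated,
    smaller ones pass)."""
    return bool(report["missing"]) and report["smallest_missing"] > report["largest_delivered"]


# Sample input: the two captures posted in the thread (em1 = AT&T side, igb1 = remote side).
ATT_SIDE = """\
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:38:58.636779 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [SEW], seq 3115810592, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 408619134 ecr 0,sackOK,eol], length 0
12:38:58.668556 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [S.E], seq 1974426754, ack 3115810593, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2989008682 ecr 408619134], length 0
12:38:58.668967 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 0
12:38:58.670041 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [P.], seq 1:360, ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 359
12:38:58.705410 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [P.], seq 1449:2023, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 574
12:38:58.706578 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619200 ecr 2989008682,nop,nop,sack 1 {1449:2023}], length 0
"""

REMOTE_SIDE = """\
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:38:58.653204 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [SEW], seq 3115810592, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 408619134 ecr 0,sackOK,eol], length 0
12:38:58.653471 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [S.E], seq 1974426754, ack 3115810593, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2989008682 ecr 408619134], length 0
12:38:58.685362 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 0
12:38:58.686446 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [P.], seq 1:360, ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 359
12:38:58.688642 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 1448
12:38:58.688684 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [P.], seq 1449:2023, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 574
12:38:58.722873 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619200 ecr 2989008682,nop,nop,sack 1 {1449:2023}], length 0
12:38:58.986996 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989009016 ecr 408619200], length 1448
12:38:59.384939 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989009414 ecr 408619200], length 1448
12:39:00.006949 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989010036 ecr 408619200], length 1448
12:39:01.009156 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989011038 ecr 408619200], length 1448
12:39:02.792952 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989012822 ecr 408619200], length 1448
12:39:06.164192 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989016193 ecr 408619200], length 1448
12:39:12.700471 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989022729 ecr 408619200], length 1448
12:39:25.573268 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989035601 ecr 408619200], length 1448
"""


def main() -> None:
    report = compare(REMOTE_SIDE, ATT_SIDE)   # server -> client direction
    for seg in report["missing"]:
        n = report["retransmits"].get(seg, 1)
        print(f"never arrived: {seg.src} > {seg.dst} seq {seg.seq}:{seg.seq_end} "
              f"({seg.length} bytes), sent {n}x")
    print(f"largest payload delivered: {report['largest_delivered']} bytes")
    if size_dependent_loss(report):
        print("loss is size-dependent: check the tunnel path MTU and MSS clamping")


if __name__ == "__main__":
    main()
```

Run it as-is, or replace the two strings with your own `tcpdump -ni <lan-if> host <remote-host>` output from each firewall, taken for the same connection attempt. If it reports size-dependent loss, the next checks are a don't-fragment ping sweep through the tunnel between hosts behind the two firewalls (FreeBSD `ping -D -s <size>`, Linux `ping -M do -s <size>`, stepping the size up from around 1300 to find the largest payload that still passes), and enabling pfSense's MSS clamping for VPN traffic with a value below that limit, so TCP never emits a segment that cannot fit once encapsulated.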

              @cybertivo I'm surprised no one is interested in coming up with a solution for using pfSense with the new AT&T Residential Gateway like the awesome work from MonkWho for the BGW210.

phatty @CyberTiVo

@cybertivo Did you ever get anywhere with this? I have some traffic passing, but it seems like traffic initiated from the AT&T end is where most of the problem lies.
I thought static IPs would help, but no such luck so far. This same tunnel config was previously working when connected to a cable modem.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.