    Google VPN / VTI / everything works except ping from pfsense

    • cukal

      I've set up an IPSec / VTI tunnel (2.4.5p1) to Google VPN and everything pretty much works (from LAN to VPC) except for pinging a VM instance from pfSense.

      Packet capture on pfsense:

      00:10:54.219472 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 59191, seq 0, length 64
      00:10:55.219551 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 59191, seq 1, length 64
      00:10:56.221004 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 59191, seq 2, length 64
      

      tcpdump on the GC VM instance shows it does receive the requests and sends replies:

      22:12:23.976986 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 42660, seq 0, length 64
      22:12:23.977267 IP 10.132.0.2 > 169.254.40.1: ICMP echo reply, id 42660, seq 0, length 64
      

      But I don't receive the reply on pfsense, nor do I see it in the packet capture on pfsense.

      I tried adding 169.254.40.1/32 as a route in the VPC but that didn't change anything.

      Anyone any ideas?

    • Rico

        169.254.0.0/16 is Link Local and AFAIK not routed by FreeBSD/pfSense.

        -Rico

    • cukal

          Tried resolving it with TAC but to no avail. Enabling APIPA didn't change anything. I'm not sure where the problem lies but I'm guessing the VPC is refusing to route 169.254.x.x as it's strictly speaking not within a defined VPC route. I've noticed in another issue that any packet with an RFC1918 target ip without a defined route and an available target instance or VPN route with that RFC1918 range gets blocked straight after egress from the vm instance.

          Traffic from pfSense LAN networks works flawlessly, but the reason I need a ping from pfSense is because I'm running a blackbox_exporter on pfSense to monitor the IPSec tunnel by pinging the remote GC VM instance.

          I worked around it by adding a VPC route to the pfSense LAN1/32 address with the tunnel as gateway, allowing only ICMP, and added a blackbox_exporter ICMP config with the LAN1/32 IP as source_address. That way the ping requests arrive at the GC instance with the LAN1/32 source IP and the reply gets accepted because there's a defined VPC route, and gets sent through the tunnel.

          Gr.

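The thread above is really a return-path problem: the VM answers, but the reply, addressed to a link-local VTI address, is never routed back. The following script is an added example (not from the thread or from pfSense/Google) that automates the comparison the poster did by hand: it parses `tcpdump -n` ICMP lines from both ends of the tunnel, pairs requests with replies by ICMP id and sequence number, and reports whether a missing reply was lost on the forward path or the return path. It also flags echo sources in 169.254.0.0/16, since a VPC routing table will normally have no route back to them. The capture lines are constructed from the ones in the thread; the `192.168.1.1` "LAN1" address used for the after-workaround capture is an assumption.

```python
"""Pair ICMP echo requests with replies from two tcpdump captures and
locate which direction of the path is broken.

Added example for the pfSense/Google VPN thread; the capture text below is
constructed (modelled on the posted lines), not a real trace.
"""
import ipaddress
import re

# Matches a `tcpdump -n` ICMP echo line, e.g.
# 00:10:54.219472 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 59191, seq 0, length 64
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# IPv4 link-local range; VPC route tables will not carry a route back here.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed capture on pfSense: requests leave, nothing comes back.
PFSENSE_CAPTURE = """
00:10:54.219472 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 59191, seq 0, length 64
00:10:55.219551 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 59191, seq 1, length 64
"""

# Constructed capture on the VM for the same ping run: requests arrive, replies are sent.
VM_CAPTURE = """
22:12:23.976986 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 59191, seq 0, length 64
22:12:23.977267 IP 10.132.0.2 > 169.254.40.1: ICMP echo reply, id 59191, seq 0, length 64
22:12:24.976990 IP 169.254.40.1 > 10.132.0.2: ICMP echo request, id 59191, seq 1, length 64
22:12:24.977300 IP 10.132.0.2 > 169.254.40.1: ICMP echo reply, id 59191, seq 1, length 64
"""

# Constructed captures after the workaround: ping sourced from a routed LAN
# address (192.168.1.1 is an assumed LAN1 address) with a matching VPC route.
PFSENSE_AFTER = """
00:20:01.000000 IP 192.168.1.1 > 10.132.0.2: ICMP echo request, id 7, seq 0, length 64
00:20:01.010000 IP 10.132.0.2 > 192.168.1.1: ICMP echo reply, id 7, seq 0, length 64
"""
VM_AFTER = """
22:20:01.000500 IP 192.168.1.1 > 10.132.0.2: ICMP echo request, id 7, seq 0, length 64
22:20:01.000700 IP 10.132.0.2 > 192.168.1.1: ICMP echo reply, id 7, seq 0, length 64
"""


def parse_capture(text):
    """Return a list of dicts for every ICMP echo line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            packets.append(d)
    return packets


def pair_echoes(packets):
    """Match replies to requests by (id, seq).

    Returns sorted key lists: (answered, unanswered, replies_without_request).
    """
    requests = {(p["id"], p["seq"]): p for p in packets if p["kind"] == "request"}
    replies = {(p["id"], p["seq"]): p for p in packets if p["kind"] == "reply"}
    answered = sorted(k for k in requests if k in replies)
    unanswered = sorted(k for k in requests if k not in replies)
    orphans = sorted(k for k in replies if k not in requests)
    return answered, unanswered, orphans


def diagnose(local_capture, remote_capture):
    """Compare the sending side (pfSense) with the target side (VM).

    A request unanswered locally but answered remotely was lost on the return
    path; one never seen remotely was lost on the forward path.
    """
    local = parse_capture(local_capture)
    remote = parse_capture(remote_capture)
    _, local_unanswered, _ = pair_echoes(local)
    remote_answered, _, _ = pair_echoes(remote)
    remote_seen = {(p["id"], p["seq"]) for p in remote if p["kind"] == "request"}
    answered_remotely = set(remote_answered)
    return {
        "reply_lost_on_return_path": [k for k in local_unanswered if k in answered_remotely],
        "request_lost_on_forward_path": [k for k in local_unanswered if k not in remote_seen],
        # Echo sources the far side cannot route back to without a specific route.
        "link_local_sources": sorted(
            {p["src"] for p in local
             if p["kind"] == "request" and ipaddress.ip_address(p["src"]) in LINK_LOCAL}
        ),
    }


if __name__ == "__main__":
    print("before workaround:", diagnose(PFSENSE_CAPTURE, VM_CAPTURE))
    print("after workaround: ", diagnose(PFSENSE_AFTER, VM_AFTER))
```

For the constructed "before" captures the report lists both sequence numbers under `reply_lost_on_return_path` and names `169.254.40.1` as a link-local source, which is exactly the combination the thread ends on: the tunnel forwards fine, the VPC simply has nowhere to send the reply. After the workaround both lists are empty. Pairing on (id, seq) only works when both captures cover the same ping run; the two captures in the original post were taken at different times and carry different ids, so they would need to be re-captured together before feeding them in.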