IPsec traffic goes over LAN interface
-
Fresh install of 2.5.2. Just a run of the mill IPsec site to site IKEv2, I can see the other side (basically all I do is RDP into a computer). No overlapping IPs.
I was starting to lockdown my IPsec firewall rules when I noticed the rules weren't applying.
After some pings and watching logs all my IPsec traffic shows the LAN interface.
Not sure where I went wrong on this. I've reset states, rebooted and even reinstalled pf 2.5.2.
I did notice that if I filter the logs to IPsec, some trickle of data is coming from the other side to "me". My traffic going "there" goes over the LAN interface.
-
When you say 'IPSec traffic' do you mean the encrypted tunnel traffic, UDP 500/4500 and ESP?
I would expect to see that on WAN. If you mean the traffic inside the tunnel then if you opened the connection it will appear in the firewall logs on LAN, that's expected.
You will only see connections logged on the IPSec interface when something at the remote side opens it.
Steve
-
Right.. here's more info.
Sites A and B.
Site B opens up RDP to a server on Site A. If I go to the firewall logs, I see the source IP and the destination IP and port listed in the LAN. Also what is odd, the Firewall IPsec rules aren't enforced.
If under the Firewall Rules Under the IPsec tab I put a deny rule in for Any Any Site B can still open up the RDP to the server at Site A
It's using the Firewall rules on the LAN tab.
-
You are talking about the firewall at site B I assume?
That's exactly what I would expect to see. In pfSense the firewall rules act on traffic coming into an interface and all traffic leaving an interface is permitted. The only exception to that is for floating rules.
See: https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html
Steve
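As an added illustration of the rule methodology Steve describes (this is example code written for this page, not pfSense's own code or anything from the thread), the following is a simplified model of how pf on pfSense decides a packet's fate: only the rule list of the interface the packet arrives on is consulted, first match wins with an implicit default deny, and replies belonging to an existing state never hit the rules at all. Addresses, ports and the two rule tabs are constructed to mirror the thread: Site B's LAN tab permits everything, and its IPsec tab (pfSense's enc0 interface) carries the "deny any any" rule the poster added.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet ARRIVES on ("lan", "ipsec", ...)
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dport: Optional[int] = None  # None matches any destination port

class Firewall:
    """Toy model of pfSense rule evaluation: one inbound rule list per
    interface (one per firewall tab), first match wins, default deny,
    and a state table so that reply packets bypass the rules."""

    def __init__(self, rules):
        self.rules = rules       # {"lan": [...], "ipsec": [...]}
        self.states = set()      # (client, server, server_port)
        self.log = []            # (interface, action, src, dst, dport), as a firewall log would show

    def handle(self, pkt):
        # Reply to an established connection: matched by state, never by rules.
        if (pkt.dst, pkt.src, pkt.sport) in self.states:
            return "pass (state)"
        # New connection: only the rules of the INGRESS interface are consulted;
        # traffic leaving any interface is implicitly permitted.
        for rule in self.rules.get(pkt.ingress, []):
            if rule.dport is None or rule.dport == pkt.dport:
                self.log.append((pkt.ingress, rule.action, pkt.src, pkt.dst, pkt.dport))
                if rule.action == "pass":
                    self.states.add((pkt.src, pkt.dst, pkt.dport))
                return rule.action
        self.log.append((pkt.ingress, "block", pkt.src, pkt.dst, pkt.dport))
        return "block (default deny)"

def site_b_firewall():
    # Constructed rule set mirroring the thread: LAN tab allows anything,
    # IPsec tab has the "deny any any" rule the poster added.
    return Firewall({
        "lan":   [Rule("pass")],
        "ipsec": [Rule("block")],
    })

def rdp_from_site_b():
    """A Site B host opens RDP to the Site A server (constructed addresses).
    The SYN enters on LAN, so LAN rules decide; the reply arriving over IPsec
    matches the state and the IPsec block rule is never evaluated."""
    fw = site_b_firewall()
    syn = Packet("lan", "10.2.0.50", "10.1.0.10", 51000, 3389)
    syn_ack = Packet("ipsec", "10.1.0.10", "10.2.0.50", 3389, 51000)
    return fw.handle(syn), fw.handle(syn_ack), fw.log

def rdp_from_site_a():
    """A Site A host opens RDP towards Site B: the SYN enters on the IPsec
    interface, so the IPsec tab's rules apply and the block rule takes effect."""
    fw = site_b_firewall()
    syn = Packet("ipsec", "10.1.0.10", "10.2.0.50", 52000, 3389)
    return fw.handle(syn), fw.log

if __name__ == "__main__":
    print("Site B -> Site A:", rdp_from_site_b())
    print("Site A -> Site B:", rdp_from_site_a())
```

Running it shows the behaviour from the thread: the connection opened from Site B is logged once, on the LAN interface, and the IPsec tab's deny rule only ever fires when the remote side initiates. To restrict what LAN hosts may send through the tunnel you therefore filter on the LAN tab (or with floating rules on the outbound direction), not on the IPsec tab.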
-
@stephenw10
Yes, Firewall B is what I was talking about. Thank you for the replies. While it explains the behavior I need to do more reading. Thank you
-
No worries. Please ask if we can clarify anything further for you.