Netgate Discussion Forum
IPsec traffic goes over LAN interface

General pfSense Questions
6 Posts, 2 Posters, 700 Views
mrbostn

Fresh install of 2.5.2. Just a run-of-the-mill IPsec site-to-site IKEv2; I can see the other side (basically all I do is RDP into a computer). No overlapping IPs.

I was starting to lock down my IPsec firewall rules when I noticed the rules weren't applying.

After some pings and watching logs, all my IPsec traffic shows the LAN interface.

Not sure where I went wrong on this. I've reset states, rebooted and even reinstalled pf 2.5.2.

I did notice that if I filter the logs to IPsec, some trickle of data is coming from the other side to "me". My traffic going "there" goes over the LAN interface.

stephenw10 (Netgate Administrator)

When you say 'IPSec traffic' do you mean the encrypted tunnel traffic, UDP 500/4500 and ESP?
I would expect to see that on WAN.

If you mean the traffic inside the tunnel, then if you opened the connection it will appear in the firewall logs on LAN; that's expected.

You will only see connections logged on the IPSec interface when something at the remote side opens it.

Steve

mrbostn @stephenw10

@stephenw10

Right.. here's more info.

Sites A and B.
Site B opens up RDP to a server on Site A. If I go to the firewall logs, I see the source IP and the destination IP and port listed in the LAN.

Also, what is odd, the firewall IPsec rules aren't enforced.

If under Firewall Rules, under the IPsec tab, I put a deny rule in for Any/Any, Site B can still open up RDP to the server at Site A.

It's using the firewall rules on the LAN tab.

stephenw10 (Netgate Administrator)

You are talking about the firewall at site B, I assume?

That's exactly what I would expect to see. In pfSense the firewall rules act on traffic coming into an interface, and all traffic leaving an interface is permitted. The only exception to that is for floating rules.

See: https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html

Steve

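The rule methodology Steve describes in both of his replies (interface-tab rules only see traffic entering that interface; outbound is permitted unless a floating rule says otherwise) is easy to model. The following is an added toy simulation, not pfSense code and not anything the posters wrote; the site addresses (site B LAN 192.168.2.0/24, site A LAN 192.168.1.0/24 via the tunnel) and rule sets are constructed. It reproduces the thread's observation that an any/any deny on the IPsec tab does not stop RDP opened from site B, and shows the two placements that do: a block on the LAN tab (where the connection enters) or a floating quick rule with direction "out" on IPsec. Only the first packet of a connection is modelled, since pfSense is stateful and reply traffic rides on the state entry.

```python
"""Toy model of pfSense's per-interface rule methodology (constructed example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # interface the first packet of the connection arrives on
    egress: str   # interface the firewall forwards it out of


@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: str = "any"         # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: str = "in"    # floating rules may also be "out"
    iface: str = "any"       # floating rules name an interface; tab rules are implied by the tab
    quick: bool = True       # interface-tab rules are always quick (first match wins)
    note: str = ""

    def applies(self, pkt, iface, direction):
        if self.direction != direction or self.iface not in ("any", iface):
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def _stage(pkt, iface, direction, tab_rules, floating):
    """One interface/direction: floating quick rules, then the tab, then floating last-match."""
    last_match = None
    for r in floating:
        if r.applies(pkt, iface, direction):
            if r.quick:
                return r.action, f"floating quick {direction} on {iface}: {r.note}"
            last_match = r
    for r in tab_rules:
        if r.applies(pkt, iface, direction):
            return r.action, f"{iface} tab: {r.note}"
    if last_match is not None:
        return last_match.action, f"floating last-match {direction} on {iface}: {last_match.note}"
    # Default policy: unmatched inbound traffic is blocked, outbound is allowed.
    return ("block" if direction == "in" else "pass"), f"default {direction} on {iface}"


def evaluate(pkt, tabs, floating=()):
    """Return (verdict, reason) for the first packet of a connection crossing the firewall."""
    action, why_in = _stage(pkt, pkt.ingress, "in", tabs.get(pkt.ingress, []), floating)
    if action == "block":
        return action, why_in
    # Tab rules are never consulted on the way out; only floating "out" rules can block here.
    action, why_out = _stage(pkt, pkt.egress, "out", [], floating)
    return action, f"{why_in}; {why_out}"


# Constructed site-B firewall: LAN is 192.168.2.0/24, site A (192.168.1.0/24) sits behind IPsec.
SITE_B_TABS = {
    "LAN": [Rule("pass", note="default allow LAN to any")],
    "IPsec": [Rule("block", note="deny any/any on IPsec tab")],
}
RDP_B_TO_A = Packet("192.168.2.10", "192.168.1.20", 3389, ingress="LAN", egress="IPsec")
RDP_A_TO_B = Packet("192.168.1.20", "192.168.2.10", 3389, ingress="IPsec", egress="LAN")


def rdp_from_site_b():
    """Site B opens RDP to site A: evaluated on the LAN tab, so the IPsec deny never fires."""
    return evaluate(RDP_B_TO_A, SITE_B_TABS)


def rdp_from_site_a():
    """Site A opens RDP toward site B: this one enters on IPsec and the IPsec tab blocks it."""
    return evaluate(RDP_A_TO_B, SITE_B_TABS)


def rdp_from_site_b_with_lan_rule():
    """Blocking where the connection enters (LAN tab, above the allow) stops the B-to-A RDP."""
    tabs = {
        "LAN": [Rule("block", dst="192.168.1.0/24", dport=3389, note="no RDP to site A")]
        + SITE_B_TABS["LAN"],
        "IPsec": SITE_B_TABS["IPsec"],
    }
    return evaluate(RDP_B_TO_A, tabs)


def rdp_from_site_b_with_floating_out():
    """A floating quick rule with direction "out" on IPsec is the other way to catch it."""
    floating = [Rule("block", dport=3389, direction="out", iface="IPsec", note="floating out deny RDP")]
    return evaluate(RDP_B_TO_A, SITE_B_TABS, floating)


if __name__ == "__main__":
    for fn in (rdp_from_site_b, rdp_from_site_a,
               rdp_from_site_b_with_lan_rule, rdp_from_site_b_with_floating_out):
        print(f"{fn.__name__:34s} -> {fn()}")
```

Running it prints a pass for the site-B-initiated RDP with the reason "LAN tab: default allow LAN to any", a block for the site-A-initiated connection from the IPsec tab, and blocks for the two corrected placements; the practical lesson is that lockdown rules belong on the tab of the interface where the connection is opened, or in floating out rules, not on the tab of the interface the traffic exits.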
mrbostn @stephenw10

@stephenw10
Yes, Firewall B is what I was talking about. Thank you for the replies. While it explains the behavior, I need to do more reading.

Thank you

stephenw10 (Netgate Administrator)

No worries. Please ask if we can clarify anything further for you. 👍

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.