Reconfigure of pfSense upstream appliance
-
We have pfSense sitting in front of a network that talks to AWS. In front of that we have a Meraki appliance that we are replacing with Sophos. When we made the switch we found one of the boxes on the network that pfSense manages can no longer talk up to AWS. We have been on the phone with Sophos to see if there is any reason that appliance is blocking the communication, and during testing this morning set up a bridge between the two devices, but that doesn't seem to have helped. We are also currently engaged with a network specialist but haven't made any progress yet.
Some facts:
- From my local, using our VPN, I can ping a box in AWS, "Box AWS"
- From AWS, I cannot ping the box we need that is in our network, "Box Us 1"
- From AWS, I can ping a separate box in the same /24 as the above box, "Box Us 2"
- From pfSense, I can ping "Box Us 2"
- From pfSense, I cannot ping "Box Us 1"
Not a network professional so please excuse any details that should have been listed. Looking for some thoughts on next steps for us to review. Can provide additional details as necessary.
Thanks!
-
Hmm, that seems like a problem on Box Us 1 unless you have specific rules to block access to it in pfSense.
If it responds to ping at all, pfSense should be able to ping it from its interface in the subnet, unless I've misunderstood the network layout.
Does 'Box Us 1' appear in the pfSense ARP table? Does 'Box Us 2'?
Steve
-
Thanks Steve. "Box Us 1" was in the ARP table but "Box Us 2" was not. We were able to get it working (note I didn't say "we figured out the issue" haha), which included adding an outbound NAT rule that allowed traffic.
We now have a secondary issue: "Box Us 1" is a DB and now AWS can talk to it. Great. We don't have bidirectional communication though apparently and the DB needs to be able to talk to a service up in our AWS VPC. We have been reviewing the issue and the only thing that seems odd at this point is the following entry we see in the Routes table, thoughts?
Destination   Gateway        Flags   Use    Mtu    Netif   Expire
########      169.254.68.9   UG1     2324   16384  lo0

Is this route saying that that destination "#######", which is a CIDR in the private IP range in AWS, is not going out? If so, what should we look at for trying to change that?
Thanks for the help!
-
That looks like you have a VPN from pfSense to the AWS VPC?
AWS use APIPA addresses for the VPN tunnel subnet to route across so that may be expected.
If you can make connections from AWS to the local DB server then it probably has a route back in order to reply. Unless the outbound NAT you added was on the internal pfSense interface. In that case the traffic from AWS appears to be local so it can reply but it can never open connections the other way.
If you need to do that then you need to fix the routing issue rather than masking it with OBN.
Almost certainly the DB server has a bad or missing default route.
Steve
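The diagnosis in Steve's last reply (the DB host can answer NATed connections from the LAN side but cannot reach the AWS CIDR itself because it lacks a usable default route) can be checked mechanically with a longest-prefix route lookup run against the route tables of both hosts. The script below is an added example written for this page, not code from the thread or from pfSense. The two route tables are constructed samples in the same layout as the pfSense `netstat -rn` excerpt posted above and as Linux `ip route show`; the AWS VPC range 10.20.0.0/16, the local subnet 192.168.50.0/24, the pfSense LAN address 192.168.50.1 and the DB host 192.168.50.25 are all assumptions, not addresses from the thread.

```python
"""Route-table sanity check for the pfSense <-> AWS VPN scenario in the thread.

Added example, not from the original post. All addresses and both sample
route tables below are constructed; substitute real `netstat -rn` (pfSense)
and `ip route show` (DB host) output to run it against a live network.
"""
import ipaddress

# Constructed sample: pfSense/FreeBSD `netstat -rn`, IPv4 section only.
# The AWS VPC route sits behind the APIPA tunnel address, as on the page.
PFSENSE_ROUTES = """\
Destination        Gateway            Flags     Use    Mtu    Netif Expire
default            203.0.113.1        UGS         0   1500     em0
10.20.0.0/16       169.254.68.9       UG1      2324  16384     lo0
127.0.0.1          link#4             UH          0  16384     lo0
169.254.68.8/30    link#8             U           0   1436  ipsec1
192.168.50.0/24    link#2             U           0   1500     em1
"""

# Constructed sample: DB host with NO default route (the suspected fault).
DB_HOST_ROUTES_BROKEN = """\
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.25
"""

# Constructed sample: DB host after adding a default route via pfSense LAN.
DB_HOST_ROUTES_FIXED = """\
default via 192.168.50.1 dev eth0
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.25
"""


def _to_network(dest):
    """Turn a route destination column into an ip_network (bare host -> /32)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(dest, strict=False)


def parse_freebsd(text):
    """Parse FreeBSD `netstat -rn` rows into (network, gateway, netif)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue  # header or malformed row
        try:
            routes.append((_to_network(parts[0]), parts[1], parts[5]))
        except ValueError:
            continue  # IPv6 / link-local rows this example does not model
    return routes


def parse_linux(text):
    """Parse Linux `ip route show` rows into (network, gateway-or-None, dev)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((_to_network(parts[0]), gw, dev))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the route the kernel would choose for `address`,
    or None when nothing (not even a default route) covers it."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def explains_one_way_traffic(db_routes, nat_source, aws_host):
    """True when the DB host can reply to connections that arrive NATed to
    `nat_source` (pfSense LAN address) but has no route to reach `aws_host`
    itself. That is exactly the 'can reply, cannot initiate' symptom."""
    return lookup(db_routes, nat_source) is not None and lookup(db_routes, aws_host) is None


if __name__ == "__main__":
    aws_host = "10.20.1.5"          # assumed address of the AWS service
    pf = lookup(parse_freebsd(PFSENSE_ROUTES), aws_host)
    print("pfSense reaches", aws_host, "via", pf[1], "on", pf[2])
    for label, table in (("broken", DB_HOST_ROUTES_BROKEN), ("fixed", DB_HOST_ROUTES_FIXED)):
        db = parse_linux(table)
        print(label, "DB host one-way only:", explains_one_way_traffic(db, "192.168.50.1", aws_host))
```

On a real host, paste the output of `netstat -rn` from the pfSense shell and `ip route show` from the DB server into the two strings; if `lookup` on the DB table returns None for an AWS address while the NATed source still resolves, the fix is a default route (or a specific route for the VPC CIDR) pointing at the pfSense LAN address, after which the outbound NAT on the LAN interface can be removed.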