Zabbix Proxy + IPSEC Problem: Local VIP to Remote IP not working.
-
Guys, good afternoon.
I have the following problem in pfSense:The Service for package Zabbix Proxy not want to go up.
The scenario is as follows:
- pfSense has a IPSEC VPN with Zabbix Server
Zabbix IP is 192.168.1.248
- pfSense has a VIP (Virtual IP) linked to pfSense, which is what Zabbix Server will use to communicate on Phase 2 of IPSEC
Virtual IP is 172.16.250.10
- If i go to Diagnostics > Test Port and select interface VIP 172.16.250.10 and try to connect on 192.168.1.248:10052 (Which is the port Zabbix Server is listening)
i get a SUCCESS message, but if i don't specify a interface, i get a connection error message
When i try to start Zabbix Proxy service, it reports that the Zabbix Server IP is unavailable (Unable to connect to 192.168.1.248:10052...)
So, i believe that the route that Zabbix Proxy is trying to do is NOT through the VIP.So that's why it's not getting a success message when connecting to the Proxy.
I believe that the Zabbix Proxy service in pfSense is getting a different interface than the VIP one...I am almost sure that i must have to do some Outbound NAT. I even managed to do one according to the image below, but it's not working.
My logic when creating this NAT below (I don't know if I made the rule correctly): Every connection attempt on IP 192.168.1.248 on port 10052, use the VIP interface.
Please, how can i explicity and globally say to pfSense that "All tries on 192.168.1.248:10052 outbound route uses interface VIP address 172.16.250.10" ?
Or if this is not the solution, what can i do ?
- pfSense has a IPSEC VPN with Zabbix Server
-
It's this:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.htmlYou can't NAT the traffic to make it match a policy based IPSec tunnel. Only that static route workaround will work there.
Steve
-
@stephenw10 Hello.
This didnt work.
This is exactly what i did:- Gateway LAN IP Firewall
Interface: LAN
GW: 192.168.1.253
Check Disable Gateway Monitoring - Static Route using gateway
Destination: Remote VPN IP (192.168.1.248)
Gateway: IPSecGW - Testing Connection
Diagnostics > Ping
Source: VIP (Local pfSense 172.16.250.10) other side is trying to communicate
Destination: Remote IP Destination (192.168.1.248)
Problem persists... Am i creating the routing wrong?
- Gateway LAN IP Firewall
-
That looks correct. The test I would want to see would be using test port but leaving the source address set to any. That should now succeed and was failing before.
What does the IPSec P2 actually carry there?
The problem you have here though is that the VIP is not the LAN. Is it in the LAN subnet?
Are you able to change Zabbix to use the LAN IP rather than the VIP?
Steve
-
It actually worked. I just had to change GW from 192.168.1.253 to the VIP 172.16.250.10.
Thanks for your help...
