Zabbix Proxy + IPSEC Problem: Local VIP to Remote IP not working.
-
Guys, good afternoon.
I have the following problem in pfSense: the service for the Zabbix Proxy package does not want to go up.
The scenario is as follows:
- pfSense has an IPSEC VPN with Zabbix Server
  Zabbix IP is 192.168.1.248
- pfSense has a VIP (Virtual IP) linked to pfSense, which is what Zabbix Server will use to communicate on Phase 2 of IPSEC
  Virtual IP is 172.16.250.10
- If I go to Diagnostics > Test Port, select interface VIP 172.16.250.10 and try to connect to 192.168.1.248:10052 (which is the port Zabbix Server is listening on), I get a SUCCESS message, but if I don't specify an interface, I get a connection error message.
When I try to start the Zabbix Proxy service, it reports that the Zabbix Server IP is unavailable (Unable to connect to 192.168.1.248:10052...).
So, I believe that the route Zabbix Proxy is trying to take is NOT through the VIP. So that's why it's not getting a success message when connecting to the Proxy.
I believe that the Zabbix Proxy service in pfSense is getting a different interface than the VIP one... I am almost sure that I must have to do some Outbound NAT. I even managed to do one according to the image below, but it's not working.
My logic when creating this NAT below (I don't know if I made the rule correctly): every connection attempt to IP 192.168.1.248 on port 10052 should use the VIP interface.
Please, how can I explicitly and globally tell pfSense that "All attempts to 192.168.1.248:10052 outbound should be routed using interface VIP address 172.16.250.10"?
Or if this is not the solution, what can I do?
-
It's this:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html
You can't NAT the traffic to make it match a policy based IPSec tunnel. Only that static route workaround will work there.
Steve
-
@stephenw10 Hello.
This didn't work.
This is exactly what I did:
- Gateway LAN IP Firewall
  Interface: LAN
  GW: 192.168.1.253
  Check Disable Gateway Monitoring
- Static Route using gateway
  Destination: Remote VPN IP (192.168.1.248)
  Gateway: IPSecGW
- Testing Connection
  Diagnostics > Ping
  Source: VIP (Local pfSense 172.16.250.10), which the other side is trying to communicate with
  Destination: Remote IP Destination (192.168.1.248)
Problem persists... Am I creating the routing wrong?
-
That looks correct. The test I would want to see would be using test port but leaving the source address set to any. That should now succeed and was failing before.
What does the IPSec P2 actually carry there?
The problem you have here though is that the VIP is not the LAN. Is it in the LAN subnet?
Are you able to change Zabbix to use the LAN IP rather than the VIP?
Steve
-
It actually worked. I just had to change GW from 192.168.1.253 to the VIP 172.16.250.10.
Thanks for your help...
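As an added illustration (not from this thread, pfSense or Zabbix), the script below reproduces the difference the original poster saw between Test Port with a source interface and without one: a client socket that does not bind a source address takes whatever source IP the routing table assigns for the destination, which is why a route for 192.168.1.248 with the VIP as gateway made the daemon's traffic match the IPsec P2. Loopback addresses are constructed stand-ins (127.0.0.2 for the VIP 172.16.250.10, 127.0.0.1 for the Zabbix server); `observed_source_ip` and `address_is_local` are names chosen here.

```python
"""Source-address selection demo (constructed example, not project code).

Unbound client = the zabbix_proxy daemon connecting on its own.
Bound client   = Diagnostics > Test Port with a source interface chosen.
"""
import socket
import threading
from typing import List, Optional

SERVER_IP = "127.0.0.1"   # constructed stand-in for the Zabbix server 192.168.1.248
VIP_IP = "127.0.0.2"      # constructed stand-in for the pfSense VIP 172.16.250.10


def address_is_local(ip: str) -> bool:
    """True if this host can use `ip` as a source address (a bind succeeds)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            probe.bind((ip, 0))
            return True
        except OSError:
            return False


def observed_source_ip(source_ip: Optional[str] = None, timeout: float = 2.0) -> str:
    """Connect to a local listener and return the source IP the listener saw.

    With source_ip=None the kernel picks the source from the routing table;
    otherwise the client binds to source_ip before connecting.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((SERVER_IP, 0))            # ephemeral port stands in for 10052
    listener.listen(1)
    listener.settimeout(timeout)
    seen: List[str] = []

    def accept_one() -> None:
        conn, peer = listener.accept()       # peer[0] is the client's source IP
        seen.append(peer[0])
        conn.close()

    server = threading.Thread(target=accept_one, daemon=True)
    server.start()
    try:
        src = (source_ip, 0) if source_ip else None
        with socket.create_connection(listener.getsockname(), timeout=timeout, source_address=src):
            server.join(timeout)
    finally:
        listener.close()
    if not seen:
        raise RuntimeError("listener never saw the connection")
    return seen[0]


if __name__ == "__main__":
    print("unbound source :", observed_source_ip())
    if address_is_local(VIP_IP):
        print("bound to VIP   :", observed_source_ip(VIP_IP))
```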