Netgate Discussion Forum
    Zabbix Proxy + IPSEC Problem: Local VIP to Remote IP not working.

    General pfSense Questions
    5 Posts 2 Posters 943 Views

    RaulChiarella:

      Guys, good afternoon.
      I have the following problem in pfSense:

      The service for the Zabbix Proxy package does not want to come up.

      The scenario is as follows:

      1. pfSense has an IPsec VPN with the Zabbix Server

        Zabbix IP is 192.168.1.248

      2. pfSense has a VIP (Virtual IP), which is the address the Zabbix Server will communicate with in Phase 2 of the IPsec tunnel

        Virtual IP is 172.16.250.10

      3. If I go to Diagnostics > Test Port, select the interface VIP 172.16.250.10 and try to connect to 192.168.1.248:10052 (which is the port the Zabbix Server is listening on),
        I get a SUCCESS message, but if I don't specify an interface, I get a connection error message

      When I try to start the Zabbix Proxy service, it reports that the Zabbix Server IP is unavailable (Unable to connect to 192.168.1.248:10052...)
      So I believe that the route the Zabbix Proxy is trying to use is NOT through the VIP.

      That is why it's not getting a success message when connecting to the server.
      I believe that the Zabbix Proxy service in pfSense is using a different interface than the VIP one...

      I am almost sure that I have to do some Outbound NAT. I even managed to create one, shown in the image below, but it's not working.

      My logic when creating the NAT below (I don't know if I made the rule correctly): every connection attempt to IP 192.168.1.248 on port 10052 should use the VIP interface.

      [screenshot: Outbound NAT rule]

      Please, how can I explicitly and globally tell pfSense that "all outbound attempts to 192.168.1.248:10052 are routed using the VIP interface address 172.16.250.10"?

      Or, if this is not the solution, what can I do?

        stephenw10 (Netgate Administrator):

        It's this:
        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html

        You can't NAT the traffic to make it match a policy-based IPsec tunnel. Only that static route workaround will work there.

        Steve

          RaulChiarella (@stephenw10):

          @stephenw10 Hello.

          This didn't work.
          This is exactly what I did:

          1. Gateway on the firewall's LAN IP
            Interface: LAN
            GW: 192.168.1.253
            Checked "Disable Gateway Monitoring"
          2. Static route using that gateway
            Destination: remote VPN IP (192.168.1.248)
            Gateway: IPSecGW
          3. Testing the connection
            Diagnostics > Ping
            Source: VIP (local pfSense 172.16.250.10, the address the other side is trying to communicate with)
            Destination: remote IP (192.168.1.248)

          The problem persists... Am I creating the route wrong?

            stephenw10 (Netgate Administrator):

            That looks correct. The test I would want to see would be using Test Port but leaving the source address set to any. That should now succeed, whereas it was failing before.

            What does the IPsec P2 actually carry there?

            The problem you have here though is that the VIP is not the LAN. Is it in the LAN subnet?

            Are you able to change Zabbix to use the LAN IP rather than the VIP?

            Steve

              RaulChiarella (@stephenw10):

              @stephenw10

              It actually worked. I just had to change the GW from 192.168.1.253 to the VIP 172.16.250.10.
              Thanks for your help...

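The mechanism behind the thread: a policy-based IPsec tunnel only protects packets whose source and destination both fall inside the Phase 2 selectors. A locally generated packet (the Zabbix Proxy daemon, Test Port with source "any") is sourced from the address of the interface the routing table picks for 192.168.1.248, which is the WAN address via the default route, so it never matches the P2 and fails. The static route workaround changes which local address the kernel binds the route to. The following is an added example (not code from the thread or from pfSense) that models longest-prefix route lookup and source selection over a constructed routing table. The WAN/LAN addresses (203.0.113.10, 10.0.0.1), the WAN gateway 203.0.113.1, the interface names and a /32 P2 on each side are assumptions; only the VIP 172.16.250.10 and the Zabbix Server 192.168.1.248 come from the thread. The source-selection rule (a route whose gateway is one of the firewall's own addresses binds to that address) is a simplified model of how the documented workaround behaves, not a reimplementation of the FreeBSD kernel.

```python
"""Model of why an unbound connection misses a policy-based IPsec P2, and
how a static route via the firewall's own VIP fixes the source address."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network, CIDR
    gateway: str   # next hop, or "link" for a directly connected network
    iface: str     # egress interface


# Constructed firewall. Interface addresses are assumptions for the example;
# the VIP 172.16.250.10 and the Zabbix Server 192.168.1.248 are from the thread.
IFACE_ADDR = {
    "vtnet0": "203.0.113.10",   # WAN (assumed)
    "vtnet1": "10.0.0.1",       # LAN (assumed)
}
VIP = "172.16.250.10"
LOCAL_ADDRS = set(IFACE_ADDR.values()) | {VIP}

ZABBIX = "192.168.1.248"

BASE_TABLE = [
    Route("0.0.0.0/0", "203.0.113.1", "vtnet0"),   # default via WAN gateway (assumed)
    Route("10.0.0.0/24", "link", "vtnet1"),
    Route("203.0.113.0/24", "link", "vtnet0"),
]

# Phase 2 selectors as described in the thread: local VIP /32 <-> Zabbix /32.
P2_LOCAL = ipaddress.ip_network(VIP + "/32")
P2_REMOTE = ipaddress.ip_network(ZABBIX + "/32")


def lookup(table, dst):
    """Longest-prefix match over the table, as the kernel FIB does."""
    d = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def source_for(table, dst):
    """Source address chosen for a locally generated packet (simplified model).

    If the selected route's gateway is one of the firewall's own addresses,
    the route binds to that address and it becomes the source; otherwise the
    egress interface's primary address is used.
    """
    r = lookup(table, dst)
    if r.gateway in LOCAL_ADDRS:
        return r.gateway
    return IFACE_ADDR[r.iface]


def matches_p2(src, dst):
    """Would the SPD treat this packet as tunnel traffic?"""
    return (ipaddress.ip_address(src) in P2_LOCAL
            and ipaddress.ip_address(dst) in P2_REMOTE)


def scenarios():
    """Source address and P2 match for the three states seen in the thread."""
    no_route = BASE_TABLE
    via_lan_ip = BASE_TABLE + [Route(ZABBIX + "/32", IFACE_ADDR["vtnet1"], "vtnet1")]
    via_vip = BASE_TABLE + [Route(ZABBIX + "/32", VIP, "vtnet1")]
    out = {}
    for name, table in (("no_route", no_route),
                        ("static_route_via_lan_ip", via_lan_ip),
                        ("static_route_via_vip", via_vip)):
        src = source_for(table, ZABBIX)
        out[name] = (src, matches_p2(src, ZABBIX))
    return out


if __name__ == "__main__":
    for name, (src, ok) in scenarios().items():
        print(f"{name:26s} src={src:15s} matches P2: {ok}")
```

Only the third case produces a packet the SPD recognizes, which is why Test Port with the VIP as source succeeded from the start while the daemon failed, and why a gateway pointing at the LAN address (Steve's "the VIP is not the LAN") still sources from the wrong address. Outbound NAT cannot help because NAT is applied after the routing decision and outside the IPsec policy match.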
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.