IPSec Firewall Rule Query
-
Morning all,
I've come across a strange issue when it comes to the firewall on one of our pfSense units; a quick setup description below:
Virtual pfSense appliance controlling the head office; the head office then has 4 different sites connecting into it via IPsec VPNs, 3 of these sites are controlled by WatchGuards, the 4th by a Draytek.
The IPsec tunnels were working fine, traffic passed through correctly both ways as we would expect and a packet capture showed this was the case too.
This customer has a piece of software sitting at the head office (behind the pfSense) which talks to devices at the remote sites and sends them data to refresh price lists etc. For all intents and purposes, this software was functioning correctly for the most part: it could establish connections to the databases (SQL) at the remote sites fine, and testing with SSMS would work too. However, when the software itself tried to push data it would fail with timeout errors, so we obviously immediately thought it was the software at fault.
After various troubleshooting was completed, and packets were captured and showed traffic flowing seemingly correctly, I decided to try setting up some floating rules on the pfSense itself. I set up one rule to allow traffic from the remote site into head office, and another rule doing the opposite, and applied these to the LAN and IPsec interfaces. As soon as I did this, everything started working at this remote site.
The confusion (and my query) comes into it with the below:
Two of the four remote sites were working absolutely fine, data was transferred as we expect; however, two were not (one WatchGuard, one Draytek). We also had in place a firewall rule under the IPsec heading that essentially allows everything (* source, * destination, * port).
Am I missing something or getting confused about how the firewall rules on the pfSense are working?
Any input would be appreciated as I'm at a bit of a loss with this one!
-
@delodien
Consider that the remote sites also have to allow inbound traffic when the head office is initiating the connection. On the head office IPsec interface you can only allow inbound traffic initiated from the remote site; with floating rules you can also restrict outbound.
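To illustrate the direction point made in the reply above, here is an added example (not from the original thread, and not pfSense's own generated ruleset) of what the rules on the IPsec tab, the LAN tab and the Floating tab look like once pfSense has turned them into pf rules. The interface names (igb1 for LAN, enc0 for IPsec) and the subnets (10.0.0.0/24 for the head office LAN, 192.168.50.0/24 for one remote site) are assumed for illustration only.

```pf
# Assumed names for this example: igb1 = LAN, enc0 = IPsec tunnel traffic,
# 10.0.0.0/24 = head office LAN, 192.168.50.0/24 = one remote site.
# None of these come from the thread; they are placeholders.

# A rule on the IPsec tab (* source, * destination, * port) is generated as an
# "in" rule on enc0. It only matches packets arriving FROM the tunnel, i.e.
# connections the remote site initiates towards head office. It has no effect
# on connections head office initiates towards the remote site.
pass in quick on enc0 inet from any to any keep state

# A connection head office initiates is filtered where it enters pfSense, on
# the LAN tab. It then leaves via enc0 without further filtering, and the
# state created here also carries the replies back. A default-style LAN rule:
pass in quick on igb1 inet from 10.0.0.0/24 to any keep state

# Floating rules are the only place a rule can be given the "out" direction,
# or "any" (no direction keyword, both directions) and several interfaces at
# once. Two floating rules, direction any, interfaces LAN + IPsec, one per
# direction of traffic between the two subnets:
pass quick on { igb1 enc0 } inet from 192.168.50.0/24 to 10.0.0.0/24 keep state
pass quick on { igb1 enc0 } inet from 10.0.0.0/24 to 192.168.50.0/24 keep state
```

To check which of these a given flow actually hits on a live box, `pfctl -sr` lists the loaded rules with their direction (`in`, `out`, or none for a floating "any" rule), `pfctl -vsr` adds per-rule packet and byte counters, and `pfctl -ss` shows the state table, so a flow that is passing on state rather than on a rule can be told apart from one that is being matched by the rule you expect. In particular, when pfSense is the initiator, an "allow everything" rule on the IPsec tab is not consulted for that flow at all, which is the behaviour the reply describes.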
-
@viragomann
So the setup was such that the pfSense was the initiator in this case. Each remote site had a rule to allow traffic to and from the head office local network, and this seemingly worked as pings were allowed to traverse the VPN correctly.