pfSense+ AWS EC2 Asymmetric Routing Help
-
Hello,
I am experiencing what I believe is asymmetric routing with my setup.
The desired state is to have all outbound internet traffic in the remote VPC routed over the IPsec tunnel and connect to the internet from the onsite VPC. For those versed in AWS, neither VPC peering nor transit gateway is an option for me, but rest assured they would have been my first pick.
My setup is as follows:
- one "onsite" AWS VPC 10.0.0.0/21
- one "remote" AWS VPC 10.10.0.0/21
- A pfSense+ EC2 instance deployed in the onsite VPC w/ Elastic IP
- An AWS Virtual private gateway (VGW) in the remote VPC
- An AWS site-to-site VPN connection (IPsec) between the pfSense+ instance and the VGW
- A test instance in the remote VPC
I configured my pfSense+ instance following the video linked in the doc (https://www.netgate.com/resources/videos-routed-ipsec-on-pfsense-244). I am not using BGP, just one static route to my remote VPC network.
So far everything is working as intended except for HTTPS traffic from the remote test instance to the internet. The IPsec tunnel is UP, I can communicate to/from instances in the onsite VPC from the remote VPC, and I can reach the internet from the test instance in the remote VPC, but only over HTTP:
curl http://google.com
works, while
curl https://google.com
does not. When I try to curl an HTTPS site I see TCP:A packets blocked by the 'Default deny rule IPv4'. My understanding is that this is indicative of asymmetric routing. I have tried the "Automatic Fix" and the "Manual Fix" in the troubleshooting asymmetric routing section of the documentation (https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html?highlight=asymmetric). At this point I am not sure how best to proceed in troubleshooting this; any feedback is appreciated.
Thanks
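One way to confirm that the 'Default deny rule IPv4' hits are the asymmetric-routing pattern (mid-stream TCP packets with ACK set that a stateful firewall drops because it never saw the connection's SYN), as an added example that is not part of the original post or of pfSense itself. It parses the pfSense filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4/IPv6 header fields and the TCP detail fields) and groups blocks by interface and kind. The log lines, interface names, addresses and the tracker value are constructed for the example, not captured from the poster's firewall.

```python
"""Classify pfSense filterlog block entries to spot asymmetric-routing symptoms.

Added example, not code from the original post or from pfSense. Field positions
follow the pfSense filterlog CSV layout; the sample lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample syslog lines. Interfaces (ipsec1000 = routed IPsec VTI,
# xn0 = WAN, xn1 = LAN), addresses and the tracker id are assumptions.
SAMPLE_LOG = """\
Mar  1 12:00:01 pfSense filterlog[52771]: 5,,,1000000103,ipsec1000,match,block,in,4,0x0,,63,48213,0,DF,6,tcp,52,10.10.1.23,203.0.113.10,44210,443,0,A,1826413501,2283710655,501,,
Mar  1 12:00:02 pfSense filterlog[52771]: 5,,,1000000103,ipsec1000,match,block,in,4,0x0,,63,48214,0,DF,6,tcp,569,10.10.1.23,203.0.113.10,44210,443,517,PA,1826413501,2283710655,501,,
Mar  1 12:00:05 pfSense filterlog[52771]: 5,,,1000000103,xn0,match,block,in,4,0x0,,64,1,0,none,6,tcp,60,198.51.100.7,10.0.1.5,51000,22,0,S,3350102233,,64240,,mss;sackOK;TS;nop;wscale
Mar  1 12:00:07 pfSense filterlog[52771]: 120,,,1645012744,ipsec1000,match,pass,in,4,0x0,,63,9913,0,DF,6,tcp,60,10.10.1.23,203.0.113.10,44212,80,0,S,1001,,64240,,mss
Mar  1 12:00:08 pfSense sshd[1234]: Accepted publickey for admin from 10.0.1.9 port 50322 ssh2
Mar  1 12:00:09 pfSense filterlog[52771]: 5,,,1000000103,xn1,match,block,in,4,0x0,,64,7,0,none,17,udp,78,10.0.2.40,192.0.2.53,49152,53,58
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")


def parse_filterlog_line(line):
    """Parse one syslog line from filterlog into a dict; None if not a filterlog entry."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    entry = {"rule": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
             "action": f[6], "dir": f[7], "ipver": f[8]}
    # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
    # IPv6: class,flowlabel,hoplimit,proto-text,proto-id,length,src,dst
    if entry["ipver"] == "4" and len(f) >= 20:
        entry.update(proto=f[16], src=f[18], dst=f[19])
        base = 20
    elif entry["ipver"] == "6" and len(f) >= 17:
        entry.update(proto=f[12], src=f[15], dst=f[16])
        base = 17
    else:
        return entry
    # TCP detail: sport,dport,data-length,tcp-flags,seq,ack,window,urg,options
    if entry["proto"] == "tcp" and len(f) >= base + 4:
        entry.update(sport=f[base], dport=f[base + 1], tcp_flags=f[base + 3])
    return entry


def classify(entry):
    """Label an entry. A blocked TCP packet with ACK set belongs to a connection
    the firewall has no state for: the classic asymmetric-routing symptom."""
    if entry is None:
        return "unparsed"
    if entry["action"] != "block":
        return entry["action"]
    if entry.get("proto") != "tcp":
        return "block-other"
    flags = entry.get("tcp_flags", "")
    if "A" in flags:
        return "block-midstream"
    if "S" in flags:
        return "block-new-connection"
    return "block-other-tcp"


def summarize(log_text):
    """Count (interface, category) pairs across a block of syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog_line(line)
        if entry is not None:
            counts[(entry["iface"], classify(entry))] += 1
    return counts


def suspect_flows(log_text):
    """Return the blocked mid-stream flows, i.e. the candidates for a routing fix."""
    flows = []
    for line in log_text.splitlines():
        entry = parse_filterlog_line(line)
        if entry and classify(entry) == "block-midstream":
            flows.append({k: entry[k] for k in
                          ("iface", "dir", "src", "dst", "dport", "tcp_flags")})
    return flows


if __name__ == "__main__":
    for (iface, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{iface:10s} {kind:22s} {n}")
    for flow in suspect_flows(SAMPLE_LOG):
        print("suspect:", flow)
```

The interface and direction of the mid-stream blocks are the useful part of the output: they tell you which leg of the path the firewall is seeing return traffic on without having seen the matching SYN, which is what the "Manual Fix" floating rules in the linked troubleshooting page are written against.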
-
@pczinser Not personally super experienced with pfSense in AWS, but wanted to at least try and help or get this topic a bit of a bump haha.
So, just to be clear, where are you seeing the default deny happen? In pfSense right? But on what interface in specific? I'd first be suspect of that and see if you can get the traffic to pass, but yes could be asymmetric for some reason.
Again, not a huge AWS person, but is there a reason the VPN is built with AWS and not set up within pfSense at each location itself?