Tunnel IPsec working OK, cannot access remote host from local pfSense
-
We have a pfSense firewall (Network: 172.16.0.0/20) connected to a FortiGate firewall (Network: 172.16.16.0/20) using IPsec.
We can access hosts on the 172.16.16.0/20 network from any host on the 172.16.0.0/20 network, except from the pfSense firewall itself (em2: 172.16.2.1, VIP: 172.16.2.3).
The pfSense firewall has its default gateway set to the WAN interface. When we capture the traffic, we observe that:
[2.3.3-RELEASE][root@xxxx]/root: tcpdump -n -i em2 icmp and dst 172.16.19.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
10:10:35.958694 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 6, length 64
10:10:36.959840 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 7, length 64
10:10:37.965529 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 8, length 64
The traffic is being sent over the WAN interface.
We added a static route:
172.16.16.0/20 172.16.2.3 UGS 13332 1500 em1
However, now when we ping from any host in the 172.16.0.0/20 network, we encounter the following issue:
xxxxx:~$ ping 172.16.18.4
PING 172.16.18.4 (172.16.18.4) 56(84) bytes of data.
From 172.16.2.1 icmp_seq=1 Redirect Host(New nexthop: 172.16.18.4)
64 bytes from 172.16.18.4: icmp_seq=1 ttl=62 time=4.87 ms
From 172.16.2.1 icmp_seq=2 Redirect Host(New nexthop: 172.16.18.4)
64 bytes from 172.16.18.4: icmp_seq=2 ttl=62 time=5.04 ms
From 172.16.2.1 icmp_seq=3 Redirect Host(New nexthop: 172.16.18.4)
64 bytes from 172.16.18.4: icmp_seq=3 ttl=62 time=5.35 ms
Could you please assist us in resolving this issue?
Thanks!
-
Errata: The LAN interface is em1 (em1: 172.16.2.1, VIP: 172.16.2.3).
em2 is the WAN interface.
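The capture in the post shows the key detail: locally generated pings leave with the WAN address as source. A policy-based IPsec tunnel only encrypts packets whose source and destination both fall inside the phase 2 selectors, so a packet sourced from the WAN address never matches and is routed by the normal table instead. The script below is an added example (not part of the original post or of pfSense): it parses `tcpdump -n` lines, checks each packet against the two phase 2 networks from the post, and picks which of the firewall's own addresses would make a self-originated ping match the selector. The capture lines, the placeholder WAN address 203.0.113.10 (standing in for the redacted "wanip"), the interface table and the function names are all constructed for illustration; it assumes a policy-based (non-VTI) tunnel with selectors 172.16.0.0/20 and 172.16.16.0/20.

```python
import ipaddress
import re

# Phase 2 traffic selectors from the post (local side = pfSense, remote side = FortiGate).
LOCAL_SELECTOR = ipaddress.ip_network("172.16.0.0/20")
REMOTE_SELECTOR = ipaddress.ip_network("172.16.16.0/20")

# Constructed sample lines modelled on "tcpdump -n" output; 203.0.113.10 is a
# placeholder for the redacted WAN address, the others are assumed LAN hosts.
SAMPLE_CAPTURE = """\
10:10:35.958694 IP 203.0.113.10 > 172.16.19.14: ICMP echo request, id 36519, seq 6, length 64
10:10:36.959840 IP 172.16.2.1 > 172.16.19.14: ICMP echo request, id 36520, seq 1, length 64
10:10:37.965529 IP 172.16.5.20 > 172.16.18.4: ICMP echo request, id 36521, seq 1, length 64
10:10:38.100000 IP 172.16.5.20 > 8.8.8.8: ICMP echo request, id 36522, seq 1, length 64
"""

# Assumed interface-to-address map for the firewall itself (from the post's errata).
INTERFACE_ADDRESSES = {"em1": "172.16.2.1", "em2": "203.0.113.10"}

# "<timestamp> IP <src>[.port] > <dst>[.port]: ..." as printed by tcpdump -n.
_LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
)


def matches_tunnel(src, dst, local=LOCAL_SELECTOR, remote=REMOTE_SELECTOR):
    """True when src->dst lies inside both phase 2 selectors, i.e. the packet
    would be handed to IPsec instead of being routed by the plain routing table."""
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)


def audit_capture(text, local=LOCAL_SELECTOR, remote=REMOTE_SELECTOR):
    """Parse tcpdump lines and return (src, dst, verdict) for each packet.

    verdict is "tunnel" when the packet matches the selectors, otherwise a short
    reason naming the side of the selector it falls outside of."""
    results = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip the banner lines tcpdump prints before packets
        src, dst = m.group("src"), m.group("dst")
        if matches_tunnel(src, dst, local, remote):
            verdict = "tunnel"
        elif ipaddress.ip_address(dst) not in remote:
            verdict = "dst outside remote selector"
        else:
            verdict = "src outside local selector"
        results.append((src, dst, verdict))
    return results


def suggest_source(interfaces=INTERFACE_ADDRESSES, local=LOCAL_SELECTOR):
    """Return the firewall's own address that lies inside the local selector, i.e.
    the value to hand to "ping -S" so a self-originated packet matches the tunnel.
    Returns None when no interface address qualifies."""
    for _name, addr in interfaces.items():
        if ipaddress.ip_address(addr) in local:
            return addr
    return None


if __name__ == "__main__":
    for src, dst, verdict in audit_capture(SAMPLE_CAPTURE):
        print(f"{src:>15} -> {dst:<15} {verdict}")
    print("source address to use for ping -S:", suggest_source())
```

Run against the sample, the WAN-sourced echo request is reported as "src outside local selector" while the same destination from the LAN address is "tunnel": the difference is the source address, not the route. On pfSense (FreeBSD) the source can be chosen with `ping -S 172.16.2.1 172.16.19.14`. The ICMP redirects seen after adding the static route are the usual result of pointing a route at a next hop that sits on the same LAN segment as the sending hosts; that is unrelated to the selector check above.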
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.