Netgate Discussion Forum

Internet access from remote site (NAT)
6 Posts 2 Posters 2.4k Views
      joyfulway

      Hi,

      We are currently running pfSense 1.2.3-RC1 on 2 sites: 1 Head Office (HQ) and a remote site.
      The 2 sites are linked using IPsec over a radio link. The only Internet access is provided at the HQ.

      I'd like to give Internet access to the remote site via the HQ.
      So far, the 2 sites are connected properly, i.e. the routes are OK.
      Using tcpdump on the HQ OPT1 interface, I can see DNS/HTTP requests coming from the remote site, but nothing is coming back.

      HQ
      LAN - LAN subnet
      WAN - Internet connection
      OPT1 - link to remote location

      Remote site
      LAN - LAN subnet
      WAN - link to HQ

      Is there, on the HQ router, any NAT (outbound?) setting or specific route to be added for the packets to be forwarded from the OPT1 interface to the WAN and then to the Internet?

      Thanks,
      Bastien

        danswartz

        Can you post your rules? (specifically outbound)

          joyfulway

          Hi, and thanks!

          The only outbound rules I have are the ones automatically generated by pfSense:
          Firewall: NAT: Outbound -> Automatic outbound NAT rule generation (IPsec passthrough)

          Here they are, on my HQ pfSense router (41.211.4.132 is the remote IPsec router):

          pfsense:~#  pfctl -s all | grep outbound
          pass out quick on vr1 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
          pass out quick on ng0 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
          pass out quick on vr1 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
          pass out quick on ng0 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
          pass out quick on vr2 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
          pass out quick on vr2 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
          pass out quick on vr3 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
          pass out quick on vr3 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
          IPSEC: - outbound isakmp 759 0 0 0 0 0 0
          IPSEC: - outbound isakmp 759 0 0 0 0 0 0
          IPSEC: - outbound esp proto 759 0 0 0 0 0 0
          IPSEC: - outbound esp proto 759 0 0 0 0 0 0
          IPSEC: - outbound isakmp 759 0 0 0 0 0 0
          IPSEC: - outbound esp proto 0 0 0 0 0 0 0
          IPSEC: - outbound isakmp 759 0 0 0 0 0 0
          IPSEC: - outbound esp proto 0 0 0 0 0 0 0

            joyfulway

            Hi,

            For those who might be interested, the problem has been solved by creating an OUTBOUND rule for the OPT1 subnet on the HQ router.

            Bastien
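What that fix looks like at the pf level, as an added example that is not taken from the thread: the automatic (IPsec passthrough) rules shown above only cover isakmp/esp to the tunnel endpoint, so packets from the remote LAN left the HQ WAN with their private source address and the replies had nowhere to go. Assumptions: vr1 is the HQ WAN interface (the thread never says which of vr1/ng0/vr2/vr3 is WAN), and 192.168.2.0/24 is a constructed placeholder for the remote site's LAN subnet; in the pfSense 1.2.x GUI the equivalent is Firewall: NAT: Outbound, switch to Manual Outbound NAT rule generation (AON), then add a rule on WAN with the remote subnet as source.

```pf
# Added example, not from the thread. Assumptions: vr1 = HQ WAN interface,
# 192.168.2.0/24 = constructed placeholder for the remote site's LAN subnet.

# Before: the only NAT-related state the automatic IPsec passthrough mode
# produces is filter rules for the tunnel endpoint itself (41.211.4.132).
# Nothing translates the remote LAN, so its packets exit vr1 unNATed.
pass out quick on vr1 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
pass out quick on vr1 inet proto esp  from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"

# After: the missing outbound NAT rule for the remote subnet on the WAN.
# "(vr1)" resolves to the interface's current address at match time, so the
# rule survives a WAN address change. This is what "creating an OUTBOUND
# rule for the OPT1 subnet" adds.
nat on vr1 inet from 192.168.2.0/24 to any -> (vr1)

# Verification after reload (run on the HQ box):
#   pfctl -s nat                      # the nat rule must be listed here
#   pfctl -s state | grep 192.168.2.  # translated states appear as the
#                                     # remote site browses
```

Note that `pfctl -s all | grep outbound` only matches rule labels containing the word "outbound"; NAT rules carry no such label, so `pfctl -s nat` is the check that actually shows whether a subnet is translated.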

              danswartz

              Ah, you beat me to it :)

                joyfulway

                Thanks anyway! Asking me to post the outbound rules made me think!
