Internet access from remote site

joyfulway

Hi,

we are currently running pfsense 1.2.3-RC1 on 2 sites:  1 Head Office (HQ)  and a remote site.
The 2 sites are linked using IPsec over a radio link. The only internet access is provided at the HQ.

I`d like to give Internet access to the remote site via the HQ.
So far, the 2 sites are connected properly i.e the routes are ok.
Using tcpdump on the HQ OPT1 interface, I can see DNS/HTTP requests coming from the remote site but nothing is coming back.

HQ
LAN - Lan subnet
WAN - Internet connexion
OPT1 - link to remote location

Remote site
LAN - Lan subnet
WAN - link to HQ

Is there, on the HQ router, any NAT (outbound ?) settings or specific routes to be added for the packets to be forwarded from the OPT1 interface to the WAN and then to the Internet ?

Thanks,
Bastien

danswartz

can you post your rules?  (specifically outbound)

joyfulway

Hi,

and thanks !

the only outbound rules I have are the ones automatically generated by pfsense:
Firewall: NAT: Outbound -> Automatic outbound NAT rule generation (IPsec passthrough)

Here there are, on my HQ pfSense router. (41.211.4.132 is the remote IPSec router)

pfsense:~#  pfctl -s all | grep outbound
pass out quick on vr1 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
pass out quick on ng0 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
pass out quick on vr1 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
pass out quick on ng0 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
pass out quick on vr2 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
pass out quick on vr2 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
pass out quick on vr3 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
pass out quick on vr3 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
IPSEC: - outbound isakmp 759 0 0 0 0 0 0
IPSEC: - outbound isakmp 759 0 0 0 0 0 0
IPSEC: - outbound esp proto 759 0 0 0 0 0 0
IPSEC: - outbound esp proto 759 0 0 0 0 0 0
IPSEC: - outbound isakmp 759 0 0 0 0 0 0
IPSEC: - outbound esp proto 0 0 0 0 0 0 0
IPSEC: - outbound isakmp 759 0 0 0 0 0 0
IPSEC: - outbound esp proto 0 0 0 0 0 0 0

joyfulway

Hi,

for those who might be interested, the problem has been solved by creating an OUTBOUND rule for the OPT1 subnet on the HQ router.

Bastien

danswartz

Ah, you beat me to it :)

joyfulway

Thanks anyway ! Asking me to post the Outbound rules made me think !