Internet access from remote site



  • Hi,

    we are currently running pfsense 1.2.3-RC1 on 2 sites: 1 Head Office (HQ) and a remote site.
    The 2 sites are linked using IPsec over a radio link. The only internet access is provided at the HQ.

    I'd like to give Internet access to the remote site via the HQ.
    So far, the 2 sites are connected properly, i.e. the routes are ok.
    Using tcpdump on the HQ OPT1 interface, I can see DNS/HTTP requests coming from the remote site but nothing is coming back.

    HQ
    LAN - Lan subnet
    WAN - Internet connection
    OPT1 - link to remote location

    Remote site
    LAN - Lan subnet
    WAN - link to HQ

    Are there, on the HQ router, any NAT (outbound?) settings or specific routes to be added for the packets to be forwarded from the OPT1 interface to the WAN and then to the Internet?

    Thanks,
    Bastien



  • Can you post your rules? (specifically outbound)



  • Hi,

    and thanks !

    the only outbound rules I have are the ones automatically generated by pfsense:
    Firewall: NAT: Outbound -> Automatic outbound NAT rule generation (IPsec passthrough)

    Here they are, on my HQ pfSense router. (41.211.4.132 is the remote IPSec router)

    pfsense:~#  pfctl -s all | grep outbound
    pass out quick on vr1 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
    pass out quick on ng0 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
    pass out quick on vr1 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
    pass out quick on ng0 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
    pass out quick on vr2 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
    pass out quick on vr2 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
    pass out quick on vr3 inet proto udp from any to 41.211.4.132 port = isakmp keep state label "IPSEC: - outbound isakmp"
    pass out quick on vr3 inet proto esp from any to 41.211.4.132 keep state label "IPSEC: - outbound esp proto"
    IPSEC: - outbound isakmp 759 0 0 0 0 0 0
    IPSEC: - outbound isakmp 759 0 0 0 0 0 0
    IPSEC: - outbound esp proto 759 0 0 0 0 0 0
    IPSEC: - outbound esp proto 759 0 0 0 0 0 0
    IPSEC: - outbound isakmp 759 0 0 0 0 0 0
    IPSEC: - outbound esp proto 0 0 0 0 0 0 0
    IPSEC: - outbound isakmp 759 0 0 0 0 0 0
    IPSEC: - outbound esp proto 0 0 0 0 0 0 0



  • Hi,

    for those who might be interested, the problem has been solved by creating an OUTBOUND rule for the OPT1 subnet on the HQ router.

    Bastien
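
As an added illustration, not part of the thread: pf only translates traffic leaving the WAN when its source matches an outbound NAT rule, so this check parses `pfctl -s nat` output and lists source subnets that no general NAT rule on the WAN interface covers. The sample output, the use of `vr1` as the WAN interface and both subnets are constructed placeholders, not values from the posts.

```python
import ipaddress

# Constructed sample of `pfctl -s nat` output (placeholder interface and subnets).
SAMPLE_NAT_RULES = """\
nat on vr1 inet from 192.168.1.0/24 to any port = isakmp -> (vr1) port 500 round-robin
nat on vr1 inet from 192.168.1.0/24 to any -> (vr1) port 1024:65535 round-robin
rdr on vr1 inet proto tcp from any to any port = http -> 192.168.1.10
"""

def parse_nat_rules(text):
    """Return (interface, source network, is_general) for each parsable nat rule.
    is_general is True when the destination is plain `any` with no port filter."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["nat", "on"] or not {"from", "to", "->"} <= set(tok):
            continue  # rdr/binat lines and forms without an explicit source
        src = tok[tok.index("from") + 1]
        dst_spec = tok[tok.index("to") + 1:tok.index("->")]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src,
                                       strict=False)
        except ValueError:
            continue  # tables, (if:network) and negations are out of scope here
        rules.append((tok[2], net, dst_spec == ["any"]))
    return rules

def uncovered_sources(nat_text, wan_if, sources):
    """List the subnets in `sources` that no general NAT rule on wan_if covers."""
    nets = [net for ifname, net, general in parse_nat_rules(nat_text)
            if ifname == wan_if and general]
    missing = []
    for s in sources:
        s_net = ipaddress.ip_network(s)
        if not any(s_net.version == n.version and s_net.subnet_of(n)
                   for n in nets):
            missing.append(s)
    return missing

if __name__ == "__main__":
    # 10.10.0.0/24 stands in for the subnet reached through OPT1.
    for net in uncovered_sources(SAMPLE_NAT_RULES, "vr1",
                                 ["192.168.1.0/24", "10.10.0.0/24"]):
        print(f"no outbound NAT on vr1 for {net}")
```
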



  • Ah, you beat me to it :)



  • Thanks anyway! Asking me to post the Outbound rules made me think!

