No traffic from pfsense itself.
-
I have the configuration shown in the picture, and everything works like a charm: internet access, OpenVPN, IPsec with BGP routing.
However, when configuring the proxy with LDAP authentication, I've encountered a problem. The pfSense itself is unable to reach the Active Directory at AWS, not only this, but nothing on any subnet there (no ping, no traceroute to the first hop, nothing). This issue occurs only from the pfSense itself.
It's not the security group at the AWS side, as I've tested with "all traffic," and other hosts on the same pfSense subnet (and others at the enterprise side, even openvpn) can access it with no problem.
I've checked the firewall logs, and no blocks are shown from the pfSense LAN IP to any subnet on the AWS side.
Any advice?
-
@bonilha
You will have to configure a Static Route Workaround to access a service on the remote site from pfSense itself.
-
@viragomann Hello!
Thank you for your reply, but it doesn't apply to my case. In fact, as I see it, it doesn't make sense.
I use dynamic routing (BGP) / VTI for the IPsec VPN site-to-site on AWS. The article says that it does not apply to VTI (dynamic routing), and it's correct.
The on-premises network also uses BGP (from a Cisco device).
The Cisco router at the on-premises site propagates routes to pfSense, and the AWS VPN site-to-site does the same. Adding a static route in this scenario would render the dynamic routing and its redundancy useless.
And this scenario is giving me headaches because everything does what it's supposed to do, except pfSense itself.
-
@bonilha
That's correct, this is not useful for a VTI IPsec connection. But you didn't mention that it's a VTI before. So in this case, the static route should be sufficient to route traffic from pfSense itself to the remote site.