IPSec No traffic passed from LAN but traffic passed from router
I have an IPSec tunnel set up between my WAN IP -> WAN IP in PFSense. If I ping the remote WAN IP from the router I can pass traffic as expected; however, from the LAN I cannot pass any traffic to the far side WAN.
PFSense 2.0 Beta 5
Router WAN 173.x.x.x
Router LAN 192.168.50.0/24
Router IPSec Config
Remote Gateway 67.x.x.x
Local Subnet 173.x.x.x/28
Remote Subnet 206.x.x.x/24
Trying to do LANPC(192.168.50.x) --> PFSense(192.168.50.1) --> IPSec(206.x.x.x) = No Traffic
PFSense(cmd ping -S 173.x.x.x 206.x.x.x) --> IPSec(206.x.x.x) = Traffic
PFSense(cmd ping -S 192.168.50.1 206.x.x.x) --> IPSec(206.x.x.x) = No Traffic
I am thinking I will need to add an additional NIC and a new PFSense box that is not NATing, bring the connection up on that box, then add a rule on the NATing box to point to that interface when I need to talk to the remote WAN, but I am not sure if that is the right way to go or if I can somehow do this inside this single config.
Any help would be awesome.
Have you set up a rule under IPsec to allow all traffic?
I do have a rule set up; however, it is still not passing any traffic if the traffic originates from the LAN interface, only if the traffic is generated from the PFSense box itself.
How are your NAT rules set up?
Is the pfSense box the gateway for the systems on LAN? If you do a packet capture on LAN do you see the traffic from the local machines coming in LAN and still not hitting the tunnel?
That is correct, the PFSense box is the gateway for the LAN.
Config was: PFSense box
NIC1 WAN1 -- VPN to Public Network
NIC2 WAN2 -- Load Balance to WAN1
NIC3 LAN -- Internal Network
Yes, I was able to see the packets on the LAN side but they always tried to go out the WAN1 interface, not the IPSec tunnel. I have added a 2nd PFSense box now and it's working as expected.
NIC1 = WAN1 (/28 Network Public)
NIC2 = WAN2 (/28 Network Public)
NIC3 = VPN Link (/30 Network Public)
NIC4 = LAN (/24 Network Internal)
NIC1 = WAN1 / VPN Public (/28 Network Public)
NIC2 = VPN Link to 1st Server (/30 Network Public)
Now when I send traffic to that subnet, I added a rule to send all traffic out VPNGW on the 1st router, and it's passing it to the VPN box (2nd router), then passing along to the VPN Subnet as expected.
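As an added illustration (not code from the thread or from pfSense), the following Python models the Phase 2 traffic-selector check that decides whether a packet is claimed by the tunnel or falls through to the default route, using constructed stand-ins for the masked 173.x.x.x/28 and 206.x.x.x/24 prefixes; it reproduces the three ping results in the original post and, as a general IPsec point, shows that a Phase 2 whose local subnet covers the LAN would match the LAN traffic.

```python
import ipaddress

# Constructed stand-ins for the masked prefixes in the thread: the router's
# public /28 (173.x.x.x/28), the LAN (192.168.50.0/24) and the far side
# (206.x.x.x/24). Real addresses are not on the page.
PHASE2_LOCAL = ipaddress.ip_network("173.0.0.0/28")
PHASE2_REMOTE = ipaddress.ip_network("206.0.0.0/24")
LAN = ipaddress.ip_network("192.168.50.0/24")


def selects_tunnel(src, dst, local=PHASE2_LOCAL, remote=PHASE2_REMOTE):
    """True when src and dst both fall inside the Phase 2 selectors, i.e. the
    IPsec security policy claims the packet. Anything else is left to the
    ordinary routing table, which here means the WAN1 default route."""
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)


def classify(src, dst, local=PHASE2_LOCAL, remote=PHASE2_REMOTE):
    """Label a flow the way the three ping tests in the thread behaved."""
    if selects_tunnel(src, dst, local, remote):
        return "tunnel"
    return "default route (WAN1)"


def lan_covered(lan=LAN, local=PHASE2_LOCAL):
    """Whether every LAN host's source address lies inside the Phase 2 local
    selector. False explains why LAN-originated packets never hit the tunnel
    while pings sourced from the WAN /28 address did."""
    return lan.subnet_of(local)


if __name__ == "__main__":
    # LAN PC -> remote: not claimed (source outside the /28 local selector)
    print(classify("192.168.50.20", "206.0.0.10"))
    # ping -S <WAN /28 address>: claimed by the tunnel
    print(classify("173.0.0.5", "206.0.0.10"))
    # ping -S 192.168.50.1 from the box itself: same failure as the LAN PC
    print(classify("192.168.50.1", "206.0.0.10"))
    # A Phase 2 with the LAN as its local subnet would match the LAN traffic
    print(classify("192.168.50.20", "206.0.0.10", local=LAN))
```

The same mismatch is what a LAN packet capture shows: the packets arrive on LAN and leave via WAN1 because no IPsec policy matches their 192.168.50.x source.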