Why can't I query SNMP, use syslog, NTP



  • Dear Forum,

    We set up a successful tunnel between 2 pfsense boxes and their subnets.

    We cannot ping to the subnet in the tunnel, and found this article:

    http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

    Our local subnet is 10.18.1.0/24 with pfsense at .1
    Our remote subnet is 10.5.1.0/24 with pfsense at .1

    Could not quite figure out the parameters to set from that article, but tried:

    • added gateway in (System:Gateways): BackToLan - LAN - 10.18.1.1
    • added route in (System:Static Routes): 10.5.1.0/24 - BackToLan - LAN

    Now ping shows weird errors, e.g.

    gt3:~ dennis$ ping 10.5.1.201
    PING 10.5.1.201 (10.5.1.201): 56 data bytes
    36 bytes from fw-office.webappz.int (10.18.1.1): Redirect Host(New addr: 10.5.1.201)
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  00 0054 a2d8  0 0000  40  01 c029 10.18.1.200  10.5.1.201

    Request timeout for icmp_seq 0
    36 bytes from fw-office.webappz.int (10.18.1.1): Redirect Host(New addr: 10.5.1.201)
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  00 0054 abb5  0 0000  40  01 b74c 10.18.1.200  10.5.1.201

    Please help. Thanks.



  • Your description of the route seems ok, but those redirects indicate it's not. You don't need a route at all for LAN to LAN traffic to function, only for traffic initiated by the firewall itself and only where you don't specify the source IP. Sounds like you have something else wrong there, maybe missing firewall rules on IPsec.



  • Hi Cmb,

    Thanks for your response. So we don't need to do this gateway+route trick for inter-tunnel pings?
    The ping was from a local machine to a remote machine. Before the trick, it would give 100% packet loss only.
    As mentioned before, the other tunnel traffic has worked fine, even before we put this silly trick in.

    In Firewall: Rules: IPSec, we have
        TCP - 10.5.1.0/24 - * - * - * - * - none -  - Tunnel

    Please help in getting ping, snmp, etc. working through the tunnel. Thanks.



  • First, get rid of the static route, as that isn't needed to ping, and if it's wrong, as it looks to be, it may be breaking things.

    Check if the traffic is getting blocked in the firewall logs; if it is, your IPsec rules aren't permitting the traffic.



  • :)
    Hi cmb,

    Yes; that was the problem.

    I got rid of the silly route and gateway, and changed the IPSec rule to protocol any (*) instead of just TCP, and that solved it. Maybe pfsense could recommend 'any' as a default protocol for IPSec firewall rules.

    Thanks so much.

    Alfredo
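
The fix in this thread comes down to first-match rule evaluation: a pass rule restricted to TCP never matches ICMP echo or UDP SNMP, so those packets fall through to the implicit default deny. The following is an added illustration, not code from the thread or from pfSense itself; it is a deliberately simplified, stateless model of first-match evaluation with a constructed ruleset mirroring the TCP-only rule quoted above (pass TCP from 10.5.1.0/24 to anything) and its "any" replacement, run over constructed sample packets. Rule fields, packet fields and the sample addresses are assumptions for the example.

```python
"""Simplified first-match firewall rule model (added example, not pfSense code).

Models the IPsec-tab rules from the thread: a TCP-only pass rule versus a
protocol "any" pass rule, and shows which sample packets each one admits.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dst_port: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None   # None for protocols without ports (ICMP)


def _net_match(cidr: str, ip: str) -> bool:
    """True when the address is inside the rule's network (or the rule says any)."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when protocol, source, destination and port all agree."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not _net_match(rule.src, pkt.src) or not _net_match(rule.dst, pkt.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# Constructed rulesets: the TCP-only rule from the thread, and the "any" fix.
TCP_ONLY_RULES = [Rule("pass", "tcp", "10.5.1.0/24", "any")]
ANY_RULES = [Rule("pass", "any", "10.5.1.0/24", "any")]

# Constructed sample traffic arriving from the remote subnet (10.5.1.0/24)
# toward the local subnet (10.18.1.0/24), plus one stray packet from outside
# the tunnel's subnets to show that "any" protocol still limits the source.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "icmp_echo": Packet("icmp", "10.5.1.201", "10.18.1.200"),
    "snmp_get": Packet("udp", "10.5.1.201", "10.18.1.1", dst_port=161),
    "ssh": Packet("tcp", "10.5.1.201", "10.18.1.200", dst_port=22),
    "stray": Packet("icmp", "192.0.2.9", "10.18.1.200"),
}


def check_ruleset(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against a ruleset; returns name -> action."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("TCP only", TCP_ONLY_RULES), ("any", ANY_RULES)):
        print(f"--- rule protocol: {label} ---")
        for name, action in check_ruleset(rules).items():
            print(f"{name:10s} {action}")
```

Under the TCP-only ruleset only the SSH packet passes; ping and SNMP are blocked, which is exactly the symptom reported in the thread. Under the "any" ruleset all three tunnel packets pass while the stray packet from 192.0.2.9 is still blocked, so widening the protocol does not widen the allowed source networks.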

