Netgate Discussion Forum

Why can't I query SNMP, use syslog, NTP

Routing and Multi WAN
5 Posts 2 Posters 1.9k Views

    alfredo
    last edited by Jan 30, 2012, 9:13 PM

    Dear Forum,

    We set up a successful tunnel between 2 pfsense boxes and their subnets.

    We cannot ping to the subnet in the tunnel, and found this article:

    http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

    Our local subnet is 10.18.1.0/24 with pfsense at .1
    Our remote subnet is 10.5.1.0/24 with pfsense at .1

    Could not quite figure out the parameters to set from that article, but tried:

    • added gateway in (System:Gateways): BackToLan - LAN - 10.18.1.1
    • added route in (System:Static Routes): 10.5.1.0/24 - BackToLan - LAN

    Now ping shows weird errors, e.g.:

    gt3:~ dennis$ ping 10.5.1.201
    PING 10.5.1.201 (10.5.1.201): 56 data bytes
    36 bytes from fw-office.webappz.int (10.18.1.1): Redirect Host(New addr: 10.5.1.201)
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  00 0054 a2d8  0 0000  40  01 c029 10.18.1.200  10.5.1.201

    Request timeout for icmp_seq 0
    36 bytes from fw-office.webappz.int (10.18.1.1): Redirect Host(New addr: 10.5.1.201)
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  00 0054 abb5  0 0000  40  01 b74c 10.18.1.200  10.5.1.201

    Please help. Thanks.

      cmb
      last edited by Jan 30, 2012, 11:31 PM

      Your description of the route seems ok, but those redirects indicate it's not. You don't need a route at all for LAN to LAN traffic to function, only for traffic initiated by the firewall itself and only where you don't specify the source IP. Sounds like you have something else wrong there, maybe missing firewall rules on IPsec.

        alfredo
        last edited by Jan 31, 2012, 12:39 AM

        Hi Cmb,

        Thanks for your response. So we don't need to do this gateway+route trick for inter-tunnel pings?
        The ping was from a local machine to a remote machine. Before the trick, it would give 100% packet loss only.
        Like mentioned before, the other tunnel traffic has worked fine, even before we put this silly trick in.

        In Firewall: Rules: IPSec, we have
            TCP - 10.5.1.0/24 - * - * - * - * - none -  - Tunnel

        Please help in getting ping, snmp, etc. working through the tunnel. Thanks.

          cmb
          last edited by Jan 31, 2012, 12:45 AM

          First get rid of the static route as that isn't needed to ping and if it's wrong as it looks to be it may be breaking things.

          Check if the traffic is getting blocked in the firewall logs, if it is, your IPsec rules aren't permitting the traffic.

            alfredo
            last edited by Jan 31, 2012, 2:15 AM

            :)
            Hi cmb,

            Yes; that was the problem.

            I got rid of the silly route and gateway, and changed the IPSec rule to protocol any (*) instead of just TCP, and that solved it. Maybe pfSense could recommend 'any' as a default protocol for IPSec firewall rules.

            Thanks so much.

            Alfredo
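
The fix in the last post, as an added example that is not part of the thread or of pfSense: a small first-match model of pfSense-style rules on the IPsec tab, with default deny when nothing matches, run over constructed sample traffic. It shows why the 'TCP - 10.5.1.0/24 - *' rule from the third post drops ping, SNMP, syslog and NTP arriving over the tunnel while a protocol 'any' rule passes them; the subnets are from the thread, the hosts and ports in SAMPLE_TRAFFIC are constructed.

```python
# Added example, not pfSense code: first-match evaluation of pfSense-style
# rules on the IPsec interface, with pfSense's default deny when no rule
# matches. Subnets come from the thread; the sample hosts/ports are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str           # 'tcp', 'udp', 'icmp' or 'any' (the '*' in the GUI)
    src: str             # CIDR or '*'
    dst: str             # CIDR or '*'
    action: str = "pass"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0       # 0 for ICMP, which has no port

def _in_net(addr: str, net: str) -> bool:
    return net == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst))

def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """Action of the first matching rule; 'block' if none matches (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

# Constructed traffic arriving from the remote subnet over the tunnel.
SAMPLE_TRAFFIC = {
    "ping":   Packet("icmp", "10.5.1.201", "10.18.1.200"),
    "snmp":   Packet("udp", "10.5.1.1", "10.18.1.1", 161),
    "syslog": Packet("udp", "10.5.1.1", "10.18.1.1", 514),
    "ntp":    Packet("udp", "10.5.1.1", "10.18.1.1", 123),
    "ssh":    Packet("tcp", "10.5.1.201", "10.18.1.200", 22),
}
TCP_ONLY_RULESET = [Rule("tcp", "10.5.1.0/24", "*")]   # rule from the third post
ANY_PROTO_RULESET = [Rule("any", "10.5.1.0/24", "*")]  # fix from the last post

def audit(rules: list[Rule]) -> dict[str, str]:
    """Map each sample flow to the action the ruleset takes on it."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}
```

Running audit() on both rulesets shows only the TCP flow passing under the original rule and every flow passing under the corrected one, which is the behaviour the thread describes.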
