Netgate Discussion Forum
    Why can't I query SNMP, use syslog, NTP

    Category: Routing and Multi WAN
    5 Posts, 2 Posters, 1.9k Views
    alfredo:

      Dear Forum,

      We set up a successful tunnel between 2 pfsense boxes and their subnets.

      We cannot ping to the subnet in the tunnel, and found this article:

      http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

      Our local subnet is 10.18.1.0/24 with pfsense at .1
      Our remote subnet is 10.5.1.0/24 with pfsense at .1

      Could not quite figure out the parameters to set from that article, but tried:

      • added gateway in (System:Gateways): BackToLan - LAN - 10.18.1.1
      • added route in (System:Static Routes): 10.5.1.0/24 - BackToLan - LAN

      Now ping shows weird errors, e.g.:

      gt3:~ dennis$ ping 10.5.1.201
      PING 10.5.1.201 (10.5.1.201): 56 data bytes
      36 bytes from fw-office.webappz.int (10.18.1.1): Redirect Host(New addr: 10.5.1.201)
      Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
      4  5  00 0054 a2d8  0 0000  40  01 c029 10.18.1.200  10.5.1.201

      Request timeout for icmp_seq 0
      36 bytes from fw-office.webappz.int (10.18.1.1): Redirect Host(New addr: 10.5.1.201)
      Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
      4  5  00 0054 abb5  0 0000  40  01 b74c 10.18.1.200  10.5.1.201

      Please help. Thanks.

      cmb:

        Your description of the route seems ok, but those redirects indicate it's not. You don't need a route at all for LAN to LAN traffic to function, only for traffic initiated by the firewall itself and only where you don't specify the source IP. Sounds like you have something else wrong there, maybe missing firewall rules on IPsec.

        alfredo:

          Hi Cmb,

          Thanks for your response. So we don't need to do this gateway+route trick for inter-tunnel pings?
          The ping was from a local machine to a remote machine. Before the trick, it would give 100% packet loss only.
          As mentioned before, the other tunnel traffic has worked fine, even before we put this silly trick in.

          In Firewall: Rules: IPSec, we have
              TCP - 10.5.1.0/24 - * - * - * - * - none -  - Tunnel

          Please help in getting ping, snmp, etc. working through the tunnel. Thanks.

          cmb:

            First get rid of the static route, as that isn't needed to ping, and if it's wrong, as it looks to be, it may be breaking things.

            Check if the traffic is getting blocked in the firewall logs, if it is, your IPsec rules aren't permitting the traffic.

            alfredo:

              :)
              Hi cmb,

              Yes; that was the problem.

              I got rid of the silly route and gateway, and changed the IPSec rule for protocol any (*) instead of just TCP, and that solved it. Maybe, pfsense could recommend 'any' as a default protocol for IPSec firewall rules.

              Thanks so much.

              Alfredo

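As an added example (not from the thread or from pfSense), the Python below decodes the IP header dumps that ping printed in the first post, verifies their header checksums, and evaluates the decoded packets against an IPsec rule that permits only TCP versus one that permits any protocol, which is the fix reached in the last post. The dump lines are copied from the thread; the rule model is a simplified stand-in for pfSense's protocol match and is an assumption of this example.

```python
import ipaddress
import struct

# Copied from the "Vr HL TOS Len ID Flg off TTL Pro cks Src Dst" lines ping printed
# with each ICMP Redirect in the thread (constructed input for this example).
REDIRECT_DUMPS = [
    "4  5  00 0054 a2d8  0 0000  40  01 c029 10.18.1.200  10.5.1.201",
    "4  5  00 0054 abb5  0 0000  40  01 b74c 10.18.1.200  10.5.1.201",
]

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_dump(line):
    """Split one ping header dump into fields (hex columns as ping prints them)."""
    vr, hl, tos, ln, pid, flg, off, ttl, pro, cks, src, dst = line.split()
    return {
        "version": int(vr), "ihl": int(hl), "tos": int(tos, 16), "length": int(ln, 16),
        "id": int(pid, 16), "flags": int(flg, 16), "offset": int(off, 16),
        "ttl": int(ttl, 16), "proto": int(pro, 16), "checksum": int(cks, 16),
        "src": src, "dst": dst,
    }

def header_bytes(h):
    """Rebuild the 20-byte IPv4 header with the checksum field zeroed."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (h["version"] << 4) | h["ihl"], h["tos"], h["length"], h["id"],
        (h["flags"] << 13) | h["offset"], h["ttl"], h["proto"], 0,
        ipaddress.IPv4Address(h["src"]).packed, ipaddress.IPv4Address(h["dst"]).packed,
    )

def ipv4_checksum(data):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rule_permits(rule_proto, pkt_proto):
    """Simplified pfSense-style match: 'TCP' hits only protocol 6, '*' (any) hits everything."""
    return rule_proto == "*" or PROTO_NAMES.get(pkt_proto) == rule_proto

def analyse(line, rule_proto):
    """Decode a dump, confirm the header is intact, and apply the rule's protocol match."""
    h = parse_dump(line)
    h["checksum_ok"] = ipv4_checksum(header_bytes(h)) == h["checksum"]
    h["proto_name"] = PROTO_NAMES.get(h["proto"], str(h["proto"]))
    h["permitted"] = rule_permits(rule_proto, h["proto"])
    return h
```

Both dumps decode as ICMP (protocol 0x01) echo traffic from 10.18.1.200 to 10.5.1.201 with valid checksums, so the packets themselves were fine; a rule matching only TCP never permits them, while the "any" rule does.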
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.