LAN Traffic Being Blocked - Rules to Open Exist
-
Hopefully someone can shed some light on my issue.
I have two pfSense routers. One is attached to my 10.0.14.0/24 network. One is attached to a 192.168.2.0/24 network. I can ping, trace and RDP (mostly) in both directions. However I cannot do other major traffic, such as DNS, file sharing, etc. from the 192.168.2.0/24 network into the 10.0.14.0/24 network. I have LAN rules set near the top to allow all traffic. I've been adding rules to allow specific traffic too, to no avail. The Firewall logs show the traffic being blocked, even though I have specifically allowed it to pass. I've even cleared the states.
For example, an RDP session from a PC in the 10.0.14.0/24 subnet will connect and show the remote server, but will periodically lose the connection, just to have it re-establish again in a minute or so. When this happens there are blocked line items in the Firewall logs between the two PC's on the 10.0.14.0/24 router.
Another example, I can see the Windows file shares on the 192.168.2.0/24 subnet, but going the other way (into the 10.0.14.0/24 subnet) the connection gets blocked by the firewall on the same 10.0.14.0/24 router.
Attached are screenshots of the rules and the logs.
I am totally pulling my hair out over this. Can someone shed some light on what I am missing?
Thanks,
Timm
Edit: Both routers/firewalls running pfSense 2.0.1 release.
-
In the first set of logs there is 192.168.3. What network is that? What is the network between the 2 pfSense routers? Do you have the routes set correctly on each side? It seems like a piece of the puzzle is missing.
-
The network on the other side of the VPN is 192.168.0.0/16 (Amazon VPC) with two subnets within, 192.168.2.0/24 (us-east-1b) and 192.168.3.0/24 (us-east-1c) - leaving 192.168.1.0/24 and 192.168.4.0/24 ready for the other two AWS availability zones. These two subnets appear to route through 192.168.0.1, along with using that address for DNS and DHCP.
So for the phase 2 tunnel I used the LAN for the local subnet, and 192.168.0.0/16 for the remote subnet, as I will need to reach both AWS VPC subnets in use now, as well as the two in the future.
When I add phase 2 tunnels for just the 192.168.2.0/24 and 192.168.3.0/24 remote subnets, they never initialize. 192.168.0.0/16 however does.
I'm baffled…
-
What kind of VPN are you using?
-
IPSec VPN to my Amazon VPC network.
-
The 192.168.0/16 includes the other 2 networks, so those would never initialize as the traffic would try to be routed through the 192.168.0.0/16 (Amazon VPC).
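The overlap described in the reply above, as an added check that is not part of the thread: it takes a list of IPsec phase 2 entries (local selector, remote selector) and reports any entry whose selectors are entirely contained in a broader entry, which is the situation the poster hit with 192.168.2.0/24 and 192.168.3.0/24 sitting inside 192.168.0.0/16. The entries below are constructed to mirror the thread.

```python
import ipaddress

# Constructed phase 2 list mirroring the thread: the LAN 10.0.14.0/24 as the
# local selector, and 192.168.0.0/16 plus the two narrower VPC subnets as
# remote selectors.
PHASE2_ENTRIES = [
    ("10.0.14.0/24", "192.168.0.0/16"),
    ("10.0.14.0/24", "192.168.2.0/24"),
    ("10.0.14.0/24", "192.168.3.0/24"),
]


def _contained(inner, outer):
    """True when network `inner` lies entirely within `outer` (same IP version)."""
    return inner.version == outer.version and inner.subnet_of(outer)


def shadowed_entries(entries):
    """Return (narrow_remote, broad_remote) pairs, as strings, for every entry
    whose local AND remote selectors both fit inside another, different entry.
    Such an entry is redundant: traffic matching it already matches the broader
    one, so a phase 2 for the narrower selector has nothing of its own to carry."""
    parsed = [(ipaddress.ip_network(loc), ipaddress.ip_network(rem)) for loc, rem in entries]
    shadowed = []
    for i, (loc, rem) in enumerate(parsed):
        for j, (loc2, rem2) in enumerate(parsed):
            if i == j or (loc, rem) == (loc2, rem2):
                continue
            if _contained(loc, loc2) and _contained(rem, rem2):
                shadowed.append((str(rem), str(rem2)))
                break  # one broader entry is enough to flag it
    return shadowed


if __name__ == "__main__":
    for narrow, broad in shadowed_entries(PHASE2_ENTRIES):
        print(f"phase 2 for {narrow} is shadowed by {broad}")
```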