Netgate Discussion Forum
    Slave unable to reach out via IPSEC tunnel

    chopped_pork

      Hello,

      The subject is intentionally similar to this thread. I have had that problem and now solved it using the guide on the pfSense wiki.

      I have a set of CARP/failover firewalls (with network A behind them). I have set up a tunnel (with the external/WAN CARP IP being the endpoint on this side) to a public/routable subnet (that is, it's a /25 in the public IP space) - network B. I am able to reach everything in network A from network B - I've had issues with the slave but this is now sorted thanks to the outbound NAT rule. I can't reach network B from the firewalls though as they're trying to route the traffic via the Internet rather than over the VPN link. I have managed to solve this for the master firewall by using a LAN source IP. I can't seem to make this work on the slave though.

      One solution I have thought of was adding an outbound NAT rule that is the reverse of the one mentioned in the forum thread and wiki article: NAT anything coming from either firewall to the VPN subnet to the LAN interface. The problem is that this would have to be a WAN rule, and the 'Interface address' alias/option from the drop-down menu is going to resolve to the WAN address. I've also thought of creating some SSH tunnels, but ideally I would like the solution to be simpler and easier to fail over (i.e. implemented in a way where no extra scripts have to be written to successfully fail over the firewalls, apart from the CARP/NAT/HA sync configuration in pfSense).

      Any ideas on how I can make this happen? At the moment I only need this to send some client-side monitoring test results from the slave to the VPN subnet but I imagine there might be some other scenarios where this would be useful.
