    IPSec tunnel causes pfsense to ignore traffic from one interface

    IPsec
    rainest wrote:

      I'm trying to use a remote machine (let's call it "swan") as a pseudo internet gateway, i.e. my internet-bound traffic would normally flow local machine -> pfsense -> ISP gateway -> internet; with the tunnel it flows local machine -> pfsense -> ISP gateway -> swan -> internet. I've created an IPSec tunnel between the two: pfsense advertises 192.168.0.0/16 and swan advertises 0.0.0.0/0. This works well enough: swan can talk to machines in 192.168.0.0/16, and those machines can talk to internet hosts, which see all traffic as originating from swan.

      pfsense has two LAN interfaces, 192.168.1.1 for wired and 192.168.2.1 for wireless. Both have the same sets of default rules/NAT, though the wired has an additional anti-lockout rule. Everything works fine if the tunnel is down, but if it's up, pfsense ignores traffic originating from 192.168.2.0/24 destined for its addresses, unless it initiated the connection.

      For example, if I set up simple TCP servers using netcat on both pfsense and a host in 192.168.2.0/24 ("bob"), I should be able to establish a connection from pfsense to bob and vice versa, and I can if the tunnel is down: both are able to contact each other and complete the TCP handshake. However, if the tunnel is up, pfsense can successfully connect to/handshake with bob, but if bob tries to initiate a connection, nothing happens. I see bob's SYNs come in if I tcpdump the pfsense wlan interface, but they're never answered. Clearly there's nothing wrong with the link, otherwise I'd never see the packets come in and it wouldn't be possible to establish a connection from pfsense to bob.

      Hosts on the wired interface are able to talk to pfsense just fine. What am I missing/why are hosts on wlan ignored if the IPSec tunnel is up?
