Netgate Discussion Forum
    PfSense woes with new tunnel – packets going out WAN instead of through the tun

    IPsec
    4 Posts 3 Posters 1.1k Views
      breakaway

      Hi All,

      I've got two routers at two sites with a bunch of IPSEC tunnels – a bunch of 172.16.0.0/16 (Local Site) and 172.17.0.0/16 (Remote Site) subnets. These IPSEC tunnels work fine between the local and remote sites. I am now required to add a new tunnel, this time with a different subnet.

      The local subnet is 192.168.2.0/24; the remote subnet (which I added and configured at the remote pfSense) is 192.168.3.0/24.
      So I duplicated the PHASE 2 config and put all the settings in. The tunnel came up all fine and dandy. But when I try to ping 192.168.2.1 (pfsense at local end) from the remote end, I get destination host unreachable. So I trace it -- which shows that the packets are going out the WAN interface of my pfSense (i.e. my internet connection/default gateway).

      This happens at both ends -- both the local site and the remote sites. The packets are being forwarded out the default gateway instead of being sent through the tunnel.

      Any ideas on why this may be the case? I've double and triple checked the configs - I'm sure they're correct. Is it something simple that I may have missed?

      I've already tried the simple stuff like restarting racoon and restarting pfsense at both ends.

      Any help appreciated.

        dew67

        If the phase I settings are good but the phase 2 settings don't match, the second tunnel won't come up. If the tunnel is down I expect the packets would route through the WAN interface.

        Under Status –> IPsec does it show the tunnel between 192.168.2.0 and 192.168.3.0 is up? If no, then check the IPSec logs to determine why the tunnel is not coming up.

          breakaway

          Hi,

          Yes – the tunnel is definitely coming up (I've got a Green ">" next to the tunnel name) -- but yet the packets are going out WAN.

          I'm at a loss as to what this could be!

            moo82

            Sorry if these are very basic steps.

            You say 192.168.2.1 is the local end pfsense. Is this a virtual IP on a relevant interface? Is the network mask 24 bit, or something else?

            I assume 192.168.3.1 is the remote end pfsense. Is this a virtual IP on a relevant interface? Is the network mask 24 bit? Replace 192.168.3.1 with whatever 192.168.3.x IP the remote end pfsense uses, if different.

            When the tunnel is up, try ping from the shell on local end pfsense.

            ping -c 1 192.168.2.1
            ping -c 1 -S 192.168.2.1 192.168.3.1

            Same from remote end shell:
            ping -c 1 192.168.3.1
            ping -c 1 -S 192.168.3.1 192.168.2.1

            The responses from ping could be informative. "Communication prohibited by filter" is logical if the packets leave via the WAN interface, and this interface blocks private networks.

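An added example, not part of this thread and not pfSense or racoon code, modelling the mechanism behind moo82's ping checks. Policy-based IPsec on pfSense does not send traffic into a tunnel through the routing table: the kernel compares each packet's (source, destination) pair against the Phase 2 selectors, and a packet that matches no selector follows the ordinary routing table, i.e. the default gateway on WAN, even while Status -> IPsec shows the tunnel up. The `select_policy` and `next_hop` functions are hypothetical helpers written for this example; the 172.x and 192.168.x networks are the ones from the thread, and the remote WAN address 203.0.113.2 and the /25 mistyped mask are constructed to show the two failure modes moo82 is asking about (wrong source address and wrong mask).

```python
"""Model of outbound IPsec policy (SPD) selection, as configured via pfSense
Phase 2 entries.  Constructed example; addresses outside the thread's subnets
are documentation ranges."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# One Phase 2 entry as configured in pfSense: (local network, remote network).
Phase2 = Tuple[str, str]


def select_policy(src: str, dst: str, phase2_entries: List[Phase2]) -> Optional[Phase2]:
    """Return the first Phase 2 entry whose selectors cover src -> dst, else None.

    Both the source and the destination must fall inside the local/remote
    networks of the same entry; the routing table plays no part in this lookup.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in phase2_entries:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def next_hop(src: str, dst: str, phase2_entries: List[Phase2]) -> str:
    """Describe where a packet goes: into a matching tunnel or out the default route."""
    policy = select_policy(src, dst, phase2_entries)
    if policy is None:
        return "default route (WAN)"
    return f"ipsec tunnel {policy[0]} <-> {policy[1]}"


# Phase 2 entries as seen from the REMOTE pfSense (local side is 192.168.3.0/24).
REMOTE_SITE_P2: List[Phase2] = [
    ("172.17.0.0/16", "172.16.0.0/16"),    # existing, working tunnel
    ("192.168.3.0/24", "192.168.2.0/24"),  # the new tunnel from the thread
]

# Same entries, but with the kind of typo moo82 is probing for: a /25 mask.
REMOTE_SITE_P2_BAD_MASK: List[Phase2] = [
    ("172.17.0.0/16", "172.16.0.0/16"),
    ("192.168.3.0/25", "192.168.2.0/24"),
]

REMOTE_WAN_IP = "203.0.113.2"  # constructed; documentation range


if __name__ == "__main__":
    # `ping -c 1 -S 192.168.3.1 192.168.2.1` from the remote pfSense shell:
    # the source is inside the selector, so the packet is ESP-encapsulated.
    print(next_hop("192.168.3.1", "192.168.2.1", REMOTE_SITE_P2))
    # A plain `ping 192.168.2.1` from the firewall itself picks its source
    # address from the interface the routing table chooses, normally WAN,
    # so the packet misses every selector and leaves unencrypted.
    print(next_hop(REMOTE_WAN_IP, "192.168.2.1", REMOTE_SITE_P2))
    # A LAN host at 192.168.3.200 is outside a mistyped /25 selector.
    print(next_hop("192.168.3.200", "192.168.2.1", REMOTE_SITE_P2_BAD_MASK))
```

The second and third cases are why a tunnel can look healthy and still produce "destination host unreachable" or "communication prohibited by filter": the packet never enters the SPD match, so it is subject to the WAN rules (including the default block of private networks) rather than the IPsec rules. Checking the source address with `-S` and re-reading the masks on both Phase 2 entries isolates which of the two is in play.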
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.