    Blocking between LAN/IPSec interfaces

    test_monkey

      Hi,
      I have just set up multiple VLAN interfaces on my pfSense box and am having a bit of trouble with traffic being blocked.
      IPsec network = 192.168.2.0/24
      VLAN Interface (OOB) network = 192.168.230.0/24

      I have set a basic allow any rule for both interfaces
      IPv4 * * * * * * none

      Despite this, traffic is still getting blocked with a "Default deny rule IPv4".
      Any ideas as to why the traffic does not match the allow-all rule?
      I have included a log screencap of the blocks I am seeing.
      It looks as if the traffic is able to get from the IPsec interface to LAN but not back.

      Any tips would be much appreciated.
      (attached screenshot: Capture.PNG)

      test_monkey

        As I work more on this I have a possible lead.

        My phase 2 for the IPSec connection specifies the VLAN I am connecting to.
        Right now I have the IPSec server giving my client an address from the network 192.168.2.0/24, and it is connecting me to the VLAN with a network of 192.168.210.0/24.

        The VLAN I am having trouble accessing from the IPSec interface has a network of 192.168.230.0/24 (shows as OOB in the previous log screenshot).
        I assumed that, given the allow-all rules present on each interface, even though IPSec phase 2 specifies that I am connected to the 192.168.210.0/24 network, I would still have access to 192.168.230.0/24.
        Perhaps I am wrong on this.
        As a side note, if I SSH to a host on the 192.168.210.0/24 network, I can use that host to access the 192.168.230.0/24 network without an issue. This leads me to believe I have an issue with how my IPSec server is set up.

        test_monkey

          OK,
          after doing some more research I have found the answer.
          In order to route correctly between VLANs when using an IPSec tunnel, I needed to add additional phase 2 entries on my IPSec server config that specified each additional VLAN I needed to access.

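To illustrate why the allow-all firewall rules never helped here, the following is an added example (not from the original thread and not pfSense or strongSwan code): a simplified model of IPsec phase 2 traffic-selector matching using Python's ipaddress module and the subnets named in the thread, plus a check that lists which VLANs still lack a phase 2 entry. It assumes the server side treats the VLAN subnets as "local" and the client address pool 192.168.2.0/24 as "remote".

```python
import ipaddress
from typing import List, Optional


class Phase2:
    """One IPsec phase 2 entry: the local and remote traffic selectors the child SA carries."""

    def __init__(self, local: str, remote: str) -> None:
        self.local = ipaddress.ip_network(local, strict=True)
        self.remote = ipaddress.ip_network(remote, strict=True)


def matching_entry(entries: List[Phase2], local_ip: str, remote_ip: str) -> Optional[Phase2]:
    """Return the first phase 2 entry whose selectors cover local_ip <-> remote_ip.

    Simplified model: a packet covered by no entry is never put into the tunnel,
    so an allow-all rule on the IPsec interface never gets a chance to apply."""
    lip, rip = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    for e in entries:
        if lip in e.local and rip in e.remote:
            return e
    return None


def is_tunneled(entries: List[Phase2], local_ip: str, remote_ip: str) -> bool:
    return matching_entry(entries, local_ip, remote_ip) is not None


def uncovered_vlans(entries: List[Phase2], vlans: List[str], client_pool: str) -> List[str]:
    """List the VLAN subnets that no phase 2 entry pairs with the client pool.

    Each VLAN returned needs its own phase 2 entry, which is the fix found in the thread."""
    pool = ipaddress.ip_network(client_pool)
    missing = []
    for v in vlans:
        net = ipaddress.ip_network(v)
        if not any(net.subnet_of(e.local) and pool.subnet_of(e.remote) for e in entries):
            missing.append(v)
    return missing


# Subnets taken from the thread; the assignment of local/remote is an assumption.
CLIENT_POOL = "192.168.2.0/24"
VLAN_210 = "192.168.210.0/24"
VLAN_230 = "192.168.230.0/24"   # the OOB VLAN that was unreachable

ORIGINAL_P2 = [Phase2(VLAN_210, CLIENT_POOL)]             # only one phase 2 entry
FIXED_P2 = ORIGINAL_P2 + [Phase2(VLAN_230, CLIENT_POOL)]  # one entry per VLAN
```

Running `uncovered_vlans(ORIGINAL_P2, [VLAN_210, VLAN_230], CLIENT_POOL)` reports the 192.168.230.0/24 VLAN as missing, and the same call against `FIXED_P2` reports nothing.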
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.