Large Subnet Routing Issue



  • Hi,

    after updating from 2.1.5 to 2.2 our IPSec tunnel had multiple issues.
    I stripped it down to using one P2 (multiple P2 on ikev1 didn't work anymore) entry which is fine using a large subnet 172.16.0.0/15.
    For clients in LAN only traffic in the 172.16.X.X range is getting through the tunnel, traffic for 172.17.X.X is not passing.
    Firewall is set to allow all traffic from LAN to everywhere.

    The tunnel works, if I login to pfSense via SSH and use ping with the LAN sender address I can ping the 172.17.X.X range.

    Does anyone have an idea what is going on?

    Thanks
    Sven



  • VPN clearly works in that case. Ping across from a client on the LAN and trace the traffic - packet capture on LAN, see if it's there. Then on IPsec interface. If it's on both of those, then start looking at the remote end as it's probably dropping the traffic in question since you do see it leaving that end.

    The last of the multi-P2 issues that still exist in 2.2.2 seem to be fixed by applying this:
    https://github.com/pfsense/pfsense/commit/afd0c1f2c9c46eaa8e496e98bea8a8e0887d504f
    if you do need to go back to using multiple P2s for some reason. The symptoms as you describe them wouldn't be reason to do so given the VPN works, more FYI.



I traced the traffic: I can capture it on the LAN, but it never shows up on the IPSec interface.
    So the problem must be local to the pfSense 2.2.2.

    Thanks for the info for the multi P2, it is not necessarily required if it works with the large subnet in a single P2.

    Any other ideas to find the problem?
I double checked all firewall rules. I also temporarily added an allow-all-to-all rule on LAN and IPSec in the firewall, but that didn't help either.



I found the issue: it was a typo on my side with the subnet masks in one of my aliases I used in a firewall rule.
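The root cause in this thread (a firewall alias whose mask did not cover the whole P2 network, so 172.17.x.x never matched the rule) is easy to catch with an offline check before traffic is sent. The following Python is an added example written for this page, not code from the thread or from pfSense. The alias names, the /16 typo and the sample destination address are constructed assumptions; the P2 network 172.16.0.0/15 is the one the poster used.

```python
"""Audit firewall-alias networks against an IPsec Phase 2 remote subnet.

Added example (not from the pfSense project). It reports which parts of the
P2 network are not covered by an alias and whether a given destination would
match a rule that uses that alias.
"""
import ipaddress
from typing import Iterable

# Constructed sample data: the P2 remote network from the thread and two
# hypothetical aliases. REMOTE_SITES_TYPO carries the mask typo (/16 instead
# of /15); REMOTE_SITES_FIXED is the corrected version.
P2_REMOTE = "172.16.0.0/15"
ALIASES = {
    "REMOTE_SITES_TYPO": ["172.16.0.0/16"],
    "REMOTE_SITES_FIXED": ["172.16.0.0/15"],
}


def uncovered_ranges(p2_net: str, alias_nets: Iterable[str]) -> list[str]:
    """Return the parts of p2_net that no alias network covers, as sorted CIDRs.

    CIDR blocks are either nested or disjoint, so each remaining chunk is
    either fully inside an alias network, fully contains it, or untouched.
    """
    remaining = [ipaddress.ip_network(p2_net, strict=False)]
    for cidr in alias_nets:
        net = ipaddress.ip_network(cidr, strict=False)
        next_remaining = []
        for chunk in remaining:
            if chunk.subnet_of(net):
                continue  # chunk fully covered by this alias entry
            if net.subnet_of(chunk):
                # alias entry covers only part of the chunk: keep the rest
                next_remaining.extend(chunk.address_exclude(net))
            else:
                next_remaining.append(chunk)  # disjoint, still uncovered
        remaining = next_remaining
    return sorted(str(n) for n in ipaddress.collapse_addresses(remaining))


def rule_matches(dst: str, alias_nets: Iterable[str]) -> bool:
    """True if a rule whose destination is this alias would match dst."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in alias_nets)


def audit(p2_net: str, aliases: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each alias name to the CIDRs of p2_net it fails to cover."""
    return {name: uncovered_ranges(p2_net, nets) for name, nets in aliases.items()}


if __name__ == "__main__":
    for name, gaps in audit(P2_REMOTE, ALIASES).items():
        status = "OK" if not gaps else f"GAP: {', '.join(gaps)}"
        print(f"{name:<20} {status}")
    # A host in the second half of the /15, as in the thread's symptom.
    print("172.17.5.10 matches typo alias:", rule_matches("172.17.5.10", ALIASES["REMOTE_SITES_TYPO"]))
```

Run it and the typo alias reports 172.17.0.0/16 as uncovered, which is exactly the range that never reached the tunnel; the corrected alias reports no gap. The same check applies to any alias used in a rule that is supposed to cover a whole P2 network.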