Weird IPSEC tunnel issue.
-
Have you tried setting the static port option?
I had a problem where I couldn't connect to VNC clients without the static port. Also, before you try a port redirect: is the direct port-forward working?
Is the firewall rule correct for the port-forward?
NAT is before the firewall. So the rule has to allow the port which is open on the client and not the port which is open on pfSense.
EDIT: d'oh, I kind of totally missed that the traffic is over the IPsec tunnel ^^"
-
There is no need for a static port or NAT through an IPsec tunnel. The reason for using an IPsec tunnel is to securely join two networks together. In the process of doing so, both endpoints know of the remote private networks and can route traffic destined for the remote network via the tunnel. Again, the remote side is running a SonicWall box and I have two boxes to test with on my side, both of which are identical with the exception that one is running m0n0wall and the other pfSense. Both establish the tunnel properly and both have identical rule sets, but the pfSense will refuse to send or receive traffic on only those two IPs that I can tell so far. I haven't tried to connect to more than the 10 IPs I have tested there. There are 70 units there, and I would guess if it is acting up for 2 out of the 10 I have tested thus far there will probably be more that are being blocked. It just so happens that those 2 are vital servers that I need to get to on a daily basis.
-
Check pftop from the shell and/or Diagnostics > States to see what happens to connections to these hosts.
-
I'm surprised, no one has a clue what is causing this??
-
Same problem here.
After resetting the tunnel it works for a while and then dies again.
Hope to see a solution soon
-
Check pftop from the shell and/or Diagnostics > States to see what happens to connections to these hosts.
If you don't know what I'm asking you for and don't provide more info, I can't help you ::)
-
Hi Hoba and all the others….
I think I got the solution:
Check your WAN's MTU on both sides.
In my case I use 2 different ISPs:
1st ISP: T-Systems BAIP 1.3 Mbit synchronous permanent link, MTU 1500
2nd ISP: BREISNET ADSL 800 synchronous PPPoE link, MTU 1450
I just put an MTU of 1450 on the BAIP WAN and RDP works.
Please let me know if this helps.
Thanks, Chris
-
Actually, if this is an MTU problem we might already have fixed it in an upcoming version, where pfSense will handle MTUs a bit differently for traffic inside IPsec tunnels.
http://cvstrac.pfsense.org/chngview?cn=22244
-
OK, nice to hear, but what now?
I need a fast solution, because unfortunately what I posted before is not a stable solution. It works for some time, but every time the ISP changes the routes behind it, it goes down.
-
Try to lower the MTU of the clients that are not working.
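The MTU angle raised above (Chris's WAN at 1500 versus the PPPoE side at 1450, and the advice to lower the client MTU), worked through as an added example that is not code from anyone in this thread: a model of ESP tunnel-mode overhead that shows why a full 1500-byte inner packet cannot traverse a 1450- or 1492-byte WAN without fragmentation, and which inner MTU and TCP MSS would fit. It assumes AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV) and no NAT-T; other cipher suites change the constants.

```python
# Added example: wire size of an ESP tunnel-mode packet (RFC 4303 layout) for a
# given inner IP packet, and the largest inner packet / TCP MSS that fits a WAN
# MTU without fragmenting. Constants assume AES-CBC with HMAC-SHA1-96 (assumption).
OUTER_IPV4_HDR = 20   # new outer IPv4 header added in tunnel mode
NAT_T_UDP_HDR = 8     # extra UDP header when NAT traversal (UDP/4500) is in use
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
TCP_IPV4_HDRS = 40    # IPv4 (20) + TCP (20), used to derive an MSS


def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    # Payload plus trailer is padded up to the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = (OUTER_IPV4_HDR + ESP_HDR + iv_len + inner_len + pad
            + ESP_TRAILER + icv_len)
    if nat_t:
        size += NAT_T_UDP_HDR
    return size


def fits(inner_len, outer_mtu, **kw):
    """True if the encapsulated packet leaves the WAN without fragmentation."""
    return esp_packet_size(inner_len, **kw) <= outer_mtu


def max_inner_len(outer_mtu, **kw):
    """Largest inner IP packet that still fits outer_mtu (scan down from the MTU)."""
    for n in range(outer_mtu, 0, -1):
        if fits(n, outer_mtu, **kw):
            return n
    return 0


def tcp_mss_for(outer_mtu, **kw):
    """TCP MSS a tunnel client should use so full segments never need fragmenting."""
    return max_inner_len(outer_mtu, **kw) - TCP_IPV4_HDRS


if __name__ == "__main__":
    # The thread's case: one WAN at MTU 1500, the other side on PPPoE at 1450.
    for mtu in (1500, 1492, 1450):
        print(mtu, fits(1500, mtu), max_inner_len(mtu), tcp_mss_for(mtu))
```

A 1500-byte RDP segment from a client with a 1500-byte LAN MTU does not fit even a 1500-byte WAN once encapsulated, which is why lowering the client or WAN MTU (or clamping MSS) gets the session working.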