From localhost to remote site



  • Hi!
    I have two sites, 192.168.1.0 and 192.168.10.0, with an IKEv2 IPsec tunnel between them.

    NET 192.168.1.0/24 --- 192.168.1.1 pfSense ----  INTERNET  ----- pfSense 192.168.10.1 --- NET 192.168.10.0/24

    Both pfSense boxes are 2.2.4-RELEASE (amd64) built on Sat Jul 25 19:57:37 CDT 2015 FreeBSD 10.1-RELEASE-p15.

    On pfSense (address 192.168.10.1) I run ping 192.168.1.101 and it gets these results:

    PING 192.168.1.101 (192.168.1.101) from 127.0.0.1: 56 data bytes
    
    --- 192.168.1.101 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    

    But if I run ping -S 192.168.10.1 192.168.1.101 it gets these results:

    PING 192.168.1.101 (192.168.1.101) from 192.168.10.1: 56 data bytes
    64 bytes from 192.168.1.101: icmp_seq=0 ttl=127 time=41.846 ms
    64 bytes from 192.168.1.101: icmp_seq=1 ttl=127 time=42.019 ms
    64 bytes from 192.168.1.101: icmp_seq=2 ttl=127 time=44.452 ms
    
    --- 192.168.1.101 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 41.846/42.772/44.452/1.190 ms
    

    Traffic from localhost is not sent into the IPsec tunnel. How do I fix it?


  • LAYER 8 Netgate

    How do you expect the remote side to route back to 127.0.0.1 when it has a local address of 127.0.0.1?



  • That's the expected behavior, you can't source traffic from 127.0.0.1 and send it anywhere.

    What you're probably wanting is this. Though that has no relation to sourcing from 127.0.0.1, just makes it source the traffic from an IP that will actually traverse the VPN.



  • I will explain.
    On pfSense (192.168.10.1) I installed BIND, and it loads the zone from the server 192.168.1.101.
    The error logs:

    Oct 28 07:05:03	named[96973]: zone xxx.ru/IN/net_10: refresh: retry limit for master 192.168.1.101#53 exceeded (source 0.0.0.0#0)
    Oct 28 07:05:03	named[96973]: zone xxx.ru/IN/net_10: Transfer started.
    Oct 28 07:05:03	named[96973]: zone yyy.ru/IN/net_10: refresh: retry limit for master 192.168.1.101#53 exceeded (source 0.0.0.0#0)
    Oct 28 07:05:03	named[96973]: zone yyy.ru/IN/net_10: Transfer started.
    Oct 28 07:06:18	named[96973]: transfer of 'xxx.ru/IN/net_10' from 192.168.1.101#53: failed to connect: timed out
    Oct 28 07:06:18	named[96973]: transfer of 'xxx.ru/IN/net_10' from 192.168.1.101#53: Transfer completed: 0 messages, 0 records, 0 bytes, 74.999 secs (0 bytes/sec)
    Oct 28 07:06:18	named[96973]: transfer of 'yyy.ru/IN/net_10' from 192.168.1.101#53: failed to connect: timed out
    Oct 28 07:06:18	named[96973]: transfer of 'yyy.ru/IN/net_10' from 192.168.1.101#53: Transfer completed: 0 messages, 0 records, 0 bytes, 74.999 secs (0 bytes/sec)
    

    The scenario is very simple, but is it impossible on pfSense?
    We need additional settings, like this: https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN



  • Hi all!

    Sorry for reactivating this topic, but actually I'm running into the same issue as ronicontora.
    I know this post is old, but I'm wondering a bit whether this is still the case in the current release.

    As far as I know there is no option in the BIND section to map a specific IP or virtual IP for zone transfers.
    It is possible to map an interface for incoming requests, but it seems that it's still not using its own LAN interface to connect to other BIND servers.

    Is there still no possibility, or am I totally wrong?

    My setup is nearly the same as in the initial post, just with other network ranges which are connected over an IPsec tunnel.

    Sorry, but my English is not the best at the moment.

    Thanks in advance for all hints.

    Best regards

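As an added example (not from any post in this thread), here is the BIND side of what the last two posts are looking for: named.conf's `transfer-source`, `notify-source` and `query-source` pin the address a secondary uses toward its master, so the refresh query and the AXFR leave from the LAN IP that the IPsec phase 2 covers instead of the `source 0.0.0.0#0` seen in the log. The zone names, view name and 192.168.x addresses are the thread's own; the file paths are assumed, and it is assumed that the pfSense BIND package lets you add raw named.conf statements through its custom-options fields.

```conf
// Added example, not the thread's own configuration. Zone names and addresses
// come from the posts; "net_10" is the view name visible in the named log lines
// ("zone xxx.ru/IN/net_10"). File paths are assumed.

// Before: no source address is set, so named chooses one itself and the
// packet never matches the IPsec phase 2 (192.168.10.0/24 <-> 192.168.1.0/24),
// which is why the refresh query is logged as coming from 0.0.0.0#0.
view "net_10" {
    zone "xxx.ru" {
        type slave;
        file "/var/named/slave/xxx.ru.db";   // assumed path
        masters { 192.168.1.101; };
    };
};

// After: pin every outbound packet toward the master to the LAN address that
// lies inside the tunnel's local subnet, the same thing `ping -S 192.168.10.1`
// did by hand in the first post.
view "net_10" {
    query-source    address 192.168.10.1;    // SOA refresh queries (UDP 53)
    transfer-source 192.168.10.1;            // AXFR/IXFR toward the master (TCP 53)
    notify-source   192.168.10.1;            // NOTIFY messages and their replies

    zone "xxx.ru" {
        type slave;
        file "/var/named/slave/xxx.ru.db";   // assumed path
        masters { 192.168.1.101; };
    };
    zone "yyy.ru" {
        type slave;
        file "/var/named/slave/yyy.ru.db";   // assumed path
        masters { 192.168.1.101; };
    };
};
```

Run `named-checkconf` before reloading; the master at 192.168.1.101 must also allow transfers from 192.168.10.1 (`allow-transfer`) for the AXFR to complete.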
