Site2site all traffic is ok except for http/https



  • hey you guys,

    i have an ipsec site2site vpn between two pfsense boxes. I created the firewall rules and i can reach all the devices in site B from site A and the other way around.

    The only problem is: i cannot manage device over http and https. So i cannot manage any accespoint from site A at site B.

    Can anyone help me with this problem?



  • Do you mean you can't access anything on ports 80 or 443 across the connection or that it's just the access points which aren't responding? Do you have any web servers at either end you can test with?



  • i have the same trouble.
    PfSense(192.168.106) - ipsec - D-link DFL 860 E(192.168.100)

    trying to open http web page of printer (192.168.100.52)  from PfSense Lan network(192.168.106.10).
    web page is loading… and nothing happends.

    all other traffic is ok ( RDP , smb Share, SIP )

    If  disable Firewall (System: Advanced: Firewall and NAT) , the page will open...

    Dropping rule: @5(1000000103) block drop in log inet all label "Default deny rule IPv4"










  • yes exaclty the same problem.

    no one has some ideas?



  • nobody?



  • Try to lower the ipsec Advance Setting

    "Enable MSS clamping on VPN traffic"

    Maybe that help's

    Do you have installed a add package ?

    regards

    max



  • It is so weird that you are having the same issue as me. Every other type of traffic is fine. I get an error page saying that it timed out after 60 seconds. I don't actually see anything in the firewall log. The IPSec log is saying that it is sending packets (no surprise there), but nothing too helpful.

    Does anyone have an idea on this?


  • Netgate

    My guess would be default gateways on the devices you cannot manage not being pointed at pfSense.

    Most dumb consumer routers don't support a default gateway when used as an AP connected to its LAN only, etc.

    But if you can ping 192.168.100.52 from the other side just not open its web interface, it's not routing.



  • @MaxHeadroom:

    Try to lower the ipsec Advance Setting

    "Enable MSS clamping on VPN traffic"

    Yes! It's work!
    Enabling this option without any parametr solved my problem
    Thanks!


  • Netgate

    So what does that do? Anyone? And what was the issue?



  • "Enable MSS clamping on VPN traffic" is for lowering the maximum payload in a tcp segment.

    In Ipsec a fragmented packet makes problems so you have to be shure that the  MTU size fits you internet connection.
    (Especial with pppoe  MTU size is lower there  )

    MSS -> Maximum Segment Size



  • @van1985:

    @MaxHeadroom:

    Try to lower the ipsec Advance Setting

    "Enable MSS clamping on VPN traffic"

    Yes! It's work!
    Enabling this option without any parametr solved my problem
    Thanks!

    I tried leaving it by the default settings and it did not solve my problem. Here's another weird thing, I have a synology NAS which I manage through its web interface at https://ipaddress:35909. I can access that from across the IPsec tunnel, but not plain Jane https. My remote site is using pfsense and on the LAN interface (where I am doing all the testing from). My rules allow the LAN to access anything and everything.

    Anybody know what might be my problem?

    Thanks!



  • Hi teladero

    Why not lowering the MSS ? what is your problem with the webgui ? Maybe the NAS Gui allow only acces from LAN

    If you want access the NAS over internet behind a pfsense  you have to  add a Firewall: NAT: Port Forward for the
    Nas

    Please be more clear with your request.

    regard max



  • fantastic, i also solved this by enabling the MSS clamping :)

    THX



  • @MaxHeadroom:

    Hi teladero

    Why not lowering the MSS ? what is your problem with the webgui ? Maybe the NAS Gui allow only acces from LAN

    If you want access the NAS over internet behind a pfsense  you have to  add a Firewall: NAT: Port Forward for the
    Nas

    Please be more clear with your request.

    regard max

    What should I lower it to?

    I have had a site to site VPN up before with two Meraki security appliance. It worked beautifully.

    I do not want my NAS to be accessible through port forwarding. Sorry I wasn't more clear.



  • @MaxHeadroom:

    Hi teladero

    Why not lowering the MSS ? what is your problem with the webgui ? Maybe the NAS Gui allow only acces from LAN

    If you want access the NAS over internet behind a pfsense  you have to  add a Firewall: NAT: Port Forward for the
    Nas

    Please be more clear with your request.

    regard max

    I noticed that the default size was 1400, so I tried 1300 and that did not work. Should I just go smaller? If so, am I slowing my connection to the remote network?

    Thanks for all your help.



  • No connection is not faster  ;D

    (I think the nas is blocking the ip…hard to guess)

    regards
    max



  • @MaxHeadroom:

    No connection is not faster  ;D

    (I think the nas is blocking the ip…hard to guess)

    regards
    max

    The NAS (or any other device on my remote network) is not blocking http or https traffic. It used to work fine when I was on a meraki site-to-site vpn. Nothing has changed here except going to pfsense at one location. I can ping, do samba shares, remote desktop, etc across the vpn, so I know it is established. I can try and add some rules on the pfsense box to allow http traffic explicitly over the vpn. I will post the results.



  • @MaxHeadroom:

    No connection is not faster  ;D

    (I think the nas is blocking the ip…hard to guess)

    regards
    max

    I can't believe it…I added a rule to allow any traffic to the remote network, and it worked! The most bizarre thing is that you can clearly see the  two rules below it, allowing IPv4 and IPv6 traffic sourced from the LAN to anywhere. No clue why this was necessary, but hopefully it will help someone else in my position.

    Thanks again MaxHeadroom!



  • Netgate

    That makes zero sense. What are the advanced characteristics on that second rule?



  • @Derelict:

    That makes zero sense. What are the advanced characteristics on that second rule?

    Makes zero sense to me as well. Here's what I have for advanced settings.



  • Netgate

    OK just limiters.

    I would disable the rule you added, turn logging on on the main pass rule, try to open connections across the VPN, and see what they logs say.

    Hmm. Limiters. I don't see anything that should do it but you might be hitting the 2.2.X limiter bug. Also disable the rule you added and try it without the limiters set.