pfSense

Chris Buechler wrote:

Hi Remko,
This seems like a duplicate of #1136, is the VPN in this case reachable via a static route?

Hi Chris,

Yes when we add a static route we can communicate with the VPN. It gets overwritten by pf's route-to/reply-to statements (and the default pass out reply-to statement earlier in the code, before the VPN configuration is loaded into the pf.conf).
hacking out the 'incorrect' settings (for us they are incorrect) still gets the vpn route added (as host route instead of /32 network route) because that is how it is configured within the system.

So there are multiple points that kills this for us...

If needed I can post some configuration examples (with stripping out the public info).

Remko Lodder wrote:

We have setup a new pfSense box that will route our VPN traffic between endpoints.
That goes out on our WAN interface which has a default GW assigned.

However, we use a different gateway for our VPN traffic. Setting this gateway does not result in the firewall using the alternative gateway, it is set by static configurations in inc/filter.inc:

3516 #$ipfrules .= "pass out {$log['pass']} route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} tracker {$increment_tracker($tracker)} keep state allow-opts label
\"let out anything from firewall host itself\"\n";

the same goes for defined IPSEC traffic:

4127 $route_to = " route-to ( $interface $gateway ) ";
4128 $reply_to = " reply-to ( $interface $gateway ) ";

4136 $route_to = " route-to ( $interface $gateway ) ";
4137 $reply_to = " reply-to ( $interface $gateway ) ";

where we have replaced this $gateway with our external address to bypass the traffic.

Also hashing out line 3516 makes it at least possible to ping the host.

Next to that I noticed that a reguliar host entry is created for the external IP address that has an static entry pointing towards the default gateway instead of the alternative gateway. (there is an /32 also installed for the static entry that we created).

schemantic of what we want:

AP --> IPSEC Tunnel to pfSense --> pfSense box over alternative GW then the default on the WAN
^{^ WAN Interface ^}

If you need additional help/info please let me know then I will try to deliver it.

Same issue as described here : https://redmine.pfsense.org/issues/7033
A solution would be appreciated :-)

Jim Pingle wrote:

Duplicate of #1136

Note sure it is really a duplicate. And the #1136 is very old (and seems not fixed). Could it be analysed by a developper ?

Thanks !

We have, it is.

Jim Pingle wrote:

We have, it is.

OK so what would be the solution? Because using floating rules has no effect.. And what is the goal of that rule (let out anything from firewall host itself) ?

Thanks!

This is a bug reporting system, not a support or discussion platform. Please post on the forum or via some other support channel for assistance.

Jim Pingle wrote:

This is a bug reporting system, not a support or discussion platform. Please post on the forum or via some other support channel for assistance.

A topic is opened here https://forum.pfsense.org/index.php?topic=122206.0 but still no solution...

If here, in the bugtracker, we find floating rules should solve the problem, but in facts do not solve it.. It should be ok to post there, no ?
It really seems to be a bug and not bad configuration. If you think you know why we are facing to this behavior and even if this is not a support plateform, it would be much appreciated you give the solution (and maybe close that bugs).. :-)

That doesn't change the situation. You're posting on closed duplicate tickets and the floating rules do solve the problem when made correctly. The forum is the only place this should be discussed. Again, this is not for discussion.

Jim Pingle wrote:

That doesn't change the situation. You're posting on closed duplicate tickets and the floating rules do solve the problem when made correctly. The forum is the only place this should be discussed. Again, this is not for discussion.

I understand but, even if this is not for discussion, it is really difficult to explains what you mean by "when made correctly" ? Everyone would be happy and all other users watching this page will find the solution and we will avoid unuseful replies :-) Or maybe if you have one minute you could reply to this post https://forum.pfsense.org/index.php?topic=122206.0 ?

Again, thank you for advance :-)