Hello everyone,

First of all, please note that I already posted the question below on the pfSense forum (see https://forum.pfsense.org/index.php?topic=79081.0) about a week ago without any reply. Given the urgency of the matter, I decided to post to the mailing list, hoping for one here.

BTW: I don't know whether this will help to obtain a reply, but please note that I have a Gold membership subscription as well.

So, regarding my question, I'll copy/paste from the forum as follows:


I have 2 pfSense boxes (both version 2.1.4) connected via the Internet. Each one has 3 interfaces: LAN, WAN & OPT1.
There is an IPsec VPN between the 2 pfSense boxes.
A WAN optimisation (we'll call it WANOPT) appliance is connected to the OPT1 interface on each side. There is a UDP tunnel between the 2 WANOPT appliances. This UDP tunnel goes inside the IPsec tunnel. I use PBR (as a LAN rule) to redirect traffic going to the remote LAN into the WANOPT appliance.

This is what I've observed after starting to ping a remote LAN machine from a local LAN machine:
1. On reaching the local LAN interface, the ICMP echo request is properly redirected to the WANOPT appliance.
2. The ICMP request then goes inside the UDP tunnel.
3. The UDP packets go into the IPsec tunnel.
4. On the remote side, a tcpdump shows that the ICMP packet does come out of the WANOPT appliance and therefore the UDP tunnel.
5. It then reaches the OPT1 interface of the remote firewall.
6. However, it does NOT come out of any interface!!!
7. I have an "Allow all protocols from any to any" rule on both the IPsec and OPT1 interfaces, for testing purposes.
8. There's nothing in the log saying that the packet was dropped. In fact, there's a log entry which says that the packet was actually allowed into the OPT1 interface!

What has happened to the packet?

NB:
1. On the remote side, when the ICMP packet comes out of the UDP tunnel, its source IP is that of the local LAN machine and its destination is that of the remote LAN machine.
2. Is this packet being considered a spoofed packet?

I modified the file /etc/inc/filter.inc (around line 3105 in pfSense 2.1.4) to disable antispoofing on the OPT1 interface and rebooted both firewalls without any success. I confirmed that the file /tmp/rules.debug did not contain the antispoof directive for the OPT1 interface after reboot.
RFC 1918 private IP addresses are not being blocked either.

Thank you for any help.
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
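The antispoof question raised in the post above, worked through as an added example that is not part of the original post or of pfSense itself. Per pf.conf(5), `antispoof for <if>` expands to two rules: `block drop in on ! <if> inet from <if>:network to any` and `block drop in inet from <if-address> to any`. The script below expands those rules for a set of interfaces and checks a packet (ingress interface plus source address) against them, so one can see which packets the directive would actually catch. All addresses and interface assignments are assumed for illustration and are not the poster's.

```python
"""Expand pf 'antispoof for <if>' into its block rules and test packets against them.

Added example; the interface addresses below are constructed, not taken from the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Iface:
    name: str
    address: str  # interface address with prefix length, e.g. "192.168.20.1/24"


@dataclass(frozen=True)
class Rule:
    iface: Optional[str]      # interface the rule is bound to, or None for "any interface"
    negate_iface: bool        # True models "on ! <if>"
    src: ipaddress.IPv4Network
    text: str                 # the rule as pf would print it


def antispoof_rules(iface: Iface) -> List[Rule]:
    """Expand 'antispoof for <iface> inet' exactly as pf.conf(5) describes."""
    ifc = ipaddress.ip_interface(iface.address)
    net = ifc.network
    return [
        # packets claiming a source inside this interface's network must arrive on it
        Rule(iface.name, True, net,
             f"block drop in on ! {iface.name} inet from {net} to any"),
        # nothing may arrive claiming the firewall's own interface address as source
        Rule(None, False, ipaddress.ip_network(f"{ifc.ip}/32"),
             f"block drop in inet from {ifc.ip} to any"),
    ]


def rule_matches(rule: Rule, in_iface: str, src: str) -> bool:
    """Does an inbound packet on in_iface with source src hit this rule?"""
    if rule.iface is not None:
        on_iface = in_iface == rule.iface
        if rule.negate_iface and on_iface:
            return False
        if not rule.negate_iface and not on_iface:
            return False
    return ipaddress.ip_address(src) in rule.src


def antispoof_verdict(ifaces: List[Iface], in_iface: str, src: str) -> List[str]:
    """Return the text of every expanded antispoof rule the packet would match."""
    return [r.text
            for i in ifaces
            for r in antispoof_rules(i)
            if rule_matches(r, in_iface, src)]


# Constructed layout of the *remote* firewall: LAN, OPT1 (WANOPT side) and WAN.
REMOTE_IFACES = [
    Iface("LAN", "192.168.20.1/24"),
    Iface("OPT1", "192.168.30.1/24"),
    Iface("WAN", "203.0.113.2/30"),
]


if __name__ == "__main__":
    # A decapsulated packet from the far-side LAN (assumed 192.168.10.0/24) arriving on OPT1.
    print("far-side LAN src on OPT1:", antispoof_verdict(REMOTE_IFACES, "OPT1", "192.168.10.50"))
    # A packet claiming a remote-LAN source but arriving on OPT1: classic spoof case.
    print("local LAN src on OPT1:   ", antispoof_verdict(REMOTE_IFACES, "OPT1", "192.168.20.7"))
    # A packet claiming OPT1's own address, arriving on LAN.
    print("OPT1 address src on LAN: ", antispoof_verdict(REMOTE_IFACES, "LAN", "192.168.30.1"))
```

With these assumed addresses, a packet whose source lies in a network that is not attached to any local interface matches none of the expanded antispoof rules, whichever interface it arrives on; antispoof only fires when the source claims a locally attached network (or an interface address) while arriving on the wrong interface. Whether that applies to the poster's real addressing is something only their own subnets can tell.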
