[pfSense Support] advanced outbound nat interfering with ipsec tunnel?

2006-06-09 Thread [EMAIL PROTECTED]
Hi,

I just updated to latest releng_1 and it still has this same problem.

I have a carp+dual wan setup and I'm trying to get outbound load balancing
to work, but when I make changes to the advanced outbound nat rules to work
towards getting load balancing to work, it causes my ipsec tunnel to stop
getting packets. What I mean by that is that the ipsec tunnel still
establishes, but traceroutes to the tunnel return addresses on the public
internet ( whereas they didn't with the previous outbound nat setting - and
when ipsec was actually working ).

Without further ado, here's what I changed the outbound nat rules to that
caused it to stop working:

iface: WAN2
src: 192.168.0.0/24
src port: *
dst: ! 192.168.0.0/24
dst port: *
nat addr: * ( no carp on WAN2 unfortunately )
nat port: *
static port: no

iface: WAN
src: 192.168.0.0/24
src port: *
dst: ! 192.168.0.0/24
dst port: *
nat addr: x.x.218.245 ( my public wan carp ip )
nat port: *
static port: no

I don't have enough public IPs on WAN2 to carp it, however the ipsec
tunnel is currently using WAN2's connection ( it's the only ip my client's
router - the other end of the tunnel - is configured to accept )

The LAN firewall rule allowing outbound traffic is:

iface: lan
proto: *
source: lan net
port: *
dest: *
dest port: *
gateway: x.x.231.154 ( WAN2's gateway - WAN's isp was having trouble
yesterday )

I have just restored my router configuration (again) and my ipsec tunnel is
working again. Here are the adv outbound nat rules that allow the tunnel to
work:

iface: WAN2
src: 192.168.0.96/31
src port: *
dst: *
dst port: *
nat addr: * ( no carp on WAN2 unfortunately )
nat port: *
static port: no

iface: WAN
src: 192.168.0.0/24
src port: *
dst: *
dst port: *
nat addr: x.x.218.245 ( my public wan carp ip )
nat port: *
static port: no

I was told that in order for outbound load balancing to work correctly
especially in combination with carp, you have to create two outbound nat
rules, one for each wan. However, when I try to do this, it causes my vpn
traffic to not get caught by the ipsec tunnel and is instead getting sent
to the unencrypted internet ( as evidenced by my tracerts ). What am I
doing wrong, or have I possibly discovered a bug?

Please advise, thank you.







-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
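Added illustration, not from the thread: a small Python model of pfSense's first-match outbound NAT evaluation applied to the two rule sets in the post. The remote tunnel host 10.99.0.10, the LAN hosts and the choice of WAN2 as the tunnel interface are constructed placeholders. It assumes pfSense's documented requirement for manual outbound NAT, that traffic bound for the IPsec remote subnet must not be source-NATed on the egress interface or it no longer matches the tunnel's policy, and lists which LAN hosts each rule set would NAT on that interface.

```python
import ipaddress

# Outbound NAT rule sets transcribed from the post. pfSense evaluates them in
# order; the first matching rule on the egress interface is applied.
# "*" means any; a leading "!" negates the destination match.
BROKEN_RULES = [
    {"iface": "WAN2", "src": "192.168.0.0/24", "dst": "! 192.168.0.0/24", "nat": "*"},
    {"iface": "WAN", "src": "192.168.0.0/24", "dst": "! 192.168.0.0/24", "nat": "x.x.218.245"},
]
WORKING_RULES = [
    {"iface": "WAN2", "src": "192.168.0.96/31", "dst": "*", "nat": "*"},
    {"iface": "WAN", "src": "192.168.0.0/24", "dst": "*", "nat": "x.x.218.245"},
]

# Constructed placeholders, not from the thread: a host behind the remote end
# of the IPsec tunnel, and the interface the tunnel leaves on.
REMOTE_VPN_HOST = "10.99.0.10"
TUNNEL_IFACE = "WAN2"


def _matches(spec, addr):
    """Match an address against a rule field: "*", "net/mask" or "! net/mask"."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    inside = ipaddress.ip_address(addr) in net
    return not inside if negate else inside


def first_match(rules, iface, src, dst):
    """Return the first rule that would rewrite src for this flow, or None."""
    for rule in rules:
        if rule["iface"] == iface and _matches(rule["src"], src) and _matches(rule["dst"], dst):
            return rule
    return None


def natted_tunnel_hosts(rules, lan_hosts, remote_host):
    """LAN hosts whose tunnel-bound packets would be source-NATed on the tunnel
    interface, i.e. would no longer carry the LAN source the IPsec policy expects."""
    return [h for h in lan_hosts
            if first_match(rules, TUNNEL_IFACE, h, remote_host) is not None]


if __name__ == "__main__":
    hosts = ["192.168.0.10", "192.168.0.96"]
    print("broken :", natted_tunnel_hosts(BROKEN_RULES, hosts, REMOTE_VPN_HOST))
    print("working:", natted_tunnel_hosts(WORKING_RULES, hosts, REMOTE_VPN_HOST))
```

With the broken set every LAN host's tunnel-bound traffic is NATed on WAN2; with the working set only the 192.168.0.96/31 pair is, which is why the rest of the LAN still reaches the tunnel.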



Re: [pfSense Support] advanced outbound nat interfering with ipsec tunnel?

2006-06-09 Thread Bill Marquette

I answered this in another thread ([pfSense Support] pfsense beta-4
multiple ipsec clients from lan to wan) less than two hours ago.

--Bill




