I answered this in another thread ([pfSense Support] pfsense beta-4 multiple ipsec clients from lan to wan) less than two hours ago.
--Bill

On 6/9/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi,

I just updated to the latest releng_1 and it still has this same problem. I have a carp+dual wan setup and I'm trying to get outbound load balancing to work, but when I make changes to the advanced outbound nat rules to work towards getting load balancing to work, it causes my ipsec tunnel to stop getting packets. What I mean by that is that the ipsec tunnel still establishes, but traceroutes to the tunnel return addresses on the public internet (whereas they didn't with the previous outbound nat setting, when ipsec was actually working).

Without further ado, here's what I changed the outbound nat rules to that caused it to stop working:

iface: WAN2
src: 192.168.0.0/24
src port: *
dst: ! 192.168.0.0/24
dst port: *
nat addr: * (no carp on WAN2 unfortunately)
nat port: *
static port: no

iface: WAN
src: 192.168.0.0/24
src port: *
dst: ! 192.168.0.0/24
dst port: *
nat addr: x.x.218.245 (my public wan carp ip)
nat port: *
static port: no

I don't have enough public IPs on WAN2 to carp it; however, the ipsec tunnel is currently using WAN2's connection (it's the only ip my client's router, the other end of the tunnel, is configured to accept).

The LAN firewall rule allowing outbound traffic is:

iface: lan
proto: *
source: lan net
port: *
dest: *
dest port: *
gateway: x.x.231.154 (WAN2's gateway; WAN's isp was having trouble yesterday)

I have just restored my router configuration (again) and my ipsec tunnel is working again. Here are the adv outbound nat rules that allow the tunnel to work:

iface: WAN2
src: 192.168.0.96/31
src port: *
dst: *
dst port: *
nat addr: * (no carp on WAN2 unfortunately)
nat port: *
static port: no

iface: WAN
src: 192.168.0.0/24
src port: *
dst: *
dst port: *
nat addr: x.x.218.245 (my public wan carp ip)
nat port: *
static port: no

I was told that in order for outbound load balancing to work correctly, especially in combination with carp, you have to create two outbound nat rules, one for each wan. However, when I try to do this, it causes my vpn traffic to not get "caught" by the ipsec tunnel and it is instead sent to the unencrypted internet (as evidenced by my tracerts).

What am I doing wrong, or have I possibly discovered a bug? Please advise, thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]