pfSense – Continuing to Break my brain

pfSense – Continuing to Break my brain

During the fun of building out another virtual environment to act as another remote site I realised that traffic was no longer flowing over my IPSec VPN once I set it up.

The initial issue was due to a mismatch between the configurations on my two pfSense firewalls which was quickly resolved and the tunnel came up after that. Once it was up though I realised that nothing was flowing over the VPN.

As I’d set the new pfSense firewall up with the same restricted ruleset I was pretty sure that it was going to be rule related but even enabling logging for all my default block all rules didn’t show what was going on.

So to troubleshoot it I span up my secondary environment again and did some checking on there. The first thing it ruled out was the difference in pfSense versions as both the second and third sites are both running v2.4.5 whereas the main environment is running v2.3.4.

Checking the traffic on the rules for each environment showed that whereas my main site wasn’t showing any traffic through the IPSec rules, my secondary site was. Things like the WSUS rule was generating a large amount of traffic and I could get across to the shares too which are allowed. From the main site though things like RDP or SSH weren’t working.

The next step was to add specific block all rules with logging enabled for the subnets at each end and then test things from the main site to see what cropped up. Sure enough, as soon as I tried to RDP it logged a block but not where I expected it at all !

I turns that out that the traffic was being blocked leaving my infrastructure VLAN so wasn’t even getting to the VPN to fail there, hence why I saw no blocks for that interface in the logs.

So what did I learn from this ?

The first thing was that as soon as you take away those magic permit any/any rules on pfSense that you have to treat the traffic going to the IPSec VPN the same way as between any other VLANs. I know it’s a basic principle which I’ve also had to remediate first hand on client site when before go-live the network engineer removed all the permit any/any rules, but I’ve never really been involved in the WAN network setup side of things before.

The second thing is to adopt the same methods I use in consultancy and methodically test everything after a major change or upgrade.

The third and final thing I learnt was that maybe my home lab is getting a little complicated !

To break my brain further during these unprecedented times I’m going to slide a WAN emulator in the mix too ! If I get the time after that then I might even look at popping a couple of Citrix SD-WANs in the mix to learn about those.

Leave a Reply

Your email address will not be published.