
site to site vpn connection to on premise network - pfsense firewall - cannot communicate beyond firewall subnet/vlan

0

I set up a site-to-site VPN to my on-premises network. We are using a pfSense firewall at our on-premises data center. The VPN connection is up and I can ping devices on the firewall's VLAN/subnet from an EC2 instance, but I cannot communicate with anything outside of that VLAN. Do I need to set up any routes to the other VLANs in my network and if so, where? Any thoughts would be appreciated.

3 Answers
0

Yes, you will need to ensure that routes exist in your VPC route table (or TGW route table). Routes on your firewall device to these other subnets also need to be present. Static routing and dynamic routing with BGP are supported LINK.

AWS
EXPERT
answered 10 months ago
  • Thank you for your answer. I am still having trouble and wondering if you might have some additional direction for me. I am not a network expert by any means, so forgive my stupidity if any of this seems elementary to you. The CIDR of our VPC is 12.0.0.0/16 and the internal subnet of our on-premises firewall is 192.168.2.0. The firewall has a default gateway of 192.168.2.1 which routes all traffic to the other VLANs on our network. With my limited knowledge, I was just assuming that IPsec traffic from the VPN would use this default gateway like everything else. Adding 192.168.2.0/24 as a static route to the AWS VPN allows communication from my EC2 instance to anything on the 192.168.2.0 network, but it cannot talk to any of our other networks. Would you know how I can get traffic from the VPN to pass through the firewall's default gateway to get to other networks (192.168.3.0, 192.168.4.0, etc.)? Any tips would really be appreciated. Thanks again.

0

This is a common issue with site-to-site VPN connections, and it sounds like you're experiencing a routing problem beyond the firewall's immediate subnet. Here are some steps you can take to resolve this issue:

  1. Check AWS Route Tables: Ensure that your VPC route table has routes for all the on-premises networks you want to reach, not just the firewall's subnet. These routes should point to the Virtual Private Gateway (VGW) or Transit Gateway, depending on your setup.

  2. Configure pfSense Routing: On your pfSense firewall, you need to set up routes for the AWS VPC CIDR range to be sent through the VPN interface. This allows pfSense to know where to send traffic destined for your AWS resources.

  3. Enable Routing on pfSense: Make sure pfSense is configured to route traffic between its interfaces. This is typically done by enabling the "gateway" or "routing" feature for the relevant interfaces.

  4. Firewall Rules: Check your pfSense firewall rules to ensure they allow traffic from the AWS VPC to pass through to other internal networks. You may need to add rules that explicitly allow this traffic.

  5. NAT Configuration: If you're using NAT on pfSense, ensure it's configured correctly to handle traffic between AWS and your internal networks.

  6. BGP Configuration (if applicable): If you're using dynamic routing with BGP, make sure pfSense is correctly advertising all your internal network routes to AWS.

  7. VPN Configuration: Double-check your VPN configuration on both the AWS and pfSense sides. Ensure that the traffic selectors or encryption domains include all the necessary subnets, not just the firewall's immediate network.

  8. Intermediate Firewalls or Routers: If there are any firewalls or routers between your pfSense and the other VLANs, make sure they're configured to allow and route the traffic from AWS.

By addressing these points, you should be able to establish communication beyond the firewall's immediate subnet. Remember to test thoroughly after making changes, and consider using tools like traceroute to identify where exactly the traffic is being stopped.

Sources
Route Egress Traffic through NAT Gateway to VPN Gateway | AWS re:Post
IP Sec site to site Tunnel instability | AWS re:Post
Impossible to ping from AWS to On-Premise Server with site-to-site AWS vpn | AWS re:Post

answered 10 months ago
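The checklist above boils down to one question per on-prem network: is it covered on every hop (VPC route table, VPN static routes, pfSense Phase 2 selectors)? The script below is an added example, not code from the thread, that runs that check over constructed sample data matching the poster's setup (VPC 12.0.0.0/16, VLANs 192.168.2.0/24 to 192.168.4.0/24); the gateway id "vgw-EXAMPLE" is a placeholder.

```python
import ipaddress

Net = ipaddress.IPv4Network


def _covered(net, prefixes):
    """True if net lies inside at least one of the given prefixes."""
    return any(net.subnet_of(Net(p)) for p in prefixes)


def route_gaps(onprem_vlans, vpc_cidr, vpc_routes, vpn_static_routes,
               p2_local, p2_remote):
    """Return {network: [places where a route or selector is missing]}.
    vpc_routes: {destination: target} from the VPC route table; only VGW/TGW
    targets count as a path toward on-prem. vpn_static_routes: static routes on
    the AWS Site-to-Site VPN. p2_local / p2_remote: Local and Remote Network of
    the pfSense IPsec Phase 2 entries (local = on-prem side, remote = AWS side).
    """
    to_onprem = [d for d, t in vpc_routes.items() if t.startswith(("vgw-", "tgw-"))]
    gaps = {}
    for vlan in onprem_vlans:
        net, missing = Net(vlan), []
        if not _covered(net, to_onprem):
            missing.append("VPC route table")
        if not _covered(net, vpn_static_routes):
            missing.append("VPN static routes")
        if not _covered(net, p2_local):
            missing.append("pfSense Phase 2 local network")
        if missing:
            gaps[vlan] = missing
    if not _covered(Net(vpc_cidr), p2_remote):
        gaps[vpc_cidr] = ["pfSense Phase 2 remote network"]
    return gaps


# Constructed sample data mirroring the thread: only the firewall's own VLAN
# (192.168.2.0/24) was added on each side. "vgw-EXAMPLE" is a placeholder id.
VLANS = ["192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
VPC = "12.0.0.0/16"
BEFORE = dict(vpc_routes={"12.0.0.0/16": "local", "192.168.2.0/24": "vgw-EXAMPLE"},
              vpn_static_routes=["192.168.2.0/24"],
              p2_local=["192.168.2.0/24"], p2_remote=["12.0.0.0/16"])
# After the fix: one aggregate (192.168.0.0/16) covers every VLAN on each side.
AFTER = dict(vpc_routes={"12.0.0.0/16": "local", "192.168.0.0/16": "vgw-EXAMPLE"},
             vpn_static_routes=["192.168.0.0/16"],
             p2_local=["192.168.0.0/16"], p2_remote=["12.0.0.0/16"])

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, route_gaps(VLANS, VPC, **cfg))
```

With the "before" data the two VLANs the poster cannot reach are reported as missing on all three hops; the aggregate fixes them without listing every VLAN individually.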
0

Hi, iamcx.

To answer your question more accurately, we need more info.

In your on-prem: You said that your firewall's VLAN is 192.168.2.0, right? Is your firewall also the gateway to the other VLANs? If not, are you pointing a route for the AWS CIDR (12.0.0.0/16) to the firewall on your on-prem side? Do you have all the internal subnets, or an aggregate of them, allowed in your pfSense VPN configuration [1]? Can you check the firewall rules in both directions? Have you tried to troubleshoot via tcpdump to see if the traffic gets to the interface?

In AWS: Did you add the on-prem routes in the Site-to-Site VPN configuration? Do you have the other VLANs' CIDRs (192.168.3.0/24, 192.168.4.0/24) pointing to the VPN Virtual Private Gateway in the VPC/subnet route tables? Do you have any Network Access List blocking outbound traffic?

** IMPORTANT: In AWS you are using a non-RFC 1918 CIDR block. The importance of using RFC 1918 blocks is that these blocks are not routed through the internet, and when you use a valid public IP range (12.0.0.0/16) you may have problems accessing any service that uses any IP in this range. You can check here that the 12.0.0.0/16 block belongs to AT&T [2]. You may add a secondary block to your existing VPC, but in your case you can only add a block from the 100.64.0.0/10 range [3].

[1] - https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p2.html#networks
[2] - https://search.arin.net/rdap/?query=12.0.0.0%2F16
[3] - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html#add-cidr-block-restrictions

AWS
answered 9 months ago
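The address-plan warning above (a public 12.0.0.0/16 as VPC CIDR, and a secondary block from 100.64.0.0/10 as the option this answer names) can be checked mechanically before any routing work. This is an added example, not code from the thread; the on-prem ranges are the ones the poster gave, and the candidate secondary blocks are constructed.

```python
import ipaddress

Net = ipaddress.IPv4Network
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]
SHARED = Net("100.64.0.0/10")  # RFC 6598 shared address space, the range the answer names


def is_rfc1918(net):
    """True if the network lies entirely inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def address_plan_findings(vpc_cidr, onprem_cidrs, secondary_cidr=None):
    """Return a list of findings; an empty list means nothing was flagged.
    Checks: primary VPC CIDR is RFC 1918; VPC and on-prem ranges do not overlap;
    a proposed secondary block is from 100.64.0.0/10 when the primary is public
    (the option the answer names) and overlaps nothing already in use.
    """
    vpc = Net(vpc_cidr)
    onprem = [Net(c) for c in onprem_cidrs]
    findings = []
    if not is_rfc1918(vpc):
        findings.append(f"{vpc} is not RFC 1918; hosts in that public range become unreachable from the VPC")
    for c in onprem:
        if vpc.overlaps(c):
            findings.append(f"VPC {vpc} overlaps on-prem {c}; routing between them is ambiguous")
    if secondary_cidr:
        sec = Net(secondary_cidr)
        if not is_rfc1918(vpc) and not sec.subnet_of(SHARED):
            findings.append(f"secondary {sec} is outside {SHARED}, the range the answer says is available here")
        for c in onprem + [vpc]:
            if sec.overlaps(c):
                findings.append(f"secondary {sec} overlaps {c}")
    return findings


# On-prem ranges from the thread; the secondary candidates below are constructed.
ONPREM = ["192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]

if __name__ == "__main__":
    for sec in ("10.50.0.0/16", "100.64.10.0/24"):
        for line in address_plan_findings("12.0.0.0/16", ONPREM, secondary_cidr=sec):
            print(sec, "->", line)
```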
