[SOLVED]
After checking, it was a routing issue that prevented access to the server.
The problem is not related to firewall rules.
Go to 'Additional BOOTP/DHCP Options' and use DHCP to push a static route to solve the problem.
-----------------------------------------------------------
opnsense ip: 192.168.1.1
my other gateway ip: 192.168.1.2
my webserver ip: 192.168.1.61, gateway: 192.168.1.2, dns: 192.168.1.2
my mobile uses openvpn, ip: 10.0.8.6
I use 10.0.8.6 to browse 192.168.1.61
I want to use the VPN to access my webserver. I can ping it, but access to port 80 is blocked by the default rules. Access works normally without the VPN.
I tried setting up a few firewall rules, but nothing worked.
Thanks
log: LAN Sep 8 20:51:52 192.168.1.2:80 10.0.8.6:44188 tcp Default deny rule
Detailed rule information:
__timestamp__ Sep 8 20:14:14
ack 3652002442
action [block]
anchorname
datalen 695
dir [in]
dst 10.0.8.6
dstport 41472
ecn
id 32338
interface bridge0
interface_name LAN
ipflags DF
label Default deny rule
length 747
offset 0
proto 6
protoname tcp
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
ridentifier 0
rulenr 16
seq 2918695121:2918695816
src 192.168.1.2
srcport 80
subrulenr
tcpflags PA
tcpopts
tos 0x0
ttl 62
urp 506
version 4
On 192.168.1.61, add a static route to 10.0.8.0 through 192.168.1.1.
Thank you ;D
I added the route and the server is accessible.
But can I change the settings in opnsense to fix the problem?
No, it is a problem with your network design.
Quote from: banym on September 09, 2020, 09:10:26 AM
No, it is a problem with your network design.
Yes, it is indeed a network design issue and there is a problem with the routing that has nothing to do with the firewall. Thanks.
Well, it is not a "problem" with the routing. It works as designed. Two gateways in one network will lead to this kind of problem. If the VPN gateway you are routing over is not the default gateway for the local machines, they need static routes to find the way back.
You could work around with other types of VPN but if you're using VPN networks and tunnel networks you will face this kind of requirements.
Routing can easily become complicated with VPN and multiple routers.
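The following is an added worked example, not code from the thread or from OPNsense. It models the addresses given above in Python: a longest-prefix route lookup on the web server shows where its replies to 10.0.8.6 go before and after the static route from the answer, a simplified state table shows why the reply is hit by the default deny rule on OPNsense's LAN side, and an RFC 3442 encoder produces the option 121 payload behind the "DHCP pushing a static route" fix in the [SOLVED] note. Two things are assumptions: the second gateway is modelled as rewriting the reply's source address to its own (the logged packet has src 192.168.1.2:80 rather than 192.168.1.61:80, which is what that would look like), and the state check is a deliberately reduced version of pf's real behaviour.

```python
"""Two-gateway LAN model (constructed example; addresses taken from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

OPNSENSE = "192.168.1.1"      # OpenVPN server / firewall
OTHER_GW = "192.168.1.2"      # the web server's default gateway
WEBSERVER = "192.168.1.61"
VPN_CLIENT = "10.0.8.6"
LAN = Net("192.168.1.0/24")
VPN_NET = Net("10.0.8.0/24")  # OpenVPN tunnel network


@dataclass(frozen=True)
class Route:
    prefix: Net
    gateway: Optional[IPv4] = None  # None: directly connected, deliver on-link


def next_hop(routes, dst):
    """Longest-prefix match: the most specific matching route decides the next hop."""
    dst = IPv4(dst)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return str(best.gateway) if best.gateway is not None else str(dst)


def webserver_routes(with_static_route):
    """The web server's table: connected LAN plus default via 192.168.1.2,
    optionally the static route for the tunnel network from the answer."""
    routes = [Route(LAN), Route(Net("0.0.0.0/0"), IPv4(OTHER_GW))]
    if with_static_route:
        routes.append(Route(VPN_NET, IPv4(OPNSENSE)))
    return routes


class StatefulFirewall:
    """Reduced pf model: the first packet of a flow creates a state; a packet
    coming back is passed only if it is the exact reverse of a known state."""

    def __init__(self):
        self.states = set()

    def forward(self, src, sport, dst, dport):
        self.states.add((src, sport, dst, dport))
        return "pass"

    def inbound_reply(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.states:
            return "pass (state match)"
        return "block (Default deny rule)"


def simulate(with_static_route):
    """Returns (web server's next hop for the reply, source seen by OPNsense, verdict)."""
    fw = StatefulFirewall()
    # VPN client -> web server enters OPNsense on the tunnel and creates the state.
    fw.forward(VPN_CLIENT, 44188, WEBSERVER, 80)
    hop = next_hop(webserver_routes(with_static_route), VPN_CLIENT)
    if hop == OPNSENSE:
        reply_src = WEBSERVER   # reply reaches the firewall untouched
    else:
        # ASSUMPTION: the other gateway masquerades the reply with its own address,
        # as the logged src 192.168.1.2:80 suggests; the state no longer matches.
        reply_src = OTHER_GW
    verdict = fw.inbound_reply(reply_src, 80, VPN_CLIENT, 44188)
    return hop, reply_src, verdict


def classless_static_route_option(routes):
    """RFC 3442 (DHCP option 121) payload: per route, the prefix length, only the
    significant octets of the destination, then the 4-octet router address."""
    out = bytearray()
    for net, gw in routes:
        net, gw = Net(net), IPv4(gw)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += gw.packed
    return bytes(out)


if __name__ == "__main__":
    for flag in (False, True):
        print("static route" if flag else "no static route", simulate(flag))
    print(classless_static_route_option([(str(VPN_NET), OPNSENSE),
                                         ("0.0.0.0/0", OTHER_GW)]).hex())
```

One caveat on the DHCP variant of the fix: RFC 3442 says a client that receives option 121 must ignore the plain Router option, so the pushed payload should carry the default route as well (the second entry in the example), or the client ends up with the tunnel route but no default gateway.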