Hi
The OPNsense default deny rule in "floating" intercepts traffic from the IPsec VPN to a network connected directly to OPNsense, although there are at least 2 rules which should ensure the traffic passes.
I've got a rule for that specific traffic in IPsec (DNS and HTTP/S) and added another one in floating allowing all traffic from IPsec to everything.
...any ideas?
Btw. I do have my own Deny ALL rules on every interface, but these are never hit by the IPsec traffic; it goes straight to the floating default deny all rule.
After some more investigation:
IPsec traffic is blocked only if I select the predefined "IPsec net" as the source. If I instead create an alias with the IPsec network address and use that as the source, the traffic goes through; however, the responses are then blocked (as I see it, the responses are not recognised as responses by the firewall but as new connections).
The firewall has several interfaces and all traffic is flowing as it should; only IPsec has problems.
...and something more:
Responses to IPsec traffic are logged several seconds after the request leaves the firewall on the correct interface.
I have tried changing the IP address of the VPN just to verify that I don't have a routing issue. I have no problems with traffic between any other interfaces, and the firewall is the default gw. on all connected interfaces.