OPNsense Forum

English Forums => Virtual private networks => Topic started by: ReDaLeRt on December 28, 2021, 12:10:11 PM

Title: Wireguard Site-to-site with selective routing
Post by: ReDaLeRt on December 28, 2021, 12:10:11 PM
Hello.

My issue with selective routing is accessing a specific public IP range (213.13.24.0/24) from an OpenWrt Site "B" connected site-to-site through an OPNsense Site "A".

Configuring that subnet range on Site "B" as "allowed ips" for the tunnel, so that Site "B" could access it through Site "A", isn't working as expected:

tracert 213.13.24.11

Tracing route to 213.13.24.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OpenWRT.lan [192.168.0.1]
  2    17 ms    14 ms    15 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
10     *        *        *     Request timed out.
11     *        *        *     Request timed out.
12     *        *        *     Request timed out.
13     *        *        *     Request timed out.
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.


The site "B" LAN range is 192.168.0.0/24 with tunnel IP 10.0.0.2/32, the Site "A" is 192.168.10.0/24 with tunnel IP 10.0.0.1/32, and the WG tunnel range is 10.0.0.0/24. Both sites are connected to the internet with public IP addresses on their WAN interfaces.

The OPNsense configuration is presented within the attachments below.

A half workaround on Site B is to enable masquerading to get selective routing, but it blocks Site A from accessing Site B:


uci set firewall.lan.masq="1"    # enable masquerading on the OpenWrt "lan" zone
uci commit firewall              # persist the change to /etc/config/firewall
/etc/init.d/firewall restart     # reload the firewall so the new rules take effect


I'm hoping that someone could shed some light into this. :-)

Thanks.
Title: Re: Wireguard Site-to-site with selective routing
Post by: ReDaLeRt on December 28, 2021, 03:24:48 PM
Additionally, I managed to capture a traceroute from a client on Site B to the IP range 213.13.24.0/24:

Title: Re: Wireguard Site-to-site with selective routing
Post by: ReDaLeRt on December 29, 2021, 10:03:13 PM
The solution was adding a NAT outbound rule such as the one attached.

The source address is the LAN IP range of Site "B".
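Why that outbound NAT rule is what makes the difference can be shown with a small model of the packet path, added here as an illustration; it is not code from the thread, from OPNsense or from OpenWrt. It uses the thread's addresses (Site B LAN 192.168.0.0/24 behind tunnel IP 10.0.0.2, Site A LAN 192.168.10.0/24 behind 10.0.0.1, target range 213.13.24.0/24, target host 213.13.24.11 from the tracert) plus two constructed values: a Site B client 192.168.0.10 and a placeholder public WAN address 203.0.113.1 for Site A. Without the rule, the request leaves Site A's WAN with an RFC 1918 source that the public host cannot reply to, which is exactly the wall of "Request timed out" after hop 2; with the rule, the reply returns to Site A's WAN address, is de-NATed, and is handed back into the tunnel because 192.168.0.0/24 is in the AllowedIPs of peer Site B.

```python
"""Model of the site-to-site path from the thread (added illustration, not
OPNsense/OpenWrt code). WireGuard "cryptokey routing": a peer's AllowedIPs is
both the route *to* that peer and the only source addresses accepted *from* it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses stated in the thread.
SITE_B_LAN = ip_network("192.168.0.0/24")
SITE_A_LAN = ip_network("192.168.10.0/24")
TARGET_NET = ip_network("213.13.24.0/24")
TARGET = "213.13.24.11"
# Constructed for this example: a Site B client and a placeholder public
# address for Site A's WAN (documentation range, assumption).
B_CLIENT = "192.168.0.10"
A_WAN = "203.0.113.1"

# Peer tables as the thread describes them: Site B routes the target range
# into the tunnel; Site A only knows Site B's LAN and tunnel address.
SITE_B_PEERS = {"site-A": [ip_network("10.0.0.1/32"), SITE_A_LAN, TARGET_NET]}
SITE_A_PEERS = {"site-B": [ip_network("10.0.0.2/32"), SITE_B_LAN]}

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str


def is_rfc1918(addr: str) -> bool:
    """True for private addresses that the public internet will not route back to."""
    return any(ip_address(addr) in net for net in RFC1918)


def wg_peer_for(peers: dict, addr: str):
    """Cryptokey routing: the peer whose AllowedIPs cover addr, or None."""
    ip = ip_address(addr)
    for name, nets in peers.items():
        if any(ip in net for net in nets):
            return name
    return None


def site_a_egress(pkt: Packet, nat_outbound: bool, nat_state: dict) -> str:
    """Pick Site A's egress interface; apply the outbound NAT rule on WAN if enabled."""
    if wg_peer_for(SITE_A_PEERS, pkt.dst):
        return "tunnel"
    if ip_address(pkt.dst) in SITE_A_LAN:
        return "lan"
    # The thread's fix: outbound NAT on WAN with source = Site B's LAN range.
    if nat_outbound and ip_address(pkt.src) in SITE_B_LAN:
        nat_state[pkt.dst] = pkt.src  # remember the inside address for the reply
        pkt.src = A_WAN
    return "wan"


def internet_reply(pkt: Packet):
    """The public host answers whatever source it saw; a private source gets no reply back."""
    reply = Packet(src=pkt.dst, dst=pkt.src)
    return None if is_rfc1918(reply.dst) else reply


def trace(nat_outbound: bool) -> list:
    """Walk one request/reply pair from the Site B client to TARGET and return the hops."""
    hops, nat_state = [], {}
    pkt = Packet(src=B_CLIENT, dst=TARGET)
    # Site B router: AllowedIPs of peer site-A include 213.13.24.0/24, so it goes into the tunnel.
    hops.append(f"B: {pkt.dst} -> tunnel to {wg_peer_for(SITE_B_PEERS, pkt.dst)}")
    # Site A accepts the packet only if its source lies in that peer's AllowedIPs.
    if wg_peer_for(SITE_A_PEERS, pkt.src) != "site-B":
        hops.append("A: dropped, source not in AllowedIPs of site-B")
        return hops
    hops.append(f"A: {site_a_egress(pkt, nat_outbound, nat_state)} egress src={pkt.src}")
    reply = internet_reply(pkt)
    if reply is None:
        hops.append(f"{TARGET}: reply to private {pkt.src} is lost")
        return hops
    hops.append(f"{TARGET}: reply to {reply.dst}")
    # Site A receives the reply on WAN: undo the translation, then cryptokey-route it.
    reply.dst = nat_state.get(reply.src, reply.dst)
    hops.append(f"A: de-NAT to {reply.dst} -> {site_a_egress(reply, nat_outbound, nat_state)} to site-B")
    return hops


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"outbound NAT on Site A WAN: {enabled}")
        for hop in trace(enabled):
            print("  ", hop)
```

The model also makes the other half of the picture visible: the reply is forwarded into the tunnel only because Site A's peer entry for Site B carries 192.168.0.0/24 in AllowedIPs, so a rule that translates the source but a peer entry that lists only 10.0.0.2/32 would still leave the client without an answer.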