OPNsense Forum

English Forums => General Discussion => Topic started by: GaardenZwerch on February 16, 2022, 11:49:24 AM

Title: Mysterious "sendto: Permission denied"
Post by: GaardenZwerch on February 16, 2022, 11:49:24 AM
Hi,
I have a weird behaviour somehow related to source NAT and route-based IPsec tunnels:

Networks A and B are behind an OPNsense box (22.1) and should access resources through a tunnel.

Network B should be NATted as Network A for this. The NAT itself works.

I can't see anything related in pflog, even if I enable logging in the 'permit' rule.

How do I figure out what causes the 'permission denied'? IDS/IPS is disabled.

Thanks a lot,
Frank

(*) either using ping -S Network-A-Address, or using nc -vz -s
Title: Re: Mysterious "sendto: Permission denied"
Post by: mimugmail on February 16, 2022, 05:51:23 PM
Firewall : Settings : Advanced : Disable Force Gateway ticked?
Title: Re: Mysterious "sendto: Permission denied"
Post by: GaardenZwerch on February 17, 2022, 02:22:51 PM
Hello,
yes, I tried both with and without this option.
Any other ideas?
Thanks,
Title: Re: Mysterious "sendto: Permission denied"
Post by: mimugmail on February 17, 2022, 02:48:25 PM
Hm, I always was under the impression that SNAT doesn't work with route-based tunnels .. was this also working with 21.7?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
Title: Re: Mysterious "sendto: Permission denied"
Post by: GaardenZwerch on February 22, 2022, 01:14:07 PM
Hi,
no, this didn't work with earlier releases AFAIK.
I remember trying to do SNAT before route-based IPSec before on a different site, but I ended up with a different solution as I couldn't get it to work.
Title: Re: Mysterious "sendto: Permission denied"
Post by: GaardenZwerch on March 31, 2022, 01:06:29 PM
Quote from: mimugmail on February 17, 2022, 02:48:25 PM
Hm, I always was under the impression that SNAT doesn't work with route-based tunnels .. was this also working with 21.7?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
Hi Michael,
does this make sense:

sysctl net.enc.out.ipsec_filter_mask=0
sysctl net.enc.in.ipsec_filter_mask=0
sysctl net.enc.out.ipsec_bpf_mask=0
sysctl net.enc.in.ipsec_bpf_mask=0
sysctl net.inet.ipsec.filtertunnel=1
sysctl net.inet.ipsec6.filtertunnel=1

(found here: https://www.reddit.com/r/OPNsenseFirewall/comments/ts86eh/ipsec_gateway_as_upstream_gateway/)
Title: Re: Mysterious "sendto: Permission denied"
Post by: mimugmail on April 01, 2022, 07:07:38 AM
I wrote about these values in the official FreeBSD bugtracker issue and was warned that when you mix route-based and legacy, one of them will break :/
Title: Re: Mysterious "sendto: Permission denied"
Post by: Sieg on April 13, 2024, 11:46:18 PM
Quote from: GaardenZwerch on February 16, 2022, 11:49:24 AM
Hi,
I have a weird behaviour somehow related to source NAT and route-based IPsec tunnels:
..

Maybe a block/reject rule at last position with Direction=out?
Title: [SOLVED] Mysterious "sendto: Permission denied"
Post by: akurmann on January 14, 2026, 06:36:06 PM
Hi,
Did you ever solve the problem? I had the same problem after I added some new firewall rules: ping to an external IP address like 8.8.8.8 did not work any more, i.e. I also got "sendto: Permission denied".

Solution: I just rebooted OPNsense and the problem vanished.

I have noticed that the OPNsense firewall sometimes does not work properly anymore after some (more than 5) changes to the firewall rules. A reboot always helps.
Andreas
Title: Re: Mysterious "sendto: Permission denied"
Post by: Patrick M. Hausen on January 14, 2026, 07:14:01 PM
Next time try to clear the firewall states instead of rebooting.