OPNsense Forum

English Forums => General Discussion => Topic started by: GaardenZwerch on February 16, 2022, 11:49:24 AM

Title: Mysterious "sendto: Permission denied"
Post by: GaardenZwerch on February 16, 2022, 11:49:24 AM
Hi,
I have a weird behaviour somehow related to source NAT and route-based IPsec tunnels:

Networks A and B are behind an OPNsense box (22.1) and should access resources through a tunnel.

Network B should be NATted as Network A for this. The NAT itself works.

I can't see anything related in pflog, even if I enable logging in the 'permit' rule.

How do I figure out what causes the 'permission denied'? IDS/IPS is disabled.

Thanks a lot,
Frank

(*) either using ping -S Network-A-Address, or using nc -vz -s
Title: Re: Mysterious "sendto: Permission denied"
Post by: mimugmail on February 16, 2022, 05:51:23 PM
Firewall : Settings : Advanced : Disable Force Gateway ticked?
Title: Re: Mysterious "sendto: Permission denied"
Post by: GaardenZwerch on February 17, 2022, 02:22:51 PM
Hello,
yes I tried both with and without this option.
Any other ideas?
Thanks,
Title: Re: Mysterious "sendto: Permission denied"
Post by: mimugmail on February 17, 2022, 02:48:25 PM
Hm, I always was under the impression that SNAT doesn't work with route-based tunnels .. was this also working with 21.7?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
Title: Re: Mysterious "sendto: Permission denied"
Post by: GaardenZwerch on February 22, 2022, 01:14:07 PM
Hi,
no this didn't work with earlier releases AFAIK.
I remember trying to do SNAT before route-based IPsec on a different site, but I ended up with a different solution as I couldn't get it to work.
Title: Re: Mysterious "sendto: Permission denied"
Post by: GaardenZwerch on March 31, 2022, 01:06:29 PM
Quote from: mimugmail on February 17, 2022, 02:48:25 PM
Hm, I always was under the impression that SNAT doesn't work with route-based tunnels .. was this also working with 21.7?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
Hi Michael,
does this make sense:

sysctl net.enc.out.ipsec_filter_mask=0
sysctl net.enc.in.ipsec_filter_mask=0
sysctl net.enc.out.ipsec_bpf_mask=0
sysctl net.enc.in.ipsec_bpf_mask=0
sysctl net.inet.ipsec.filtertunnel=1
sysctl net.inet.ipsec6.filtertunnel=1

(found here https://www.reddit.com/r/OPNsenseFirewall/comments/ts86eh/ipsec_gateway_as_upstream_gateway/ )
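As an added example (not code from the thread or from the OPNsense project), a small POSIX sh audit that compares a box's current values for the six sysctls posted above against the posted set, reading ordinary FreeBSD `sysctl` output on stdin; the sample output in `ipsec_sysctl_demo` is constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Audit the IPsec filtering sysctls from the post above against a host's
# current values. Feed FreeBSD "sysctl" output ("key: value" per line) on
# stdin, e.g.:  sysctl net.enc net.inet.ipsec net.inet.ipsec6 | check_ipsec_sysctls
# Wanted values exactly as posted. Effect worth knowing before applying them:
# the four net.enc masks at 0 stop pf and bpf from seeing IPsec traffic on
# enc0, and filtertunnel=1 makes tunnel-mode packets get filtered on the
# real interfaces instead, so rules bound to the IPsec interface stop matching.
IPSEC_SYSCTL_WANT="net.enc.out.ipsec_filter_mask=0
net.enc.in.ipsec_filter_mask=0
net.enc.out.ipsec_bpf_mask=0
net.enc.in.ipsec_bpf_mask=0
net.inet.ipsec.filtertunnel=1
net.inet.ipsec6.filtertunnel=1"

# Prints OK / MISMATCH (with the current value) / MISSING for every key.
# Returns 0 only when every key is present and already at the wanted value.
check_ipsec_sysctls() {
    current=$(cat)
    rc=0
    while IFS='=' read -r key want; do
        # sysctl prints "key: value"; match on the key including the colon
        cur=$(printf '%s\n' "$current" | awk -v k="$key:" '$1 == k { print $2; exit }')
        if [ -z "$cur" ]; then
            echo "MISSING  $key (want $want)"
            rc=1
        elif [ "$cur" = "$want" ]; then
            echo "OK       $key=$cur"
        else
            echo "MISMATCH $key is $cur, want $want"
            rc=1
        fi
    done <<EOF
$IPSEC_SYSCTL_WANT
EOF
    return $rc
}

# Offline demo on constructed sysctl output (values chosen to show every
# outcome; net.inet.ipsec6.filtertunnel is deliberately left out).
ipsec_sysctl_demo() {
    printf '%s\n' \
        'net.enc.out.ipsec_filter_mask: 1' \
        'net.enc.in.ipsec_filter_mask: 0' \
        'net.enc.out.ipsec_bpf_mask: 3' \
        'net.enc.in.ipsec_bpf_mask: 0' \
        'net.inet.ipsec.filtertunnel: 0' \
        | check_ipsec_sysctls
}

if [ "${1:-}" = "demo" ]; then ipsec_sysctl_demo; fi
```

Run it with the argument `demo` for the offline sample, or pipe real `sysctl` output into `check_ipsec_sysctls` on the firewall; a non-zero exit means at least one value differs from the posted set.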
Title: Re: Mysterious "sendto: Permission denied"
Post by: mimugmail on April 01, 2022, 07:07:38 AM
I wrote about these values in the official FreeBSD bugtracker issue and was warned that when you mix route-based and legacy, one of them will break :/
Title: Re: Mysterious "sendto: Permission denied"
Post by: Sieg on April 13, 2024, 11:46:18 PM
Quote from: GaardenZwerch on February 16, 2022, 11:49:24 AM
Hi,
I have a weird behaviour somehow related to source NAT an route-based IPsec tunnels:
..

Maybe a block/reject rule at last position with Direction=out?