OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: rrosson on March 20, 2022, 04:28:20 PM

Title: Site 2 Site route based (VTI) Netmask Issues
Post by: rrosson on March 20, 2022, 04:28:20 PM
In setting up multiple site 2 site route based VTI connections following https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html I think I discovered a possible bug. Both sides are running OPNsense version 22.1.3.

I had two site 2 site VTIs configured and when adding a third I discovered that the netmask is not consistent.

My Side IP    Other Side IP   Netmask   Description
10.111.1.1    10.111.1.2      30        remote site 1
10.111.1.3    10.111.1.4      29        remote site 2
10.111.1.5    10.111.1.6      30        remote site 3

When I go to add 'remote site 3' it breaks site 2. To work around this I changed the second octet to 112 for site 3 on both sides. This brings up the tunnel but the routing is only working to each of the firewalls. Neither side is able to get to the networks that they have routes for.

Both sites have unique IP networks on each side and do not clash.

This appears to only reveal itself when doing more than two site 2 site route based IPsec VPN.

Any ideas?

TIA
-Ron
Title: Re: Site 2 Site route based (VTI) Netmask Issues
Post by: franco on March 21, 2022, 07:49:13 AM
Hi Ron,

Your /29 subnet overlaps with both /30, easy to check with https://jodies.de/ipcalc


Cheers,
Franco
Title: Re: Site 2 Site route based (VTI) Netmask Issues
Post by: rrosson on March 21, 2022, 01:58:02 PM
@Franco I am totally aware but I cannot find a way or a place to set the netmask when doing a Site route based (VTI) VPN. I even double checked the docs to make sure I did not miss anything before writing this reply.

TIA,
Ron
Title: Re: Site 2 Site route based (VTI) Netmask Issues
Post by: franco on March 21, 2022, 02:02:28 PM
Hi Ron,

It's calculated from the smallest possible subnet that can hold these IPs:

https://github.com/opnsense/core/commit/9e44d9a1a92

The issue is that the IPs 10.111.1.3 - 10.111.1.4 are not spread out so that they bleed into the other subnets A and C. If you use the following it should work:

10.111.1.9   10.111.1.10   (30)   remote site 2


Cheers,
Franco
Title: Re: Site 2 Site route based (VTI) Netmask Issues
Post by: rrosson on March 21, 2022, 02:32:21 PM
@Franco. I see that, but why did the first VPN set a /30, the second VPN set a /29, and when trying to add a third VPN it sets a /30 that conflicts with the second VPN? When doing a VPN like this why would you need something bigger than a /30?

TIA,
Ron
Title: Re: Site 2 Site route based (VTI) Netmask Issues
Post by: franco on March 21, 2022, 02:40:42 PM
Hi Ron,

Because CIDR networks are not "sliding" windows, you get slots of subnets to fit in, so 10.111.1.3 and 10.111.1.4 belong to different /30 subnets...

Network:   10.111.1.0/30         00001010.01101111.00000001.000000 00 (Class A)
Broadcast: 10.111.1.3            00001010.01101111.00000001.000000 11
HostMin:   10.111.1.1            00001010.01101111.00000001.000000 01
HostMax:   10.111.1.2            00001010.01101111.00000001.000000 10

Network:   10.111.1.4/30         00001010.01101111.00000001.000001 00 (Class A)
Broadcast: 10.111.1.7            00001010.01101111.00000001.000001 11
HostMin:   10.111.1.5            00001010.01101111.00000001.000001 01
HostMax:   10.111.1.6            00001010.01101111.00000001.000001 10


Cheers,
Franco
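The two replies above describe the same mechanism: the VTI netmask is derived as the smallest aligned CIDR block that holds both tunnel endpoints, and because blocks are aligned, an unlucky pair such as .3/.4 widens to a /29 that swallows the neighbouring /30s. The following Python script is an added illustration (not OPNsense's own code, which lives in the linked commit) that reproduces that derivation with the standard library `ipaddress` module, using the three address pairs from the thread plus Franco's corrected pair for site 2 as constructed sample input, and reports which derived tunnel networks overlap. The widening loop starting from /32 is an assumption about how "smallest possible subnet" is computed; it agrees with the /30, /29, /30 values seen in the thread.

```python
import ipaddress

# Constructed sample input: the three VTI pairs from the thread as originally
# configured, and the same set with Franco's suggested pair for remote site 2.
THREAD_PAIRS = [
    ("10.111.1.1", "10.111.1.2", "remote site 1"),
    ("10.111.1.3", "10.111.1.4", "remote site 2"),
    ("10.111.1.5", "10.111.1.6", "remote site 3"),
]
FIXED_PAIRS = [
    ("10.111.1.1", "10.111.1.2", "remote site 1"),
    ("10.111.1.9", "10.111.1.10", "remote site 2"),
    ("10.111.1.5", "10.111.1.6", "remote site 3"),
]


def smallest_covering_subnet(local, remote):
    """Return the smallest aligned CIDR network containing both addresses.

    Assumption (this script's own approximation, not OPNsense's code): start
    at /32 for the local address and widen one bit at a time until the
    aligned block also contains the remote address. Because CIDR blocks are
    aligned to their size, .3 and .4 straddle a /30 boundary and can only
    share a /29.
    """
    a = ipaddress.ip_address(local)
    b = ipaddress.ip_address(remote)
    for prefix in range(a.max_prefixlen, -1, -1):
        # strict=False lets ip_network snap the host address to the block start.
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        if b in net:
            return net
    raise ValueError("unreachable: /0 contains every address")


def vti_subnets(pairs):
    """Derive (description, network) for each configured VTI endpoint pair."""
    return [(desc, smallest_covering_subnet(loc, rem)) for loc, rem, desc in pairs]


def find_overlaps(subnets):
    """Return index pairs (i, j) whose derived tunnel networks overlap."""
    hits = []
    for i in range(len(subnets)):
        for j in range(i + 1, len(subnets)):
            if subnets[i][1].overlaps(subnets[j][1]):
                hits.append((i, j))
    return hits


def report(pairs):
    """Print the derived netmask per tunnel and any conflicts; return conflicts."""
    subnets = vti_subnets(pairs)
    for desc, net in subnets:
        print(f"{desc:15} {net}")
    overlaps = find_overlaps(subnets)
    for i, j in overlaps:
        print(f"CONFLICT: {subnets[i][0]} ({subnets[i][1]}) "
              f"overlaps {subnets[j][0]} ({subnets[j][1]})")
    return overlaps


if __name__ == "__main__":
    print("As configured in the thread:")
    report(THREAD_PAIRS)
    print("\nWith 10.111.1.9 / 10.111.1.10 for remote site 2:")
    report(FIXED_PAIRS)
```

Running it shows the original set deriving /30, /29, /30 with site 2's /29 overlapping both neighbours, and the corrected set deriving three disjoint /30s. Picking each pair from its own aligned /30 (.1/.2, .5/.6, .9/.10, ...) is what keeps the derived masks from colliding when more tunnels are added.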
Title: Re: Site 2 Site route based (VTI) Netmask Issues
Post by: rrosson on March 22, 2022, 02:18:12 PM
Thanks Franco for showing me what I was doing wrong. 


Ron