Last night, we upgraded from 21.7.8 to 22.1.8, and Windows file sharing across the IPsec VPN is not working. Using the Microsoft diagnostic, it said the server is listening but not responding. Now, our workaround is to create a rule on LAN to allow LANnet (172.16.33.x) to access the File Server on the remote site (10.3.32.x) on the Firewall Server (172.16.33.x network).
Prior to the upgrade, everything was working fine. No change to the firewall on both sites. Both sites are using OPNsense 22.1.8. Any idea what might have caused this?
Regards,
Somnuk
In the 22.1.8 changelog the only things about the firewall I could find are these:
- firewall: various usability and visibility improvements for aliases
- firewall: performance improvement for large numbers of port type aliases
- firewall: simplify sort and add natural sorting in alias diagnostics
I suppose your network looks something like this?
[SMB Clients] <-- 172.16.33.x --> [OPNsense 1] <-- IPSec (WAN) --> [OPNsense 2] <-- 10.3.32.x --> [SMB Server]
Can you show what your firewall rules look like? And do you have multiple gateways?
I haven't used IPsec with OPNsense yet, only OpenVPN and WireGuard, but from the other recent posts, it seems like there might be issues with both IPsec and aliases in 22.1.8.
We created an alias SMB_Ports 137:139;445. This SMB_Ports alias is used on the WAN rules that block incoming traffic from WAN and also on LAN rules to WAN Net. For IPsec rules, allow any to any, no blocking. I have tried disabling all these rules, but the problem persists. Clients cannot access SMB shares on remote sites.
Regards,
Somnuk
On the source firewall, I disabled anything related to SMB ports, but the error still shows below.
LAN 2022-05-28T10:50:05 172.16.33.84:55654 10.3.32.12:139 tcp Default deny / state violation rule
LAN 2022-05-28T10:50:04 172.16.33.84:55654 10.3.32.12:139 tcp Default deny / state violation rule
LAN 2022-05-28T10:50:04 172.16.33.84:55653 10.3.32.12:445 tcp Default deny / state violation rule
LAN 2022-05-28T10:50:03 172.16.33.84:55653 10.3.32.12:445 tcp Default deny / state violation rule
So, I created a rule to allow LAN Net to access the remote network; now traffic goes through and the log looks like below. Since I use IPsec tunneling, it should look at the IPsec rules in the first place, but instead it looks at the LAN rules first. Is my understanding correct? The old version of OPNsense had no problem; the problem occurs in 22.1.8.
IPsec 2022-05-28T10:58:32 172.16.33.84:55718 10.3.32.12:445 tcp IPsec internal host to host
IPsec 2022-05-28T10:58:32 172.16.33.84:55716 10.3.32.12:445 tcp IPsec internal host to host
IPsec 2022-05-28T10:58:30 172.16.33.84:55694 10.3.32.30:445 tcp IPsec internal host to host
Regards,
Somnuk
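A small triage helper, written in Python, that pulls the denied SMB attempts toward the tunnel subnet out of live-log lines in the format pasted above. This is an added example, not code from the thread or from OPNsense; the SMB_Ports alias contents (137:139;445) and the 10.3.32.0/24 remote subnet are assumed from the posts, and the sample log lines are constructed copies in that format.

```python
import ipaddress
import re

# Constructed sample lines in the format pasted in the thread (not a real capture).
SAMPLE_LOG = """\
LAN 2022-05-28T10:50:05 172.16.33.84:55654 10.3.32.12:139 tcp Default deny / state violation rule
LAN 2022-05-28T10:50:04 172.16.33.84:55653 10.3.32.12:445 tcp Default deny / state violation rule
IPsec 2022-05-28T10:58:32 172.16.33.84:55718 10.3.32.12:445 tcp IPsec internal host to host
LAN 2022-05-28T10:59:01 172.16.33.84:55800 8.8.8.8:443 tcp Default deny / state violation rule
"""

# Assumed values: the thread's SMB_Ports alias (137:139;445) and the remote tunnel subnet.
SMB_PORTS = set(range(137, 140)) | {445}
REMOTE_NET = ipaddress.ip_network("10.3.32.0/24")

# iface timestamp src:port dst:port proto rule-description
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<rule>.+)$"
)

def parse_line(line):
    """Parse one live-log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d

def smb_tunnel_denies(log_text, remote_net=REMOTE_NET, smb_ports=SMB_PORTS):
    """Return entries where SMB traffic to the remote tunnel subnet was denied
    by a ruleset on a non-IPsec interface (the symptom described in the thread)."""
    hits = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue  # skip blank or unparseable lines instead of crashing
        if (e["dport"] in smb_ports
                and ipaddress.ip_address(e["dst"]) in remote_net
                and "deny" in e["rule"].lower()
                and e["iface"].lower() != "ipsec"):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in smb_tunnel_denies(SAMPLE_LOG):
        print(f'{e["iface"]} {e["ts"]} {e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]} ({e["rule"]})')
```

Feed it the output of the firewall live log export to see at a glance which interface's ruleset is dropping the SMB sessions that should have matched the IPsec rules.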
Are you really talking about 22.1.8 or 22.1.8_1? 22.1.8 has a known problem with network aliases which might account for all your described problems.
I have a similar problem with 22.1.8_1, but it is not permanent. My SMB shares are working most of the time, but sometimes they stop working over the IPsec tunnel while pinging is still OK. After some time it will work again.