OPNsense Forum
English Forums => Virtual private networks => Topic started by: johannes214 on August 11, 2023, 10:57:40 am
-
Hi,
I've set up a tunnel from an old Raspberry Pi to my OPNsense firewall and want to connect both local subnets through this tunnel. The best solution would be a site-to-site connection between the two routers. Sadly this is not possible because one of the boxes is "managed by the ISP" with very limited customization options.
For an overview of the network topology please see the attachment.
Additional information:
- clientA1 and routerB are connected through a WireGuard tunnel
- routerA is a Fritzbox
- routerB is my opnsense box
I'm able to ping the following hosts:
from clientB1: ping 192.168.2.142; ping 10.10.10.3
from clientA1: ping 192.168.15.1; ping 10.10.10.1; ping 192.168.15.100
My goal is to establish a connection from clientB1 to clientA2 (later on I want to extend this to open a connection in the reversed direction).
For clientA1 I enabled routing:
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and added two rules:
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Unfortunately this setup is not complete yet?!? Tracing the route from routerB to routerA ends at 10.10.10.3:
traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 40 byte packets
1 10.10.10.3 (10.10.10.3) 83.402 ms 82.809 ms 57.917 ms
2 * * *
Could you give me a hint what pieces are missing?
Regards
Johannes
-
Router A and client A2 don't know that 192.168.15.0/24 and 10.10.10.0/24 are reachable via client A1 (192.168.2.142). You need to create static routes on router A, or if that's not possible (because crappy CPE), directly on client A2.
Cheers
Maurice
-
Hi Maurice,
thanks for your response. OK, I will add these routes on routerA.
But I'm a little bit confused. Shouldn't I already be able to ping routerA from routerB? All necessary routes should be available.
Routes on routerB:
netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 178.200.132.1 UGS igc0
10.10.10.0/24 link#10 U wg1
10.10.10.1 link#10 UHS lo0
192.168.2.0/24 link#10 US wg1
Routes on clientA1:
ip r
default via 192.168.2.1 dev eth0 proto dhcp src 192.168.2.142 metric 202
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.3
192.168.2.0/24 dev eth0 proto dhcp scope link src 192.168.2.142 metric 202
192.168.15.0/24 dev wg0 scope link
Johannes
-
But I'm a little bit confused. Shouldn't I already be able to ping routerA from routerB? All necessary routes should be available.
Router B and client A1 do have all the required routes, but router A doesn't. It doesn't know that 192.168.2.142 is the gateway for 192.168.15.0/24 and 10.10.10.0/24. So the ping (echo request) will reach router A, but it doesn't know that it should send the reply to 192.168.2.142. So the reply doesn't reach router B and the ping fails.
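To make the asymmetry Maurice describes visible, here is an added simulation (not code from the thread or from OPNsense): it rebuilds the routing tables quoted above as longest-prefix-match tables, forwards an echo request hop by hop, then forwards the reply from wherever the request landed. clientA2's address (192.168.2.50), the default routes of clientB1 and clientA2, and routerA's ISP uplink are assumptions; the WireGuard `dev wg0` routes to remote networks are modelled as next-hop = the tunnel peer. The `static_routes_on` argument covers both of Maurice's options (routes on routerA, or directly on clientA2). Note that the option chosen also decides exposure: routes on routerA make the B side reachable from the whole A LAN, routes on clientA2 only from that one host, and the `eth0 -> wg0` FORWARD rule on clientA1 quoted earlier still limits the A side to replying, not opening, connections through the tunnel.

```python
"""Longest-prefix-match simulation of the thread's topology.

Added example, not from the forum post. Addresses and routes come from
the routing tables quoted in the thread; clientA2's address (192.168.2.50),
the clientB1/clientA2 default routes and routerA's ISP uplink are assumptions.
WireGuard 'dev wg0' routes to remote networks are modelled as next-hop =
the tunnel peer's address.
"""
import ipaddress

# Which host owns which address (constructed from the thread).
ADDRS = {
    "clientB1": ["192.168.15.100"],
    "routerB": ["192.168.15.1", "10.10.10.1"],
    "clientA1": ["10.10.10.3", "192.168.2.142"],
    "routerA": ["192.168.2.1"],
    "clientA2": ["192.168.2.50"],  # assumed address, not on the page
}
OWNER = {ip: host for host, ips in ADDRS.items() for ip in ips}

# The routes the A side is missing: clientA1 (192.168.2.142) is the
# gateway for the B-side LAN and for the tunnel network.
STATIC_ROUTES = [("192.168.15.0/24", "192.168.2.142"),
                 ("10.10.10.0/24", "192.168.2.142")]


def make_tables(static_routes_on=None):
    """Per-host routing tables as (prefix, gateway); gateway None = on-link.

    static_routes_on: None, "routerA" or "clientA2" (Maurice's two options).
    """
    tables = {
        "clientB1": [("192.168.15.0/24", None), ("0.0.0.0/0", "192.168.15.1")],
        "routerB": [("192.168.15.0/24", None), ("10.10.10.0/24", None),
                    ("192.168.2.0/24", "10.10.10.3")],      # "192.168.2.0/24 US wg1"
        "clientA1": [("10.10.10.0/24", None), ("192.168.2.0/24", None),
                     ("192.168.15.0/24", "10.10.10.1"),     # "dev wg0" -> peer routerB
                     ("0.0.0.0/0", "192.168.2.1")],
        "routerA": [("192.168.2.0/24", None), ("0.0.0.0/0", "isp-uplink")],  # assumed
        "clientA2": [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")],
    }
    if static_routes_on is not None:
        tables[static_routes_on] = STATIC_ROUTES + tables[static_routes_on]
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns (network, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def trace(tables, src_host, dst, max_hops=10):
    """Forward one packet hop by hop; returns (path, delivered)."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        if dst in ADDRS[host]:
            return path, True
        route = lookup(tables[host], dst)
        if route is None:               # no route at all: "network unreachable"
            return path, False
        _, gw = route
        next_host = OWNER.get(dst if gw is None else gw)
        if next_host is None:           # handed to the ISP uplink: never comes back
            return path, False
        path.append(next_host)
        host = next_host
    return path, False


def ping(tables, src_host, src_ip, dst_ip):
    """Echo request plus echo reply; a ping only succeeds if both are delivered."""
    req_path, req_ok = trace(tables, src_host, dst_ip)
    if not req_ok:
        return {"request": req_path, "reply": [], "ok": False}
    reply_path, reply_ok = trace(tables, req_path[-1], src_ip)
    return {"request": req_path, "reply": reply_path, "ok": reply_ok}


if __name__ == "__main__":
    for where in (None, "routerA", "clientA2"):
        t = make_tables(where)
        print(f"static routes on {where}:")
        print("  routerB -> routerA:  ", ping(t, "routerB", "10.10.10.1", "192.168.2.1"))
        print("  clientB1 -> clientA2:", ping(t, "clientB1", "192.168.15.100", "192.168.2.50"))
```

Without the static routes the request from routerB reaches routerA via clientA1, but the reply to 10.10.10.1 follows routerA's default route and is lost, which is exactly the `* * *` in the traceroute above. With the routes on routerA both pings succeed; with them only on clientA2, clientB1 can reach clientA2 but routerA itself still cannot answer routerB.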
-
Perfect, that did the trick ;)