I have a weird issue. I push a route 192.168.4.0/24 to the client. At the client, route shows the following correctly:
root@237:/etc/openvpn# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway.xx. 0.0.0.0 UG 0 0 0 eth0
xx.xx.232.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0
192.168.4.0 192.168.25.1 255.255.255.0 UG 0 0 0 tun0
192.168.25.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
However, I cannot access any machine on 192.168.4.xx. Sporadically, after reboot of firewall or the client side, a connection is possible. Further, in case I add further routes to other subnets of the firewall, these work immediately.
In the firewall log I see the connection incoming. It seems to be routed to the correct interface. But then no response.
Does anyone have an idea how the track the problem and find a solution?
Do(es) the system(s) in 192.168.4.0/24 know the route back to the client?
How can I check that? The target system .4.101 is a synology disk station running nextcloud
Does this system have ssh and tcpdump? On the OPNsense do you see any reply packets when you run tcpdump on the interface with 192.168.4.0/24?
Yes, ssh and tcpdump are available. From Opnsense Terminal I can SSH into the synology (ssh 192.168.4.101). tcpdump on opnsense on the 192.168.4.0 interface provides a lot of traffic. I can also do SSH into the synology from other subnets (192.168.2.0)
I just realized that I cannot ping anything including the gateway from the synology system. Ping using ipv6 works fine, but not IPv4? When I change the static IP of the synology system, ping works. In case I change it back to 192.168.4.101, it stops working. Weird.
It works. I have no idea why. Ping from synology to Opnsense started to work when I rebooted opnsense. So, something in Opnsense has blocked connections. I have no idea what. After the reboot, it appeared to work fine.
Remark: I assume it was Crowdsec that blocked the IP. Not sure.