OPNsense Forum

English Forums => General Discussion => Topic started by: joost123 on December 22, 2023, 12:12:56 am

Title: OPNsense in azure - udp/icmp outbound nat does not work from spoke networks
Post by: joost123 on December 22, 2023, 12:12:56 am
Hi,

I have installed OPNsense in Azure as an NVA. The setup:

1 (hub) vnet with address spaces:
* 172.30.0.0/20
* 192.168.123.0/24

subnets:
* 172.30.1.0/24 (default)
* 192.168.123.0/24 (ext)

OPNsense network interfaces:
* WAN (hn0) 192.168.123.4 (DHCP)
* LAN (hn1) 172.30.1.254 (DHCP)

(172.30.1.254 (default subnet))-[OPNsense]-(192.168.123.4 (ext subnet)) <-> (public ip to internet)

I have created an outbound NAT rule for 172.30.0.0/16 and an Azure routing rule that 0.0.0.0/0 is routed through OPNsense (172.30.1.254). This works perfectly. All machines within the default subnet (172.30.1.0/24) can access the internet, no problem.

In addition to this I've added a spoke vnet with address range 172.30.32.0/20 and added a subnet 172.30.32.0/24. I created a peering to the hub vnet and also the Azure route (UDR) that all 0.0.0.0/0 traffic goes through OPNsense (172.30.1.254).

Now the problem:
I want outbound NAT from the peered vnet via OPNsense, so that machines have internet access.
This works perfectly for TCP traffic, but for ICMP/UDP it does not work.
Looking at the packet capture (see attachment), the reply from the server (ping to 1.1.1.1) is routed to the WAN interface, which (from my perspective) must be the LAN interface.
I've tried a lot of things with routes and UDR routes, but nothing got it to work.


Does someone have an idea what I am doing wrong?


Kind regards,
Joost
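One way to make the symptom in this post measurable rather than eyeballing two captures, as an added example that is not part of the original post or of OPNsense: pair each outbound ICMP echo / UDP datagram with its reply across per-interface tcpdump lines and flag flows whose reply either never makes it back to the LAN side or, as described above, is seen leaving the WAN interface with an inside destination. Interface names (hn0/hn1), the WAN address 192.168.123.4 and the 172.30.0.0/16 NAT range come from the post; the capture lines below are constructed (the post's attachment is not available), and the host addresses 172.30.32.10 and 172.30.1.20 are assumptions.

```python
"""Pair outbound ICMP/UDP packets with replies across per-interface tcpdump
lines and report flows whose reply path is wrong or incomplete.

The sample capture is constructed for this example; it is not the post's
attachment. Interface names, WAN address and NAT range follow the post."""
import ipaddress
import re
from collections import defaultdict

LAN_IF, WAN_IF = "hn1", "hn0"             # from the post
WAN_ADDR = "192.168.123.4"                # OPNsense WAN address (post)
INSIDE = [ipaddress.ip_network("172.30.0.0/16")]  # outbound NAT source range (post)

# tcpdump -n output shapes for ICMP echo and plain UDP (DNS/NTP are decoded
# differently by tcpdump and are not handled here).
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+)")
UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")

# Constructed (interface, line) pairs. Flow id 7 / UDP port 5000 come from an
# assumed spoke host 172.30.32.10; id 9 from an assumed hub host 172.30.1.20.
SAMPLE = [
    ("hn1", "IP 172.30.32.10 > 1.1.1.1: ICMP echo request, id 7, seq 1"),
    ("hn0", "IP 192.168.123.4 > 1.1.1.1: ICMP echo request, id 7, seq 1"),
    ("hn0", "IP 1.1.1.1 > 192.168.123.4: ICMP echo reply, id 7, seq 1"),
    # de-NATed reply leaving via WAN instead of LAN: the post's symptom
    ("hn0", "IP 1.1.1.1 > 172.30.32.10: ICMP echo reply, id 7, seq 1"),
    ("hn1", "IP 172.30.1.20 > 1.1.1.1: ICMP echo request, id 9, seq 1"),
    ("hn0", "IP 192.168.123.4 > 1.1.1.1: ICMP echo request, id 9, seq 1"),
    ("hn0", "IP 1.1.1.1 > 192.168.123.4: ICMP echo reply, id 9, seq 1"),
    ("hn1", "IP 1.1.1.1 > 172.30.1.20: ICMP echo reply, id 9, seq 1"),
    ("hn1", "IP 172.30.32.10.40000 > 1.1.1.1.5000: UDP, length 10"),
    ("hn0", "IP 192.168.123.4.40000 > 1.1.1.1.5000: UDP, length 10"),
    ("hn0", "IP 1.1.1.1.5000 > 192.168.123.4.40000: UDP, length 10"),
    # TCP is out of scope for this checker and is ignored
    ("hn1", "IP 172.30.32.10.51000 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0"),
]


def is_inside(addr):
    """True if addr falls in the NAT'd inside range."""
    return any(ipaddress.ip_address(addr) in net for net in INSIDE)


def parse(line):
    """Classify one tcpdump -n line.

    Returns (proto, src, dst, direction, ident) where ident is the ICMP echo id
    (assumed to survive NAT) or the remote UDP port; None for other traffic."""
    m = ICMP_RE.match(line)
    if m:
        src, dst, kind, ident = m.groups()
        return ("icmp", src, dst, "out" if kind == "request" else "in", ident)
    m = UDP_RE.match(line)
    if m:
        src, sport, dst, dport = m.groups()
        inbound = dst == WAN_ADDR or is_inside(dst)
        return ("udp", src, dst, "in" if inbound else "out", sport if inbound else dport)
    return None


def analyse(lines):
    """Return [(flow_key, finding)] for flows whose reply path is broken."""
    counters = ("lan_out", "wan_out", "wan_in", "lan_in", "leaked")
    flows = defaultdict(lambda: dict.fromkeys(counters, 0))
    for iface, line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        proto, src, dst, direction, ident = parsed
        remote = dst if direction == "out" else src
        flow = flows[(proto, remote, ident)]
        if direction == "out":
            flow["lan_out" if iface == LAN_IF else "wan_out"] += 1
        elif iface == WAN_IF and is_inside(dst):
            flow["leaked"] += 1          # reply with inside dst egressing WAN
        else:
            flow["wan_in" if iface == WAN_IF else "lan_in"] += 1

    findings = []
    for key, flow in sorted(flows.items()):
        if flow["leaked"]:
            findings.append((key, "reply to inside host seen on WAN instead of LAN"))
        elif flow["wan_in"] and not flow["lan_in"]:
            findings.append((key, "reply reached WAN but never forwarded to LAN"))
    return findings


if __name__ == "__main__":
    for (proto, remote, ident), msg in analyse(SAMPLE):
        print(f"{proto} {remote} ident={ident}: {msg}")
```

Feed it lines from `tcpdump -ni hn0` and `tcpdump -ni hn1` tagged with their interface; a flow that shows up only under the first finding is the routing/NAT-state problem the post describes, while the second finding distinguishes "reply never un-NATed" from "reply un-NATed but sent the wrong way".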