Dear all,
Inside my LAN, there is a wireguard server (connecting to other sites, of course).
My OPNsense knows about the route.
Now, if I access one of my Cloud Servers (using my PC), the outgoing connection will go via the OPNsense:
laptop:~$ tracepath -n 10.20.50.7
1?: [LOCALHOST] pmtu 1412
1: 192.168.150.1 1.284ms
1: 192.168.150.1 1.047ms <--- OPNSense
2: 192.168.150.150 1.585ms asymm 1 <--- wireguard server LAN Interface
3: 10.20.50.1 25.557ms asymm 2
4: 10.20.50.7 25.343ms !H
Resume: pmtu 1412
However, the way back into the LAN does NOT go via the OPNsense:
cloud-server-1:~# tracepath -n 192.168.150.205
1?: [LOCALHOST] pmtu 1280
1: 10.20.50.1 0.700ms
1: 10.20.50.1 0.591ms
2: 10.20.50.3 22.306ms <--- Wireguard Server wg0 Interface
3: 192.168.150.205 23.537ms reached
Resume: pmtu 1280 hops 3 back 3
Since OPNsense doesn't see the incoming traffic, the State Table will close any SSH connection after 15 minutes (Firewall Optimization is set to "conservative"). I call this situation "suboptimal".
Is anybody kind enough to give me a hand?
How can I get around this situation?
Is there a way to tell OPNsense "If traffic is going this way (10.20.50.0/24), never close the connection"?
At the moment, I am a little bit clueless...
Kind regards!
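The diagnosis above rests on comparing the two tracepath runs by hand. As an added example (not part of the original post, and not an OPNsense tool), the script below parses tracepath -n output in the format shown and reports whether a given firewall address appears on both the forward and the return path; if it is only on one of them, the firewall's state table never sees the other direction of the flow. The two sample outputs are constructed from the hops listed in the post; the firewall address 192.168.150.1 is taken from the "<--- OPNSense" annotation.

```python
"""Detect asymmetric routing from two tracepath(8) runs, one per direction.

Added example, not from the forum thread. The sample outputs are constructed
from the hops the original poster listed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A hop line looks like " 2:  192.168.150.150   1.585ms asymm 1"; the first
# line uses "1?:" and "[LOCALHOST] pmtu N" and is skipped by HOP_RE.
HOP_RE = re.compile(r"^\s*(\d+)\??:\s+(\S+)\s+([\d.]+)ms(?:\s+asymm\s+(\d+))?")
PMTU_RE = re.compile(r"\bpmtu\s+(\d+)")


@dataclass
class Hop:
    ttl: int
    addr: str
    rtt_ms: float
    asymm: Optional[int]  # tracepath's own hint: reply came back over a different hop count


@dataclass
class Trace:
    hops: list
    pmtu: Optional[int]

    def addrs(self):
        return [h.addr for h in self.hops]


def parse_tracepath(text: str) -> Trace:
    """Parse `tracepath -n` output. Repeated probes for the same TTL are
    collapsed to the first address seen; '[LOCALHOST]' and 'no reply' lines
    do not match HOP_RE and are skipped. The last 'pmtu N' seen wins."""
    by_ttl = {}
    pmtu = None
    for line in text.splitlines():
        m = PMTU_RE.search(line)
        if m:
            pmtu = int(m.group(1))
        m = HOP_RE.match(line)
        if not m:
            continue
        ttl, addr, rtt, asymm = m.groups()
        ttl = int(ttl)
        if ttl not in by_ttl:
            by_ttl[ttl] = Hop(ttl, addr, float(rtt), int(asymm) if asymm else None)
    return Trace([by_ttl[t] for t in sorted(by_ttl)], pmtu)


def check_symmetry(forward: Trace, reverse: Trace, firewall_addrs) -> dict:
    """Report whether a stateful firewall (any address in firewall_addrs) sits
    on both paths. If it sees only one direction, its state table never
    sees the return packets, and the state is left to time out."""
    fw = set(firewall_addrs)
    on_fwd = any(a in fw for a in forward.addrs())
    on_rev = any(a in fw for a in reverse.addrs())
    return {
        "firewall_on_forward": on_fwd,
        "firewall_on_return": on_rev,
        "asymmetric": on_fwd != on_rev,
        # TTLs where tracepath itself flagged an asymmetric reply path
        "tracepath_asymm_hints": [h.ttl for h in forward.hops + reverse.hops if h.asymm],
        "pmtu": (forward.pmtu, reverse.pmtu),
    }


# Constructed sample: laptop -> cloud server, as posted (annotations removed).
FORWARD = """\
 1?: [LOCALHOST]                      pmtu 1412
 1:  192.168.150.1                    1.284ms
 1:  192.168.150.1                    1.047ms
 2:  192.168.150.150                  1.585ms asymm  1
 3:  10.20.50.1                      25.557ms asymm  2
 4:  10.20.50.7                      25.343ms !H
     Resume: pmtu 1412
"""

# Constructed sample: cloud server -> laptop, as posted.
REVERSE = """\
 1?: [LOCALHOST]                      pmtu 1280
 1:  10.20.50.1                       0.700ms
 1:  10.20.50.1                       0.591ms
 2:  10.20.50.3                      22.306ms
 3:  192.168.150.205                 23.537ms reached
     Resume: pmtu 1280 hops 3 back 3
"""

if __name__ == "__main__":
    report = check_symmetry(parse_tracepath(FORWARD), parse_tracepath(REVERSE),
                            {"192.168.150.1"})  # OPNsense LAN address, from the post
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the posted traces this reports firewall_on_forward True, firewall_on_return False and asymmetric True, which is exactly the condition under which a stateful rule on OPNsense only ever sees the client-to-server half of the TCP session. The differing path MTUs (1412 out, 1280 back) are reported as well, since a WireGuard hop in only one direction is another sign of the two paths not being mirror images.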
Answering my own question:
mimugmail posted a short but effective answer (https://forum.opnsense.org/index.php?topic=34815.msg168643#msg168643), saying:
Quote: In GUI set the filter rule, at the bottom tick advanced, scroll down, "keep state" to none
Indeed, this solved my troubles.
Chapeau! Thank you, mimugmail!
Since stateful filtering is a reasonable setting, why don't you activate keepalive for the SSH connection?
In .ssh/config place:
Host *
    ServerAliveInterval 30