OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: zemanek on October 04, 2024, 11:40:59 AM

Title: SNAT for traffic through route based VPN (VTI) ?
Post by: zemanek on October 04, 2024, 11:40:59 AM
Hello,

I have set up a route based VPN named T1 according to https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html:

Local VTI address: 10.101.177.2
Remote VTI address: 10.101.177.1

OPNsense WAN address: 10.100.177.10/24

This created interface T1. I created a gateway using this interface with IP 10.101.177.1 and added a route to 10.0.1.0/24 through this gateway.

Now when I ping a host in 10.0.1.0/24 from the OPNsense, I can see in the packet capture that packets going into the VPN have source IP address 10.101.177.2 (the local VTI address).

I need them to have source IP address 10.100.177.10. How do I do that? I tried setting SNAT for the T1 interface to have WAN interface address for anything going to 10.0.1.0/24 but that didn't help.

Title: Re: SNAT for traffic through route based VPN (VTI) ?
Post by: Monviech (Cedrik) on October 04, 2024, 01:06:22 PM
You need to set tunables to change the filter behavior of ipsec.

https://docs.opnsense.org/manual/vpnet.html#route-based-vti

Please note that you can ONLY have either filtering and NAT on enc0 (which is shown as IPsec in the GUI), OR on ipsecX interfaces.

Title: Re: SNAT for traffic through route based VPN (VTI) ?
Post by: zemanek on October 04, 2024, 02:01:19 PM
Thanks. I missed that. So I set those tunables. Now the ICMP does not even get into the VPN. I also noticed

Warning
Currently it does not seem to be possible to add NAT rules for if_ipsec(4) devices.

So I guess I am out of luck here...

Title: Re: SNAT for traffic through route based VPN (VTI) ?
Post by: Monviech (Cedrik) on October 04, 2024, 02:53:34 PM
https://forum.opnsense.org/index.php?topic=36254

Read this whole thread and a lot of your questions will be answered. :)

Title: Re: SNAT for traffic through route based VPN (VTI) ?
Post by: viragomann on October 04, 2024, 04:49:13 PM
Quote from: zemanek on October 04, 2024, 11:40:59 AM
I need them to have source IP address 10.100.177.10.

Why?
This would lead to asymmetric routing.

Title: Re: SNAT for traffic through route based VPN (VTI) ?
Post by: zemanek on October 07, 2024, 12:41:42 PM
@Monviech

Doesn't work for me. It seems that if I enable SNAT for the ipsec interface (using the WAN address as source IP), it is sending the test ICMP packets through the WAN interface and not through the ipsec interface as it should according to the routing table.

Title: Re: SNAT for traffic through route based VPN (VTI) ?
Post by: zemanek on October 07, 2024, 04:08:22 PM
Well, I looked at configuration XML and found that there are some references to nonexistent ipsec interfaces. As I previously encountered an issue with configuration of older OPNsense version / other instance with mixed up configuration after numerous experiments, I decided to do a factory reset and configure everything from scratch.

But now whenever I apply a new IPsec connection, I lose ALL connectivity to the OPNsense instance (I have to do a factory reset via the console).