There is an organization network and everything works properly. The organization built another building. The networks are connected using a secure channel (KSPD). The problem is that from the address 10.62.65.13 you can easily connect to 10.62.70.59, but in the opposite direction OPNsense blocks the connection. For the third day I cannot understand what is causing this. Please help me solve the problem.
network diagram (https://ibb.co/qY7sSqmk)
lan (https://ibb.co/nq8Bm6wm)
KSPD (https://ibb.co/Kcb548tz)
log (https://ibb.co/FbzmDPwF)
Your rule on the KSPD allows access only from source IPs out of the KSPD net, which is 10.62.65.0/24. However, the arriving packet from the remote site is not translated; it comes from 10.62.70.59.
So you probably want to allow access from 10.62.70.0/24.
Yes, I need to be able to connect from 10.62.70.10/24 to 10.62.65.0/24, and even better, I need the 172.17.32.0/21 network to also be able to interact with these networks.
So configure the rules accordingly.
And if it's the WAN interface also go to the interface settings and uncheck "block private addresses".
Please tell me what rule and on what interface should there be so that 10.62.70.0/24 can interact with all other networks?
As I wrote above already, on the KSPD interface add a rule
source: 10.62.70.0/24
destination: LAN net
> and even better, I need the 172.17.32.0/21 network to also be able to interact with these networks.
This requires that the KSPD routes the traffic to OPNsense. I assume you're actually NATting the traffic?
Yes, I NAT the traffic so that the LANs are united into one network.
I did as you said, but OPNsense still blocks the connection.
KSPD (https://ibb.co/5WcHKZ08)
log (https://ibb.co/VWhQD0Lc)
This is a different interface and different sources though.
And the blocked packets are SYN-ACKs, which indicates asymmetric routing.
Does the destination device use a different default gateway than OPNsense by any chance?
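Two checks from this thread are easy to automate: whether a firewall rule's source network actually covers the addresses arriving on that interface (the 10.62.65.0/24 vs. 10.62.70.0/24 point above), and whether the blocked packets in a log are SYN-ACKs with no preceding SYN seen by the firewall, the asymmetric-routing signature just described. The script below is an added example, not code from the thread or from OPNsense; it parses a constructed, simplified one-line-per-packet log (not the real OPNsense filterlog format) using the thread's addresses, and the rule dictionaries, function names and the 172.17.39.20 host are assumptions made for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log, one packet per line:
#   action iface proto src:sport > dst:dport tcpflags
# Simplified for the example; NOT OPNsense's real filterlog format.
# Here every packet is logged. The SYN from 10.62.70.59 to 10.62.65.13 never
# crosses the firewall (it went directly via the KSPD device), but the host's
# SYN-ACK reply does, and is blocked because no state exists for it.
SAMPLE_LOG = """\
pass  KSPD tcp 10.62.70.59:51234 > 172.17.39.20:443 S
pass  LAN  tcp 172.17.39.20:443 > 10.62.70.59:51234 SA
block LAN  tcp 10.62.65.13:3389 > 10.62.70.59:52000 SA
block LAN  tcp 10.62.65.13:445 > 10.62.70.59:52001 SA
block KSPD tcp 10.62.70.77:40000 > 10.62.65.13:22 S
"""

LINE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_asymmetric_replies(entries):
    """Return blocked TCP SYN-ACKs for which the firewall never passed the
    matching SYN in the opposite direction. A stateful firewall drops such
    replies, and their presence means the request reached the host some
    other way (asymmetric routing)."""
    passed_syns = {
        (e["src"], e["sport"], e["dst"], e["dport"])
        for e in entries
        if e["action"] == "pass" and e["proto"] == "tcp" and e["flags"] == "S"
    }
    return [
        e for e in entries
        if e["action"] == "block" and e["proto"] == "tcp" and e["flags"] == "SA"
        # reverse the tuple: the SYN went dst->src relative to this reply
        and (e["dst"], e["dport"], e["src"], e["sport"]) not in passed_syns
    ]


def rule_matches(rule, src, dst):
    """True if a packet src->dst falls inside the rule's source and destination networks."""
    return (ip_address(src) in ip_network(rule["source"])
            and ip_address(dst) in ip_network(rule["destination"]))


# Assumed rule dictionaries: the rule as first described (source = KSPD net itself)
# and the corrected one (source = the remote site's 10.62.70.0/24).
ORIGINAL_RULE = {"iface": "KSPD", "source": "10.62.65.0/24", "destination": "172.17.32.0/21"}
CORRECTED_RULE = {"iface": "KSPD", "source": "10.62.70.0/24", "destination": "172.17.32.0/21"}


if __name__ == "__main__":
    remote, server = "10.62.70.59", "172.17.39.13"
    for name, rule in (("original", ORIGINAL_RULE), ("corrected", CORRECTED_RULE)):
        print(f"{name} rule covers {remote}->{server}: {rule_matches(rule, remote, server)}")
    for e in find_asymmetric_replies(parse_log(SAMPLE_LOG)):
        print(f"blocked SYN-ACK without seen SYN: {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} on {e['iface']} (request bypassed the firewall?)")
```

Running it reports that the original rule does not cover traffic from 10.62.70.59 while the corrected one does, and flags the two blocked SYN-ACKs from 10.62.65.13 as replies whose request never passed the firewall; the blocked plain SYN on the last line is an ordinary rule drop and is not flagged.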
Organization A KSPD
gateway 10.62.65.254
Organization B KSPD
gateway 10.62.65.254
lan gateway 172.17.32.1
Both organizations use a coordinator to communicate with each other via the KSPD channel.
What we are seeing as blocked in the recent log is obviously a response packet from 10.62.65.13. This means that the request packet obviously didn't pass OPNsense.
So possibly it went directly from the KSPD to 10.62.65.13. But this machine uses OPNsense as its default gateway and hence sends packets destined to the other building to it.
Your network diagram shows that the KSPD also has an IP in 10.62.65.0/24. Naturally it sends packets destined to 10.62.65.13 directly to the device, not to OPNsense.
I'll try to fix the network now
Now incoming traffic from IP 10.62.70.59/24 has completely disappeared, there is only outgoing traffic.
This is the only thing that is recorded in the log (https://ibb.co/cKfYtc4p)
I started DHCP on KSPD and got this log
log (https://ibb.co/gZS7Cmdb)
Quote from: Shild73 on June 05, 2025, 06:31:53 PM
> Now incoming traffic from IP 10.62.70.59/24 has completely disappeared, there is only outgoing traffic.
Did you even enable logging in the rule?
Quote from: viragomann on June 05, 2025, 05:30:12 PM
> What we are seeing as blocked in the recent log is obviously a response packet from 10.62.65.13. This means that the request packet obviously didn't pass OPNsense.
> So possibly it went directly from the KSPD to 10.62.65.13. But this machine uses OPNsense as its default gateway and hence sends packets destined to the other building to it.
> Your network diagram shows that the KSPD also has an IP in 10.62.65.0/24. Naturally it sends packets destined to 10.62.65.13 directly to the device, not to OPNsense.
I disabled the second interface on the server, which was directly connected to 10.62.65.0/24. Only the LAN address 172.17.39.13/21 remained, and additionally I added 10.62.65.13 to that network card.
Another log (https://ibb.co/nNf9kRCt)
Personally, I don't get the overall topology.
OrgA (Right):
The FW icon is OPN, right?
With 3 interfaces?
* WAN - 192.168.0.254/24
* LAN - 172.17.32.1/21
* KSPD_A - 10.62.65.254/24
OrgB (Left) has one interface KSPD_B - 10.62.70.254/24
Clarity would be improved if interfaces had different names in both orgs... We're looking at screens and it's not obvious which side they belong to.
Quote from: Shild73 on June 05, 2025, 05:12:27 PM
> ...
> Both organizations use a coordinator to communicate with each other via the KSPD channel.
What does that mean?
And then there's a machine in OrgA that's dual homed (on LAN & KSPD)???
Quote from: EricPerl on June 05, 2025, 11:02:24 PM
> OrgA (Right):
> The FW icon is OPN, right?
> With 3 interfaces?
> * WAN - 192.168.0.254/24
> * LAN - 172.17.32.1/21
> * KSPD_A - 10.62.65.254/24
Yes, this is an OPNsense.
The WAN is used to access the Internet. KSPD is a secure network with no Internet access. To access both networks from the same computer, I use a LAN with access to services prescribed via System: Routes.
interface (https://iimg.su/i/RE8KKZ)
Quote from: EricPerl on June 05, 2025, 11:02:24 PM
> OrgB (Left) has one interface KSPD_B - 10.62.70.254/24
> Clarity would be improved if interfaces had different names in both orgs... We're looking at screens and it's not obvious which side they belong to.
coordinator (https://infotecs.ru/products/vipnet-coordinator-hw-4/)
Quote from: EricPerl on June 05, 2025, 11:02:24 PM
> And then there's a machine in OrgA that's dual homed (on LAN & KSPD)???
I tried to register 172.17.39.13/21 and 10.62.65.13/24 on the same interface so that 10.65.70.59 would gain access to the server.
I'm not opening that coordinator link and all info on that product seems to be in Russian anyway.
I'll assume some sort of overlay network to establish site-to-site connectivity. Is it essentially a VPN appliance?
I assume the loop is completed over the Internet. That initial diagram is clearly missing pieces...
Do you confirm?
There's another router with internet connectivity in OrgB? OPN as well?
And please attach screenshots directly to your reply (using preview or reply, versus quick reply).
I'm not following another link in this thread.
The root cause was asymmetric routing: the initial packet from 10.62.70.59 reached its destination via a direct path (likely bypassing OPNsense), but the response went back through OPNsense, which dropped it due to missing state.
Also, it's crucial to use standard network terminology.
The term "KSPD" is not a recognized networking acronym and only leads to confusion. If it's a VPN or site-to-site tunnel, refer to it as such.