Folks,
We are evaluating opnsense as a shared VPN gateway platform. We are trying to send traffic from our F5 machine to opnsense, but it is getting blocked at opnsense. Below are the rule details from Firewall -> Log Files -> Live View. Please help us understand why this is happening. We have been troubleshooting for hours with no success. Thanks.
__timestamp__ 2026-02-24T12:39:58
ack 0
action [block]
anchorname
datalen 0
dir [in]
dst 10.77.33.101
dsthostname 10.77.33.101
dstport 443
ecn
id 2507
interface hn2
ipflags DF
ipversion 4
label Default deny / state violation rule
length 40
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 4
seq 2427568749
src 198.18.250.10
srchostname 198.18.250.10
srcport 65005
status 2
subrulenr
tcpflags RA
tcpopts
tos 0x0
ttl 255
urp 0
Quote from: multazimd on Today at 01:50:00 PM
We are evaluating opnsense as a shared vpn gateway platform.
What VPN protocol is used?
Quote:
We are trying to send traffic from our F5 machine to opnsense but it is getting blocked at opnsense.
I see traffic getting blocked that comes from a public IP address 198.x.x.x and wants to go to a private IP address 10.x.x.x, and to be honest that makes no sense to me:
I would expect to see traffic between two public IP addresses, and once that traffic has made the right handshake the VPN traffic should appear between those two public IP addresses, using private IP addresses for the VPN traffic.
Are you sure you have got all the right firewall and NAT rules configured for this?
What does the VPN client configuration look like?
TL;DR: You need to post more information about your setup. Feel free to use fake IP addressing if needed...
It's an IPsec route-based VPN. Here is the logical architecture diagram of the traffic that is working for us from the remote end over public to opnsense:
Remote End -> OPNSENSE External Interface -> OPNSENSE VPN Tunnel -> OPNSENSE Internal Interface -> F5 LB -> App Machine
We have a requirement for our app machines to reverse-call certain private URLs on the remote end via the VPN tunnel established above, and we are not able to get this working.
Below is the logical architecture we are trying to achieve:
App Machine -> F5 -> OPNSENSE Internal Interface -> OPNSENSE VPN Tunnel Interface -> Remote End URL
Unfortunately, traffic is being dropped at the OPNSENSE internal interface by the default deny rule, which we do not have control over.
Quote from: multazimd on Today at 01:50:00 PM
[...]tcpflags RA[...]
Interesting. Generally you see default denies when there is no established session, often due to asymmetric routing (of which OPNsense is fairly tolerant). The RST suggests a closed port (in addition).
Quote from: nero355 on Today at 02:15:21 PM
[...]You need to post more information about your setup.[...]
Seconded. This means interfaces, rulesets, routing, and VPN state. Perhaps some basic verification of connectivity.
Someone with a similar setup and experience might happen by, but if you'd rather not wait...
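As an added example (not from this thread and not OPNsense's own code), the following script parses a Live View record in the "key value" layout pasted in the first post and applies the reasoning from the two replies to classify the block: a non-SYN packet hitting the state violation rule means the handshake never crossed this firewall in that direction, and RST+ACK in particular is the peer refusing a SYN the firewall never saw. The sample records and the verdict strings are constructed for the example.

```python
from typing import Dict

# Constructed sample, re-typed from the Live View record in the first post.
SAMPLE_BLOCK = """\
action [block]
dir [in]
dst 10.77.33.101
dstport 443
interface hn2
label Default deny / state violation rule
protoname tcp
src 198.18.250.10
srcport 65005
tcpflags RA
"""
# Constructed counter-example: a fresh SYN that no pass rule matches.
SAMPLE_SYN = SAMPLE_BLOCK.replace("tcpflags RA", "tcpflags S")

def parse_live_view(text: str) -> Dict[str, str]:
    """Turn 'key value' lines from Firewall -> Log Files -> Live View into a dict.
    Bracketed values such as [block] or [in] are unwrapped; empty keys map to ''."""
    rec: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(" ")
            value = value.strip()
            if value.startswith("[") and value.endswith("]"):
                value = value[1:-1]
            rec[key] = value
    return rec

def triage_block(rec: Dict[str, str]) -> str:
    """Apply the replies' reasoning: pf passes TCP only when a SYN opens a state
    or the packet matches an existing state. A 'state violation' block on a
    non-SYN packet means the handshake never crossed this firewall in this
    direction (asymmetric routing) or the state expired; RST+ACK additionally
    means the peer refused a SYN the firewall never saw (likely a closed port)."""
    if rec.get("action") != "block":
        return "not-a-block"
    flags = set(rec.get("tcpflags", ""))
    if rec.get("protoname") == "tcp" and "state violation" in rec.get("label", ""):
        if "S" in flags and "A" not in flags:
            return "no-pass-rule"            # brand-new flow, nothing allows it
        if {"R", "A"} <= flags:
            return "out-of-state-rst-ack"    # reply to unseen SYN: asymmetric routing
        return "out-of-state-midstream"      # mid-flow packet with no/expired state
    return "no-pass-rule"
```

Run `triage_block(parse_live_view(SAMPLE_BLOCK))` on the record from the first post and it returns `out-of-state-rst-ack`, which is the asymmetric-routing diagnosis the replies point at; the F5's outbound SYN to the remote end did not pass through hn2, only the remote side's RST+ACK did.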