Current firewall is getting old, and I am planning to switch it with a computer running OpnSense.
I have one issue that I cannot seem to find an answer to:
Our LAN is 10.10.11.0/24 and we are connected to a service we use through IPSEC, and the remote network is 10.1.1.0/24.
Here is the snag: the old SonicWall set aside a few addresses in the LAN segment for road warriors connecting with SSL-VPN, and the remote network only knows that 10.10.11.0/24 is available through the tunnel.
I want to use the OpenVPN road warrior setup, but the setup requires a separate (virtual?) subnet for these connections, meaning road warriors will have addresses outside of the LAN. If I can't change or add the routing on the remote side, how can I either:
a) assign road warriors IPs from the LAN segment (ideally using DHCP relay to another server)?
b) make traffic from road warriors seem like it comes from LAN IPs when in fact it does not?
My instinct tells me to look closer at Proxy ARP, but I am not sure, and I cannot seem to find thorough docs on the subject.
Does anyone have ideas as to the solution, and does anyone know some good examples and documentation for Proxy ARP?
========
Alf
No, you need SPD entries in your IPsec setup and NAT
https://mimugmail.github.io/NATbeforeIPSEC.html
It looks a bit different now, but you should get it to work.
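To show why the NAT has to happen before the IPsec policy lookup, here is a small model of the decision path (an added illustration, not code from the thread or from the linked guide): a policy-based tunnel only protects packets whose source falls inside the local SPD selector 10.10.11.0/24, so a road-warrior source from a separate OpenVPN subnet never matches unless it is translated first. The OpenVPN subnet 10.10.12.0/24 and the NAT address 10.10.11.250 are assumed values.

```python
from ipaddress import ip_address, ip_network

# Networks from the thread
LAN = ip_network("10.10.11.0/24")
REMOTE = ip_network("10.1.1.0/24")
# Assumed road-warrior tunnel subnet (OpenVPN tun mode needs its own range)
OVPN = ip_network("10.10.12.0/24")

# Security Policy Database: only LAN -> REMOTE is protected by the tunnel.
SPD = [(LAN, REMOTE)]

# Outbound NAT evaluated on the IPsec path *before* the SPD lookup:
# (source network to rewrite, LAN address to rewrite it to; assumed value)
NAT_BEFORE_IPSEC = [(OVPN, ip_address("10.10.11.250"))]


def apply_nat(src, dst, rules):
    """Rewrite the source if a NAT rule matches this source/destination pair."""
    for net, nat_ip in rules:
        if src in net and dst in REMOTE:
            return nat_ip
    return src


def spd_match(src, dst):
    """True if some SPD entry covers this source/destination pair."""
    return any(src in s_sel and dst in d_sel for s_sel, d_sel in SPD)


def forward(src, dst, nat_rules=()):
    """Return 'tunnel' if the packet would be sent through IPsec,
    or 'no-policy' if no SPD entry matches (it leaves unprotected,
    and the remote side has no route back to a non-LAN source anyway)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_ip = apply_nat(src_ip, dst_ip, nat_rules)
    return "tunnel" if spd_match(src_ip, dst_ip) else "no-policy"


if __name__ == "__main__":
    print(forward("10.10.11.20", "10.1.1.5"))                     # tunnel
    print(forward("10.10.12.6", "10.1.1.5"))                      # no-policy
    print(forward("10.10.12.6", "10.1.1.5", NAT_BEFORE_IPSEC))    # tunnel
```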
Another approach would be to set up OpenVPN with tap and bridge the LAN device with the tap device.
You then can assign an additional DHCP segment in the OpenVPN settings, or leave it blank and the clients will get leases from the default DHCP settings.
So the OpenVPN clients are directly connected to your LAN (bridge). In addition, you will have to set up the bridge with the settings you used for the LAN, as this is your new LAN device.
Cheers,
Stephan
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither OpenVPN nor IPsec interfaces/tunnels are listed in any way... I am running 17.7.4 btw
Quote from: mimugmail on September 30, 2017, 01:42:11 PM
No, you need SPD entries in your IPsec setup and NAT
https://mimugmail.github.io/NATbeforeIPSEC.html
It looks a bit different now, but you should get it to work.
I made this work!! Thank you so much!!
Quote from: alfemann on October 02, 2017, 12:56:09 PM
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither OpenVPN nor IPsec interfaces/tunnels are listed in any way... I am running 17.7.4 btw
Hi, well - meanwhile you got it running^^ *thumbsup*
Nevertheless I wonder why you don't see the TAP interface? <-- it's only working with a TAP configuration in OpenVPN
Cheers, Stephan
Quote from: Stephan on October 02, 2017, 02:30:27 PM
Quote from: alfemann on October 02, 2017, 12:56:09 PM
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither OpenVPN nor IPsec interfaces/tunnels are listed in any way... I am running 17.7.4 btw
Hi, well - meanwhile you got it running^^ *thumbsup*
Nevertheless I wonder why you don't see the TAP interface? <-- it's only working with a TAP configuration in OpenVPN
Cheers, Stephan
I would like to know that as well!