OPNsense Forum

English Forums => General Discussion => Topic started by: alfemann on September 30, 2017, 01:03:33 pm

Title: Is Proxy ARP the solution..?
Post by: alfemann on September 30, 2017, 01:03:33 pm
Current firewall is getting old, and I am planning to switch it with a computer running OPNsense.
I have one issue that I cannot seem to find an answer to:
Our LAN is 10.10.11.0/24 and we are connected to a service we use through IPsec, and the remote network is 10.1.1.0/24.

Here is the snag: the old Sonicwall set aside a few addresses in the LAN segment for road warriors connecting with SSL-VPN, and the remote network only knows that 10.10.11.0/24 is available through the tunnel.
I want to use the OpenVPN road warrior setup, but the setup requires a separate (virtual?) subnet for these connections, meaning road warriors will have addresses outside of the LAN. If I can't change or add the routing on the remote side, how can I either:
a) assign road warriors IPs from the LAN segment (ideally using DHCP relay to another server)?
b) make traffic from road warriors seem like it comes from LAN IPs when in fact it does not?

My instinct tells me to look closer at proxy ARP, but I am not sure, and I cannot seem to find thorough docs on the subject.

Does anyone have ideas as to the solution, and does anyone know some good examples and documentation for proxy ARP?

========
Alf
Title: Re: Is Proxy ARP the solution..?
Post by: mimugmail on September 30, 2017, 01:42:11 pm
No, you need SPD entries in your ipsec setup and NAT

https://mimugmail.github.io/NATbeforeIPSEC.html

It looks a bit different now, but you should get it to work.
Title: Re: Is Proxy ARP the solution..?
Post by: Stephan on October 01, 2017, 11:48:58 am
Another approach would be to set up OpenVPN with TAP and bridge the LAN device with the TAP device.
You then can assign an additional DHCP segment in the OpenVPN settings or leave it blank and the clients will get leases from the default DHCP settings.

So the OpenVPN clients are directly connected to your LAN (bridge). In addition you will have to set up the bridge with the settings you used for the LAN, as this is your new LAN device.

Cheers,

Stephan
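To make the two answers above concrete, here is a small added example (not code from the original posts, from OPNsense or from the linked guide) that models why a road-warrior packet misses an IPsec policy that only covers the LAN, and what changes with mimugmail's NAT-before-IPsec approach and with Stephan's TAP bridge. The networks 10.10.11.0/24 and 10.1.1.0/24 come from the thread; the OpenVPN tunnel subnet 10.10.12.0/24, the NAT source address 10.10.11.254 and the client address 10.10.11.200 are assumed values, and the SPD lookup is a first-match model of the kernel's policy check rather than the real implementation.

```python
# Added example for this thread (not from the original posts or from OPNsense):
# a model of why road-warrior packets miss an IPsec policy that only covers
# the LAN, and of the two fixes discussed above (NAT before IPsec, TAP bridge).
# 10.10.11.0/24 and 10.1.1.0/24 come from the thread; the OpenVPN tunnel
# subnet, the NAT address and the client address below are assumed values.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN = ip_network("10.10.11.0/24")          # from the thread
REMOTE = ip_network("10.1.1.0/24")         # from the thread
ROADWARRIOR = ip_network("10.10.12.0/24")  # assumed OpenVPN tun subnet
NAT_ADDR = ip_address("10.10.11.254")      # assumed LAN address used as NAT source


@dataclass(frozen=True)
class SpdEntry:
    """One traffic selector of the tunnel: packets from src to dst get encrypted."""
    src: IPv4Network
    dst: IPv4Network


# The tunnel was negotiated as LAN <-> REMOTE. The remote side mirrors that
# selector and cannot be changed (the constraint stated in the first post).
LOCAL_SPD = [SpdEntry(LAN, REMOTE)]
REMOTE_SPD = [SpdEntry(REMOTE, LAN)]


def spd_lookup(spd, src, dst):
    """First entry whose selectors cover the packet, or None (first match wins)."""
    return next((e for e in spd if src in e.src and dst in e.dst), None)


def nat_before_ipsec(src, dst):
    """NAT applied before the policy check: road-warrior sources bound for the
    remote network are rewritten to NAT_ADDR; everything else is left alone."""
    if src in ROADWARRIOR and dst in REMOTE:
        return NAT_ADDR
    return src


def send(src, dst, nat=False, local_spd=LOCAL_SPD):
    """Classify what happens to one packet leaving the firewall.

    Returns:
      'tunnelled'          - matched locally and covered by the remote selector
      'bypassed'           - no local policy: the packet is routed like any other
                             packet and never enters the tunnel
      'rejected-by-remote' - encrypted locally, but the remote's SPD does not
                             cover the source, so the remote discards it
    """
    src, dst = ip_address(src), ip_address(dst)
    if nat:
        src = nat_before_ipsec(src, dst)
    if spd_lookup(local_spd, src, dst) is None:
        return "bypassed"
    if spd_lookup(REMOTE_SPD, dst, src) is None:
        return "rejected-by-remote"
    return "tunnelled"


if __name__ == "__main__":
    # tun-mode road warrior, no NAT: the tunnel never sees the packet
    print(send("10.10.12.5", "10.1.1.10"))                   # bypassed
    # a local-only SPD entry for the road-warrior subnet does not help
    extra = LOCAL_SPD + [SpdEntry(ROADWARRIOR, REMOTE)]
    print(send("10.10.12.5", "10.1.1.10", local_spd=extra))  # rejected-by-remote
    # NAT before IPsec: the source becomes a LAN address and matches both sides
    print(send("10.10.12.5", "10.1.1.10", nat=True))         # tunnelled
    # TAP + bridge: the client already holds a LAN address, no NAT needed
    print(send("10.10.11.200", "10.1.1.10"))                 # tunnelled
```

Two things worth checking on a real box after either change: that packets which match no policy really are blocked by a firewall rule rather than leaving unencrypted via the default route, and that the remote side's logs will show every road warrior as the single NAT address, so the OpenVPN server log is the only place that still attributes a connection to a user.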
Title: Re: Is Proxy ARP the solution..?
Post by: alfemann on October 02, 2017, 12:56:09 pm
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither OpenVPN nor IPsec interfaces/tunnels are listed in any way... I am running 17.7.4 btw
Title: Re: Is Proxy ARP the solution..?
Post by: alfemann on October 02, 2017, 01:38:20 pm
No, you need SPD entries in your ipsec setup and NAT

https://mimugmail.github.io/NATbeforeIPSEC.html

It looks a bit different now, but you should get it to work.

I made this work!! Thank you so much!!
Title: Re: Is Proxy ARP the solution..?
Post by: Stephan on October 02, 2017, 02:30:27 pm
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither OpenVPN nor IPsec interfaces/tunnels are listed in any way... I am running 17.7.4 btw

Hi, well - meanwhile you got it running^^ *thumbsup*
Nevertheless I wonder why you don't see the TAP interface? <-- it's only working with a TAP configuration in OpenVPN

Cheers, Stephan
Title: Re: Is Proxy ARP the solution..?
Post by: alfemann on October 03, 2017, 09:05:57 pm
Unfortunately, only the physical interfaces are listed as possible members when creating a bridge. Neither OpenVPN nor IPsec interfaces/tunnels are listed in any way... I am running 17.7.4 btw

Hi, well - meanwhile you got it running^^ *thumbsup*
Nevertheless I wonder why you don't see the TAP interface? <-- it's only working with a TAP configuration in OpenVPN

Cheers, Stephan

I would like to know that as well!