OPNsense Forum

English Forums => General Discussion => Topic started by: smooth_81 on November 21, 2019, 01:51:47 pm

Title: Avoid Traffic between IPSec Tunnel
Post by: smooth_81 on November 21, 2019, 01:51:47 pm
Is there a simple way to avoid traffic between S2S tunnels?

We have a bunch of tunnels, all connecting to a central site.
The VPN setup is always like this:

remote Site: 10.32.X.0/24
central Site: 10.0.0.0/8

This is needed because we have several non-contiguous networks used in the central site, like 10.1.0.0/22 and 10.99.0.0/16 or similar.

Now I need to restrict traffic to only go from a remote site to the central site and not between two remote sites.
Title: Re: Avoid Traffic between IPSec Tunnel
Post by: lfirewall1243 on November 22, 2019, 06:19:02 pm
Create a rule that just allows traffic from the remote sites to the networks you want to allow :)
Title: Re: Avoid Traffic between IPSec Tunnel
Post by: smooth_81 on November 28, 2019, 09:12:19 am
I thought there was an easier way... Adding 600+ rules is not the work I wanted to do  :-\

Where do I implement those rules? On the IPsec interface or on LAN?
Title: Re: Avoid Traffic between IPSec Tunnel
Post by: banym on November 28, 2019, 09:27:35 am
Hi,

By default, no traffic should be allowed from site to site over the central firewall.

The routing on the remote site shouldn't point into the IPsec tunnel, and the ruleset on the central firewall can be configured as needed.

If you work with ANY to ANY rules, that is not the way you should implement a firewall rule set.

Even with a lot of networks you can organize it quite well using aliases for the networks and only allow the traffic the way you want it.

Regards,
Dominik
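To make the alias advice above concrete, here is an added example (not code from the thread, from OPNsense, or from any poster) that models first-match rule evaluation, similar to OPNsense's default "quick" behaviour, over three candidate rulesets for the hub's IPsec interface. The spoke networks 10.32.X.0/24 and the central networks 10.1.0.0/22 and 10.99.0.0/16 are constructed sample values taken from the thread's description; the rule labels and the `evaluate` helper are this example's own.

```python
"""Model of a hub firewall policy for an IPsec hub-and-spoke VPN.

Shows why two alias-based rules are enough to stop spoke-to-spoke traffic
at the hub while still letting every spoke reach the central networks,
and why a 10/8-to-10/8 "any to any" rule does not. All addresses are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network

# Constructed aliases: 200 spokes of the form 10.32.X.0/24, plus two of the
# non-contiguous central-site networks mentioned in the thread.
SPOKES: List[Net] = [ipaddress.ip_network(f"10.32.{x}.0/24") for x in range(1, 201)]
CENTRAL: List[Net] = [ipaddress.ip_network(n) for n in ("10.1.0.0/22", "10.99.0.0/16")]
WHOLE_10: List[Net] = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Rule:
    action: str        # "pass" or "block"
    src: List[Net]     # alias: the source must fall inside one of these networks
    dst: List[Net]     # alias: the destination must fall inside one of these
    label: str


def in_alias(addr: ipaddress.IPv4Address, alias: List[Net]) -> bool:
    return any(addr in net for net in alias)


def evaluate(policy: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, label) of the first matching rule; default deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if in_alias(s, rule.src) and in_alias(d, rule.dst):
            return rule.action, rule.label
    return "block", "implicit default deny"


# Two rules on the IPsec interface, regardless of how many spokes exist.
# Order matters: the block must precede any pass whose destination alias
# could also cover spoke addresses (e.g. if CENTRAL were widened to 10/8).
ALIAS_POLICY: List[Rule] = [
    Rule("block", SPOKES, SPOKES, "deny spoke to spoke"),
    Rule("pass", SPOKES, CENTRAL, "allow spoke to central"),
]

# The ANY-to-ANY style the reply warns against: it matches every 10/8
# address, so spoke-to-spoke traffic hairpinning through the hub is passed.
ANY_TO_ANY_POLICY: List[Rule] = [
    Rule("pass", WHOLE_10, WHOLE_10, "allow 10/8 to 10/8"),
]


def per_spoke_policy(spokes: List[Net], central: List[Net]) -> List[Rule]:
    """One pass rule per spoke: also correct, but grows linearly with the spoke count."""
    return [Rule("pass", [sp], central, f"allow {sp} to central") for sp in spokes]


if __name__ == "__main__":
    policies = (
        ("alias", ALIAS_POLICY),
        ("any-to-any", ANY_TO_ANY_POLICY),
        ("per-spoke", per_spoke_policy(SPOKES, CENTRAL)),
    )
    flows = (("10.32.5.10", "10.1.1.20"), ("10.32.5.10", "10.32.7.20"))
    for name, pol in policies:
        print(f"{name}: {len(pol)} rules")
        for src, dst in flows:
            print(f"  {src} -> {dst}: {evaluate(pol, src, dst)}")
```

The alias ruleset stays at two rules whether there are 20 or 600 spokes, while the per-spoke variant needs one rule per tunnel. Because each spoke's Phase 2 selector is the whole 10.0.0.0/8, the spoke will still encrypt and send spoke-to-spoke packets; this model only shows that the hub drops them before forwarding, so the enforcement point is the hub's IPsec interface rules.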
Title: Re: Avoid Traffic between IPSec Tunnel
Post by: smooth_81 on December 14, 2019, 08:15:15 am
I know that the design of the VPN network is not ideal, but on the other side there are plenty of FritzBox devices which are a pain to configure for VPN.
I cannot use multiple Phase 2 SAs, for example. And my last test with two separate VPNs to the same remote site but different Phase 2 IP networks did not work either.

So my only option is to put the whole 10.0.0.0/8 in the tunnel definition.
On Cisco ASA there is an option to avoid or allow traffic returning to the same interface, forcing packets to travel through the firewall and be routed to a different interface.
I don't know if this is possible with OPNsense too.

If I have to implement firewall rules to avoid the traffic between the VPN sites, where do I have to put them? On the IPsec interface? Or on WAN? Or are these floating rules?
And how will the performance be impacted as the number of rules goes up?
Even when using aliases I will have to put in around 400 lines for 200 tunnels, and we are still growing, with around 600 tunnels in the end.
And we have another project in mind where we would need many more tunnels (will be another OPNsense btw).