OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: Andreas on October 23, 2015, 12:08:09 pm

Title: Routing Help
Post by: Andreas on October 23, 2015, 12:08:09 pm
Hi,
My situation:
Client (192.168.100.183) <-IPsec-> OPNsense 192.168.252.96 (192.168.252.0/22) <-IPsec-> Fritz Box (10.40.1.0/24)

The client 192.168.100.183 only gets the route 192.168.252.0/22 over IPsec. Nothing else can be configured.
My problem now: I want to access the client from the 10.40.1.0/24 net or another net, e.g. from OpenVPN clients connected to the OPNsense FW...
Is there a way to do that?

Thx
Andreas
Title: Re: Routing Help
Post by: lucifercipher on October 23, 2015, 05:59:57 pm
Hi,

Did you add an allow rule for the firewall and also allow private networks to access?
Title: Re: Routing Help
Post by: Andreas on October 23, 2015, 08:33:33 pm
Yes,
the firewall is open and all is allowed

Title: Re: Routing Help
Post by: lucifercipher on October 23, 2015, 10:33:14 pm
Quote from: Andreas on October 23, 2015, 08:33:33 pm
    Yes,
    the firewall is open and all is allowed

Ok. Thank you. Just for a small test, can you disable all types of SPI / firewall on your Fritzbox too? Or perhaps add your client IP 10.40.1.x/32 as a DMZ host on Fritz?

Just trying to give options here.
Title: Re: Routing Help
Post by: Andreas on October 24, 2015, 08:03:34 am
I think it's more a routing problem than a firewall problem.
Tracing the clients shows that the Fritz Box doesn't know the way to send the packets, and I think the client
192.168.100.183 even has no route to the 10.40.1.0/24 net.
Title: Re: Routing Help
Post by: Andreas on October 24, 2015, 09:32:21 pm
Hi,
can someone please explain what to configure for
NAT/BINAT options in the IPsec configuration.
I think this would solve my problems... if I can configure it right.

It's like this picture shows:

http://www.cisco.com/c/dam/en/us/support/docs/routers/3800-series-integrated-services-routers/107992-IOSRouter-overlapping00.gif

Actually I get in the log:
Oct 24 22:18:42    charon: 14[CFG] received stroke: route 'con3'
Oct 24 22:18:42    charon: 10[CFG] added configuration 'con3'
I tried to NAT the IP 192.168.100.183 to 192.168.250.183 in the config to the Fritz Box (second phase entries added).

What I did in the IPsec configuration to the 192.168.100.183 client you can look up in the attachment.


Thx.
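The routing problem from the earlier post and the NAT/BINAT idea from this one can be checked with a small simulation. The following Python script is an added example, not code from the thread or from OPNsense: it models the client's route table as described (only 192.168.252.0/22 via the tunnel), shows that a packet from 10.40.1.0/24 has no return path, and then applies a 1:1 BINAT of 10.40.1.0/24 into a spare block inside the /22 so the client does have a route for the translated source. The block 192.168.255.0/24 is an assumption chosen for illustration; in a real setup it must be a range inside 192.168.252.0/22 that no existing host uses.

```python
"""Simulation of the route/BINAT situation from the thread (added example).

Assumptions (not from the thread): the translated block 192.168.255.0/24 is
free inside 192.168.252.0/22, and the client reaches that whole /22 via IPsec.
"""
import ipaddress

# Client route table as the thread describes it: its own LAN plus the single
# IPsec route for 192.168.252.0/22. Nothing for 10.40.1.0/24.
CLIENT_ROUTES = {
    ipaddress.ip_network("192.168.100.0/24"): "lan",
    ipaddress.ip_network("192.168.252.0/22"): "ipsec",
}


def lookup_route(routes, dst):
    """Longest-prefix match. Returns the interface name or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


class BinatMapping:
    """1:1 network translation (BINAT): host N of `internal` <-> host N of `external`."""

    def __init__(self, internal, external):
        self.internal = ipaddress.ip_network(internal)
        self.external = ipaddress.ip_network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("BINAT networks must have the same prefix length")

    def _translate(self, addr, src_net, dst_net):
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return addr  # not covered by this mapping, passes unchanged
        offset = int(addr) - int(src_net.network_address)
        return dst_net.network_address + offset

    def to_external(self, addr):
        """Translate a real address (e.g. 10.40.1.5) to its tunnel-side address."""
        return self._translate(addr, self.internal, self.external)

    def to_internal(self, addr):
        """Reverse translation for the reply coming back from the client."""
        return self._translate(addr, self.external, self.internal)


def check_external_block(mapping, client_routes):
    """Sanity check: the translated block must fall inside a network the client
    already routes over the tunnel, otherwise the BINAT does not help."""
    for net, iface in client_routes.items():
        if iface == "ipsec" and mapping.external.subnet_of(net):
            return True
    return False


def reply_path(src, mapping=None):
    """Which interface would the client use to answer a packet from `src`?
    With a mapping, the client sees the translated source address instead."""
    seen_by_client = mapping.to_external(src) if mapping else ipaddress.ip_address(src)
    return lookup_route(CLIENT_ROUTES, seen_by_client)


if __name__ == "__main__":
    fritz_host = "10.40.1.5"  # constructed sample host on the Fritz Box side
    print("without BINAT:", reply_path(fritz_host))  # None: no route back

    binat = BinatMapping("10.40.1.0/24", "192.168.255.0/24")
    print("external block inside client route:", check_external_block(binat, CLIENT_ROUTES))
    print("client sees source as:", binat.to_external(fritz_host))
    print("with BINAT:", reply_path(fritz_host, binat))  # ipsec
    print("reply untranslated to:", binat.to_internal("192.168.255.5"))
```

The important point the simulation makes visible is that the translated addresses must lie inside the only prefix the client can route (192.168.252.0/22), which is also OPNsense's own LAN range, so the chosen block has to be unused there; `check_external_block` is the check to run before committing such a mapping.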