OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: pboe on November 19, 2015, 04:23:50 pm

Title: DNS not working through IPsec Mobile
Post by: pboe on November 19, 2015, 04:23:50 pm
Hi everyone,
I want to switch from an old pfSense installation with an OpenVPN VPN to an OPNsense 15.7.19 installation with a multi-WAN and IPsec mobile setup.
So far so good: the installation is running, multi-WAN is working and IPsec is set up.
I can connect with an OS X 10.11.1 client via IPsec and get access to the web frontend of the OPNsense installation.
But any DNS lookups through the tunnel run into a timeout.
From resolve.log I can see that any client-side nslookup is processed by the Unbound resolver, but it seems that the answer isn't routed back through the tunnel to the VPN client.
Any help is appreciated.

System:
OPNsense 15.7.19-amd64
FreeBSD 10.1-RELEASE-p23
OpenSSL 1.0.2d 9 Jul 2015

Intel(R) Xeon(R) CPU E31220 @ 3.10GHz
4 CPUs: 1 package(s) x 4 core(s)

Mobile Clients:
User authentication:   Local Database
Group Authentication:   none
Virtual Address Pool:
   Provide A virtual IP:   Checked
   10.190.39.0/24

DNS Servers:     Checked
   10.190.30.253

Tunnel Phase1:
Key Exchange:   V1
IP:      IPV4
Interface:   WAN1

Authentication Method:   Mutual PSK+Xauth
Negotiation Mode:   Aggressive
My Identifier:      My IP Address
Peer Identifier:   Distinguished Name
         foo
Pre-Shared Key:      bar

Encryption algorithm:   3DES
Hash Algorithm:      SHA1
DH Key Group:      2 (1024)
Lifetime:      28800
Disable Rekey:      Not Checked
Disable Reauth:      Not Checked
NAT Traversal:      Enable
Dead Peer Detection:   Not Checked


Phase 2:
Mode:      Tunnel IPv4
Type:      LAN Subnet
Address:   Left blank
Nat/Binat:   None
Address:   Left blank
      /128
Protocol:   ESP
Encryption:   Checked: AES, auto; Blowfish, auto; 3DES, CAST128
Hash Algs:   MD5, SHA1
PFS Keygroup:   OFF
Lifetime:   3600
Auto Ping Host:   Left blank


Firewall->NAT->Outbound:
Automatic outbound NAT:   Checked
WAN   127.0.0.0/8 10.190.30.0/24 10.190.39.0/24   *   *   500   WAN address   *   YES   Auto created rule for ISAKMP
WAN   127.0.0.0/8 10.190.30.0/24 10.190.39.0/24   *   *   *   WAN address   *   NO   Auto created rule
VDSL   127.0.0.0/8 10.190.30.0/24 10.190.39.0/24   *   *   500   VDSL address   *   YES   Auto created rule for ISAKMP
VDSL   127.0.0.0/8 10.190.30.0/24 10.190.39.0/24   *   *   *   VDSL address   *   NO   Auto created rule

Firewall->Rules->Lan:
   *   *   *   LAN Address   443/80/22   *       Anti-Lockout Rule   
IPv4 *   LAN net   *   *   *   *      Default allow LAN to any rule     
IPv4 *   LAN net   *   *   *   Load_Balancing      Load Balancing
IPv4 *   LAN net   *   *   *   WAN1failover      If WAN fails switchover to VDSL     
IPv4 *   LAN net   *   *   *   WAN2failover      If VDSL fails switchover to WAN     
     

Firewall->Rules-IPSec:
IPv4 *   *   *   *   *   *         

DNS Resolver->Access Lists

Action: Allow
Networks: 10.190.0.0/16
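
The settings quoted above have to agree with each other before a road-warrior client can resolve through Unbound: the virtual pool must be allowed by the resolver access list, the pushed DNS server has to sit inside the Phase 2 local network so the query is actually sent into the tunnel, and the pool must not overlap that network. The following is an added example, not part of the original post or of OPNsense; it encodes those three checks with Python's `ipaddress` module. The LAN subnet 10.190.30.0/24 is an assumption inferred from the outbound-NAT rules, everything else is taken from the posted values.

```python
"""Consistency check for the mobile IPsec + Unbound settings in the post.

Added example, not part of the original thread or of OPNsense. The Phase 2
local network 10.190.30.0/24 is an assumption inferred from the outbound NAT
rules; the other values are copied from the posted configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class MobileIpsecConfig:
    virtual_pool: str        # Mobile Clients -> Virtual Address Pool
    dns_servers: list        # Mobile Clients -> DNS Servers pushed to the client
    phase2_local: str        # Phase 2 local network ("LAN Subnet", assumed value)
    unbound_acl: list        # DNS Resolver -> Access Lists, action Allow


def check_config(cfg: MobileIpsecConfig) -> list:
    """Return a list of findings; an empty list means the tunnel and the
    resolver settings are consistent with each other."""
    findings = []
    pool = ipaddress.ip_network(cfg.virtual_pool, strict=False)
    local = ipaddress.ip_network(cfg.phase2_local, strict=False)
    acls = [ipaddress.ip_network(n, strict=False) for n in cfg.unbound_acl]

    # Clients and LAN hosts must not share addresses, or replies are ambiguous.
    if pool.overlaps(local):
        findings.append(
            f"virtual pool {pool} overlaps the Phase 2 local network {local}")

    # Unbound refuses (or drops) queries from sources outside its allow list.
    if not any(pool.subnet_of(acl) for acl in acls):
        findings.append(
            f"Unbound access list does not allow queries from virtual pool {pool}")

    # A DNS server outside the Phase 2 network is reached via the client's
    # local default route, not through the tunnel.
    for server in cfg.dns_servers:
        ip = ipaddress.ip_address(server)
        if ip in pool:
            findings.append(f"DNS server {ip} lies inside the virtual pool")
        elif ip not in local:
            findings.append(
                f"DNS server {ip} is outside the Phase 2 local network {local}; "
                "queries to it are not sent through the tunnel")
    return findings


# Values from the post; phase2_local is the assumed LAN subnet.
POSTED = MobileIpsecConfig(
    virtual_pool="10.190.39.0/24",
    dns_servers=["10.190.30.253"],
    phase2_local="10.190.30.0/24",
    unbound_acl=["10.190.0.0/16"],
)

# Constructed variant: public DNS server and an ACL that only covers the LAN.
PUBLIC_DNS_VARIANT = MobileIpsecConfig(
    virtual_pool="10.190.39.0/24",
    dns_servers=["8.8.8.8"],
    phase2_local="10.190.30.0/24",
    unbound_acl=["10.190.30.0/24"],
)

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("public-dns", PUBLIC_DNS_VARIANT)):
        result = check_config(cfg)
        print(name, "->", result or "consistent")
```

Run against the posted values the check comes back clean, which matches the post: the addressing and the access list are not what breaks the lookups. The public-DNS variant reports that 8.8.8.8 is outside the Phase 2 network, i.e. a client pointed at it resolves outside the tunnel, which is the behaviour described later in the thread.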

Title: Re: DNS not working through IPsec Mobile
Post by: Exitcomestothis on November 20, 2015, 04:48:13 pm
Do you get the same result when you use a public DNS server, like 8.8.8.8 from google or 208.67.220.220 from OpenDNS?
Title: Re: DNS not working through IPsec Mobile
Post by: pboe on November 23, 2015, 11:08:35 am
Using an external DNS is working by setting the client's DNS to e.g. 8.8.8.8. But I think that traffic is not going through the tunnel.
Title: Re: DNS not working through IPsec Mobile
Post by: Exitcomestothis on November 29, 2015, 04:14:11 am
Is the opnsense firewall the only router you have running on your network at the moment?

Try searching for "ip" in a Google search when connected over VPN. If the result comes up as one of the WAN IPs associated with the firewall, then traffic is indeed flowing over the VPN.

I'm not sure how things have changed for VPN in OS X, as I quit using Mac just as 10.7.0 came out, but make sure that the option "send all traffic" is checked in the VPN settings.
Title: Re: DNS not working through IPsec Mobile
Post by: pboe on December 01, 2015, 12:03:50 pm
Hi Exitcomestothis,
I'm using only IPsec, not L2TP. So on the OS X 10.11 client side I have no option to route all traffic through the tunnel. Therefore if I google my IP address I get the external IP of the local router the client is connected to.

In the VPN the OPNsense box is not the only router, but it doesn't make a difference if I pull the plug of the main router, which should be replaced by the OPNsense box.
The strange thing is that the resolver receives the DNS request and also resolves it, but the answer is not getting through to the client.

Thanks for your help, i appreciate that.

Paul