OPNsense Forum

English Forums => General Discussion => Topic started by: Ulrar on October 16, 2020, 02:03:43 pm

Title: Incoming connections on vpn are answered on wrong interface
Post by: Ulrar on October 16, 2020, 02:03:43 pm
Hi opnsense forums,

I have an OpenVPN client connection on my router that I use to get a fixed public IP, as my ISP sadly does some horrible stuff on the WAN interface. So my ovpnc2 interface has a proper dedicated publicly routed IP.

I have a mail server machine I've been trying to set up in the LAN, and I've created a floating firewall rule saying that anything coming from that machine on the LAN interfaces should use the VPN Gateway, which works fine. When I do a "curl ifconfig.me" on that email machine for example I do get the public IP from the vpn interface.

For the other way around I have a port redirect set up to forward tcp port 25 on the vpn interface to that machine on the lan.
Using tcpdump and packet captures on both the machine and the router I can see that incoming connections on port 25 are indeed sent to the mail server, and it's responding fine. But I can see on the router that the packets are going out the WAN interface, not the VPN interface. Even stranger, they are using the VPN interface's IP as a source, on the WAN interface, which of course does not work.

Any idea what I could be missing? My default gateway is the WAN (but overriding it with floating rules works), my NAT is configured as hybrid and I did set up a rule for the vpn interface (and it seems to be valid since outgoing connections through the vpn are working), and I can't find any other rule that would explain it responding through the wrong interface.

Thanks
Title: Re: Incoming connections on vpn are answered on wrong interface
Post by: Gauss23 on October 16, 2020, 03:17:00 pm
Firewall: Settings: Advanced

"Automatic outbound NAT for Reflection" is enabled?
Title: Re: Incoming connections on vpn are answered on wrong interface
Post by: Ulrar on October 16, 2020, 03:48:09 pm
It wasn't; I tried turning it on and re-saving and applying the port forward rule, but no change, it's still going back through the wan.
Title: Re: Incoming connections on vpn are answered on wrong interface
Post by: Ulrar on October 16, 2020, 07:56:25 pm
So one thing I've noticed while looking into this some more is that no outbound rules are actually being generated.
I think the issue might be that the VPN is somehow misconfigured: I ticked "Dynamic gateway policy", but with or without that setting the Gateway it generates is wrong. When editing the gateway the IP field says "dynamic", but when looking at the status it's using the vpn's interface IP.
And when using it that's confirmed: any traffic routed "through" the VPN ends up hitting the router itself instead of going through the tunnel. As a workaround I've changed the gateway IP from "dynamic" to some random IP in the block, which works fine, but it really shouldn't have an IP at all.

Could this be why it's not working right? I'm guessing opnsense isn't really considering my vpn interface as a wan because it doesn't really have a gateway associated with it, just a dirty hack, so it gets confused.
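As an added example (not part of the thread and not OPNsense's own tooling): pf sends the replies of a stateful connection back out the interface they arrived on only when the rule that created the state carries a reply-to clause, and OPNsense adds that clause only to rules on interfaces that have a gateway assigned. Replies to a port forward on an interface without one follow the default route instead, which matches the packets seen leaving the WAN with the VPN address as source. The POSIX sh script below scans pf rule text for "pass in" rules on a given interface that lack reply-to. The rule text is a constructed sample in the shape of `pfctl -sr` output; ovpnc2 is the interface name from the thread, while the LAN address 192.168.1.10, the gateway addresses and the rule labels are placeholders.

```shell
#!/bin/sh
# Added example: find "pass in" rules on an interface that have no reply-to clause.
# On OPNsense the live ruleset comes from `pfctl -sr`; a constructed sample stands
# in for it here so the script runs offline.

# Constructed sample of pfctl -sr output. Rule 1 has reply-to (gateway assigned),
# rule 2 is the same port forward without it, rule 3 is on another interface.
SAMPLE_RULES='pass in quick on ovpnc2 reply-to (ovpnc2 10.8.0.1) inet proto tcp from any to 192.168.1.10 port = smtp flags S/SA keep state label "rdr smtp to mail"
pass in quick on ovpnc2 inet proto tcp from any to 192.168.1.10 port = smtp flags S/SA keep state label "rdr smtp to mail, no gateway"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.168.1.10 port = http flags S/SA keep state label "rdr http"'

# count_missing_reply_to IFACE RULES
# Prints the number of "pass in" rules on IFACE whose text lacks reply-to.
# Replies created by such rules follow the default route, not IFACE's gateway.
count_missing_reply_to() {
  iface=$1
  printf '%s\n' "$2" \
    | grep -E "^pass in( quick)? on ${iface} " \
    | grep -vc 'reply-to' || true   # grep -c exits 1 on a zero count; keep status 0
}

# list_missing_reply_to IFACE RULES
# Prints the offending rules themselves so they can be matched to the GUI entry.
list_missing_reply_to() {
  iface=$1
  printf '%s\n' "$2" \
    | grep -E "^pass in( quick)? on ${iface} " \
    | grep -v 'reply-to' || true
}

# Use the live ruleset when run on the firewall with an interface argument,
# otherwise fall back to the constructed sample.
if [ -n "$1" ] && command -v pfctl >/dev/null 2>&1; then
  IFACE=$1
  RULES=$(pfctl -sr)
else
  IFACE=ovpnc2
  RULES=$SAMPLE_RULES
fi

n=$(count_missing_reply_to "$IFACE" "$RULES")
echo "$IFACE: $n pass-in rule(s) without reply-to"
[ "$n" -gt 0 ] && list_missing_reply_to "$IFACE" "$RULES"
```

Run as `sh check_reply_to.sh ovpnc2` on the firewall to inspect the live rules. A count of zero means pf will route the port forward's replies via the interface's gateway; anything else means the matching state was created without one, and fixing the gateway assignment on the interface (so OPNsense emits reply-to) is the place to look, not the outbound NAT rules.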