OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: renaultlincoln on May 18, 2021, 09:31:20 pm

Title: openconnect routing issue
Post by: renaultlincoln on May 18, 2021, 09:31:20 pm
Hi, I am new to OPNsense. I have set up the OpenConnect client fine and I can ping the OpenConnect server IP 10.10.10.1 from the firewall itself (see below).

tun30000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1269
        options=80000<LINKSTATE>
        inet6 fe80::20c:29ff:fed4:8e1a%tun30000 prefixlen 64 scopeid 0x10
        inet 10.10.10.64 --> 10.10.10.64 netmask 0xffffffff
        groups: tun
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        Opened by PID 85466
root@OPNsense:/usr/local/etc/rc.d # ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=64 time=238.202 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=312.186 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=239.129 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=239.459 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=64 time=237.771 ms
64 bytes from 10.10.10.1: icmp_seq=5 ttl=64 time=313.507 ms
64 bytes from 10.10.10.1: icmp_seq=6 ttl=64 time=242.929 ms
64 bytes from 10.10.10.1: icmp_seq=7 ttl=64 time=238.647 ms

and I have added an outbound NAT rule for OpenConnect as well:

OpenConnect   any   *   *   *   Interface address   *   NO

But I still can't ping 10.10.10.1 from the LAN side (192.168.1.0/24). The LAN firewall rules already have the default allow-any rule. Any idea? I think it might be something simple, but I just can't figure it out. Thanks in advance.
Title: Re: openconnect routing issue
Post by: mimugmail on May 19, 2021, 01:22:17 pm
Can you capture on the interface whether the packets are leaving correctly?
Title: Re: openconnect routing issue
Post by: renaultlincoln on May 19, 2021, 11:10:10 pm
Thanks. The packets from the LAN side actually exit via the tun30000 interface, and the routing table is correct as well, but I just can't ping the server-side internal IP. As mentioned, I can ping the server-side internal IP 10.10.10.1 from the OPNsense firewall itself (sourced from the tun30000 interface, 10.10.10.64). Below is the firewall log for the ICMP ping from one of the LAN-side PCs to the server-side internal IP:

tun30000      May 19 21:59:38   192.168.1.100   10.10.10.1   icmp   let out anything from firewall host itself   

I think the problem might be that the return traffic from the server side is somehow being blocked by the OPNsense firewall, but I have tried to put an allow any/any rule on the OpenConnect interface (tun30000) as well as on the LAN interface, still no luck. Thanks.
Title: Re: openconnect routing issue
Post by: mimugmail on May 20, 2021, 05:31:18 am
Screenshot of NAT and LAN rules please
Title: Re: openconnect routing issue
Post by: renaultlincoln on May 20, 2021, 07:43:30 pm
Hi, thanks for the help. Here is the screenshot for the NAT and LAN rules.

I am using a WireGuard VPN, hence the NAT rule for the WireGuard interface. For OpenConnect I set the destination to the OpenConnect LAN-side subnet 10.10.10.0/24.
Title: Re: openconnect routing issue
Post by: mimugmail on May 20, 2021, 09:33:17 pm
Hm, can you dump the traffic on the OpenConnect interface during the ping?
Title: Re: openconnect routing issue
Post by: renaultlincoln on May 20, 2021, 10:36:03 pm
Thanks, here is the tcpdump while I am doing a ping test from a LAN PC, 192.168.1.100. Not sure if this is what you are looking for?

root@OPNsense:~ # tcpdump -i tun30000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun30000, link-type NULL (BSD loopback), capture size 262144 bytes
21:32:21.134484 IP 192.168.1.100 > 10.10.10.1: ICMP echo request, id 1, seq 595, length 40
21:32:26.058863 IP 192.168.1.100 > 10.10.10.1: ICMP echo request, id 1, seq 596, length 40
21:32:31.072736 IP 192.168.1.100 > 10.10.10.1: ICMP echo request, id 1, seq 597, length 40
21:32:36.055714 IP 192.168.1.100 > 10.10.10.1: ICMP echo request, id 1, seq 598, length 40
Title: Re: openconnect routing issue
Post by: mimugmail on May 21, 2021, 08:48:21 am
And now please a dump when the firewall does the ping.
Title: Re: openconnect routing issue
Post by: renaultlincoln on May 21, 2021, 11:22:12 am
Thanks, below is the dump when the FW itself is doing the ping. You can clearly see the request and reply, but that was sourced from the tun30000 interface address 10.10.10.64 itself. Thanks.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun30000, link-type NULL (BSD loopback), capture size 262144 bytes
10:18:10.169483 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 0, length 64
10:18:10.410804 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 0, length 64
10:18:11.175467 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 1, length 64
10:18:11.417126 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 1, length 64
10:18:12.184650 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 2, length 64
10:18:12.427409 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 2, length 64
10:18:13.198052 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 3, length 64
10:18:13.445642 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 3, length 64
10:18:14.207899 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 4, length 64
10:18:14.449521 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 4, length 64
10:18:15.237194 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 5, length 64
10:18:15.478965 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 5, length 64
10:18:16.247675 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 6, length 64
10:18:16.488143 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 6, length 64
10:18:17.258097 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 7, length 64
10:18:17.498706 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 7, length 64
10:18:18.270969 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 8, length 64
10:18:18.517066 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 8, length 64
10:18:19.275054 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 9, length 64
10:18:19.515441 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 9, length 64
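One way to read the two captures above programmatically, as an added example that is not part of the thread: it parses tcpdump's ICMP echo lines, flags echo requests that leave the tunnel with a source other than the firewall's own tunnel address (10.10.10.64, meaning outbound NAT did not rewrite them), and lists requests that never received a reply. The sample captures embedded below are constructed from a few lines modelled on the thread's dumps.

```python
import re

# Matches the ICMP echo lines tcpdump prints on the tun interface, e.g.
# 21:32:21.134484 IP 192.168.1.100 > 10.10.10.1: ICMP echo request, id 1, seq 595, length 40
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(capture):
    """Return one dict per ICMP echo line; banner and other lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["id"], p["seq"] = int(p["id"]), int(p["seq"])
            pkts.append(p)
    return pkts

def analyse(capture, tunnel_ip):
    """Summarise a capture taken on the tunnel interface.
    tunnel_ip is the firewall's own address on the tunnel (10.10.10.64 in the
    thread). A request leaving with any other source was not translated by
    outbound NAT, so the far end has no route back to it and never answers."""
    pkts = parse_icmp(capture)
    replies = {(p["id"], p["seq"]) for p in pkts if p["kind"] == "reply"}
    requests = [p for p in pkts if p["kind"] == "request"]
    return {
        "requests": len(requests),
        "replies": len(replies),
        "unnatted_sources": sorted({p["src"] for p in requests if p["src"] != tunnel_ip}),
        "unanswered": [(p["id"], p["seq"]) for p in requests if (p["id"], p["seq"]) not in replies],
    }

# Constructed sample captures modelled on the two dumps in the thread.
LAN_PING = """\
listening on tun30000, link-type NULL (BSD loopback), capture size 262144 bytes
21:32:21.134484 IP 192.168.1.100 > 10.10.10.1: ICMP echo request, id 1, seq 595, length 40
21:32:26.058863 IP 192.168.1.100 > 10.10.10.1: ICMP echo request, id 1, seq 596, length 40
"""
FW_PING = """\
10:18:10.169483 IP 10.10.10.64 > 10.10.10.1: ICMP echo request, id 13071, seq 0, length 64
10:18:10.410804 IP 10.10.10.1 > 10.10.10.64: ICMP echo reply, id 13071, seq 0, length 64
"""

if __name__ == "__main__":
    for name, cap in (("LAN host ping", LAN_PING), ("firewall ping", FW_PING)):
        print(name, analyse(cap, "10.10.10.64"))
```

On the firewall itself the same question can be put to pf directly: `pfctl -s nat` shows the outbound NAT rules as loaded, and `pfctl -s state` shows whether a translated state was created for the LAN host's echo requests.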
Title: Re: openconnect routing issue
Post by: mimugmail on May 21, 2021, 07:26:34 pm
Can you arrange to get a fixed IP and set it in outbound NAT instead of "Interface address"?
Title: Re: openconnect routing issue
Post by: renaultlincoln on May 21, 2021, 10:14:22 pm
Hi, thanks. I tried setting the NAT address to 10.10.10.64 instead of using the interface address, but same result. The interface address should be the same as 10.10.10.64 anyway, so I can't see the point here. Any other suggestion? Thanks.