OPNsense Forum

English Forums => Virtual private networks => Topic started by: wrobelda on March 16, 2022, 11:33:58 pm

Title: Routing Virtual IP traffic over VPN
Post by: wrobelda on March 16, 2022, 11:33:58 pm
I managed to set up selective routing via WG VPN for LAN clients (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html). Now I also want to route traffic originating from a service bound to a Virtual IP (10.0.0.91) configured on the LAN interface, i.e. from the firewall appliance itself.

I can see that the running service is successfully bound to the Virtual IP, looking at the tcpdump -ni vtnet0 output:

Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:31:34.414408 ARP, Request who-has 10.0.0.91 tell 10.0.0.100, length 46
23:31:34.414456 ARP, Reply 10.0.0.91 is-at 62:15:db:f6:60:1b, length 28
23:31:34.418506 IP 10.0.0.100.51915 > 10.0.0.91.80: Flags [S], seq 120292338, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1261429721 ecr 0,sackOK,eol], length 0
However, my understanding is that these packets internally do not pass the LAN interface table, so the selective routing rule I have set up for LAN hosts won't do. I tried searching for a similar issue solved here, but no luck.

Any idea how to proceed here? I would appreciate any help.

EDIT: Seems related: https://forum.opnsense.org/index.php?topic=16252.0

EDIT: OK, seems this is the culprit: https://forum.opnsense.org/index.php?topic=23399.msg111294#msg111294

However, disabling the forced gateway does *not* create a set of manual rules here. Investigating further.

EDIT: OK, I re-added the manual floating rule to "let out anything from firewall host itself (force gw)", so that I can add another rule above it, except nothing I do has any effect. I am clueless.
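An added example, not part of wrobelda's post or of OPNsense: a small Python parser for the tcpdump output format quoted above. It extracts ARP replies and TCP segments, then reports three things about a Virtual IP: whether the firewall answers ARP for it, whether a client SYN reached the service port, and whether a SYN-ACK came back from the Virtual IP. The quoted capture contains the first two but not the third, so the check makes explicit that the capture so far proves the address is live and reachable, not yet that the service answered from it. The sample lines are the three packets from the post; the function and field names are this example's own.

```python
import re

# Constructed sample: the three tcpdump lines quoted in the post above.
SAMPLE = """\
23:31:34.414408 ARP, Request who-has 10.0.0.91 tell 10.0.0.100, length 46
23:31:34.414456 ARP, Reply 10.0.0.91 is-at 62:15:db:f6:60:1b, length 28
23:31:34.418506 IP 10.0.0.100.51915 > 10.0.0.91.80: Flags [S], seq 120292338, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1261429721 ecr 0,sackOK,eol], length 0
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"

# "HH:MM:SS.usec ARP, Reply <ip> is-at <mac>, length N"
ARP_REPLY = re.compile(
    rf"^(?P<ts>\S+) ARP, Reply (?P<ip>{IPV4}) is-at (?P<mac>[0-9a-f:]{{17}})"
)

# "HH:MM:SS.usec IP <src>.<sport> > <dst>.<dport>: Flags [..], ..."
TCP_SEG = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(lines):
    """Turn tcpdump -n text lines into a list of event dicts.

    Lines that are neither an ARP reply nor a TCP segment (tcpdump's
    banner, ARP requests, other protocols) are skipped.
    """
    events = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            events.append({"type": "arp_reply", "ts": m["ts"],
                           "ip": m["ip"], "mac": m["mac"]})
            continue
        m = TCP_SEG.match(line)
        if m:
            events.append({"type": "tcp", "ts": m["ts"],
                           "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"]),
                           "flags": m["flags"]})
    return events


def vip_check(events, vip, port):
    """Return (mac_answering_arp, saw_syn_to_service, saw_synack_from_vip).

    mac_answering_arp is None when nothing replied to ARP for the VIP.
    tcpdump prints a bare SYN as "S" and a SYN-ACK as "S.".
    """
    mac = None
    saw_syn = False
    saw_synack = False
    for e in events:
        if e["type"] == "arp_reply" and e["ip"] == vip:
            mac = e["mac"]
        elif e["type"] == "tcp":
            if e["dst"] == vip and e["dport"] == port and e["flags"] == "S":
                saw_syn = True
            if e["src"] == vip and e["sport"] == port and e["flags"] == "S.":
                saw_synack = True
    return mac, saw_syn, saw_synack


if __name__ == "__main__":
    evs = parse(SAMPLE.splitlines())
    mac, syn, synack = vip_check(evs, "10.0.0.91", 80)
    print(f"ARP answered by: {mac}")
    print(f"SYN reached 10.0.0.91:80: {syn}")
    print(f"SYN-ACK sent from 10.0.0.91:80: {synack}")
```

Run it against a longer capture (for example `tcpdump -ni vtnet0 host 10.0.0.91 | python3 vipcheck.py` with the parser reading stdin instead of SAMPLE) and the third value shows whether the bound service is actually answering; on the three lines above it is False, because the SYN-ACK was not part of what was pasted.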
Title: Re: Routing Virtual IP traffic over VPN
Post by: wrobelda on April 15, 2022, 06:13:56 pm
Does anyone have any idea regarding this? A definite answer whether or not it is possible to selectively route specific *service's* traffic (which is bound to a Virtual IP) would be appreciated.