OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: interfaSys on April 15, 2016, 06:46:44 pm

Title: Proxy avoids Firewall set gateway group every time a gateway (VPN) is down
Post by: interfaSys on April 15, 2016, 06:46:44 pm
The VLAN has a set of firewall rules which say:
* VLANnet to VLANnet -> * GW
* VLANnet to -> * GW (We can't change this GW, the rule comes from Port Forward)
* VLANnet to  ! VLANnet -> VPN_GW

VPN_GW is a group. Within this group the default GW is set to "Never"

We can't pick a GW for the proxy, so I'm guessing it follows the rules set by the firewall, but this might be where there is a problem.

There are also a bunch of outbound NAT rules in hybrid mode for and VLANnet (VPN rules first and the automated rules at the bottom).

In System: Settings: Miscellaneous, there is a setting which is called: Skip rules when gateway is down
By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway.This option overrides that behavior and the rule is not created when gateway is down
I've ticked this box since this is exactly the behaviour I want to avoid

Everything is working fine, traffic is routed correctly, through the proxy and through one of the VPN GW, but if I stop one of the VPN connections, then all traffic is routed through the default GW.

It seems that when a VPN connection is taken down, routes are altered, but the system setting is not having the expected effect and the default gateway is used.

Title: Re: Firewall bypassed every time any OpenVPN connection is restarted
Post by: interfaSys on April 15, 2016, 06:58:55 pm
For as long as one of the VPN link is down, the firewall/GW group is bypassed. As soon as I bring it up, everything is routed properly again.

While the link is down, I've noticed that HTTP sites connect directly while HTTPS sites use the VPN, so the HTTP proxy just waits for all routes to be back up before taking the one assigned to the VLAN.