OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: Joerg on June 10, 2016, 05:11:48 pm

Title: VLAN <--> VPN traffic
Post by: Joerg on June 10, 2016, 05:11:48 pm

I think I need a little help from someone who can point me in the right direction.
Just a little bit about my setup. I have one WAN connection and several VLANs to keep things separated. I have a permanent VPN to the US which is currently connected to a FritzBox over there. The tunnel phase 2 is set to one VLAN. So far so good: most of the traffic in this VLAN goes to the VPN. But when I ping my local WAN address, OPNsense decides to send the traffic directly to my local WAN interface. Is there a way to deny that? I managed with a simple access rule with an alias that the traffic does not go to the other VLANs. I would really like to access my WAN interface, but from my US IP address.

Many thanks for some good ideas  ;)

Title: Re: VLAN <--> VPN traffic
Post by: bartjsmit on June 10, 2016, 06:34:31 pm
No router will forward a packet for a subnet that it has an interface on.

If you want to connect to your external WAN interface from the public side, you will need to do it from a host that does not have OPNsense as its default gateway.

Any reason why you want the traffic to take the scenic route?

Title: Re: VLAN <--> VPN traffic
Post by: franco on June 10, 2016, 08:54:53 pm
Hi Jörg,

I'm with Bart here; maybe I did not get this completely... it's going to be rather difficult.

Routing through the VPN is no problem, but it will not properly send your traffic back. You'd have to find a way, e.g. with a second VPN, to go to the other side through the same tunnel and set up a special gateway route on your origin VLAN to your inner VPN tunnel end; the inner tunnel will terminate in the US location, where the default route is set to go back through the outer tunnel, where the default route will then do what you want. ;)

Title: Re: VLAN <--> VPN traffic
Post by: Joerg on June 10, 2016, 09:36:32 pm

First, thanks. I think my explanation was a bit unclear.  :o  My use case is that I'm using two VLANs here. One VLAN is used for local internet traffic. Most of my clients are in that network. The other VLAN is only for the US internet. The US VLAN should be isolated like a guest network. Actually I managed to isolate it via an access rule for connections to the other VLANs. As soon as I ping my local WAN address, it gets a direct reply from OPNsense. Is there a way to block this?
The goal is that all the traffic in the US VLAN should go through the VPN and have no connection anywhere else.

I hope it makes it a bit clearer. :P
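The isolation Joerg describes, written out as the underlying pf(4) rules rather than GUI rules, as an added illustration that is not part of the thread. Interface name, table contents and the rule order are assumptions; the point is that a reply to a ping at the firewall's own WAN address is generated by OPNsense itself, so it has to be blocked on the US VLAN interface inbound, before the host stack answers, and before the pass rule that hands the remaining traffic to the IPsec phase 2.

```pf
# Hypothetical: the US VLAN interface and the other local VLAN subnets
us_vlan = "vlan20"
table <other_vlans> { 192.168.10.0/24, 192.168.30.0/24 }   # constructed values

# Drop anything from the US VLAN aimed at any address owned by the firewall
# (WAN, LAN and other VLAN interface addresses), so the local WAN IP does not
# answer directly
block in quick on $us_vlan from $us_vlan:network to self

# Drop traffic to the other VLAN subnets (the alias rule from the thread)
block in quick on $us_vlan from $us_vlan:network to <other_vlans>

# Everything else is allowed in and is then matched by the IPsec phase 2
# selector for this VLAN, so it leaves through the tunnel
pass in on $us_vlan from $us_vlan:network to any keep state
```

Reaching the public WAN address from the US side, as bartjsmit notes, still needs a host whose traffic actually arrives from outside; these rules only stop the short-circuited local reply.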