OPNsense Forum

English Forums => Virtual private networks => Topic started by: gougere89 on January 23, 2023, 09:32:41 pm

Title: Issue when trying to forward an internet server's IP address to an intranet IP
Post by: gougere89 on January 23, 2023, 09:32:41 pm
Hello,

My friend and I are running into an issue setting up a tunnel to redirect traffic from an OVH server to a Proxmox VM behind an OPNsense firewall.

Here is what we're trying to do:
1) The OVH server has 2 IP addresses. We want its additional IP to forward the traffic to a VM on a Proxmox server behind an OPNsense firewall.
2) We used different setups, with either GRE or WireGuard, set up either on the OPNsense or on the VM directly, but we're facing different issues.

For each protocol, we tried this configuration:

- 10.0.0.1 => OPNsense OR the VM directly
- 10.0.0.2 => The OVH server.
- 10.20.0.5 => The VM's IP address, in a LAN managed by OpnSense.

In the past I did set up different configurations of the same type, but I didn't use OPNsense at the time. For the GRE example, I used this article (https://wiki.buyvm.net/doku.php/gre_tunnel) as a base, where the "unfiltered IP" is my OVH server's main address and the "filtered IP" is the secondary address (used to forward the packets to the VM).

When setting up the GRE tunnel on OPNsense:
- 10.0.0.2 was able to ping 10.0.0.1
- but neither 10.0.0.1 nor the VM was able to ping 10.0.0.2

So we tried setting up a Wireguard tunnel instead.
The ping worked, but we couldn't manage to find how to:
a) forward packets received by 10.0.0.1 to 10.20.0.5
b) forward packets received by the server's secondary IP to 10.0.0.1 (it's a Linux server, so I tried the iptables approach given by the article linked above, but I get a timeout when trying to connect to the app hosted on the VM via the OVH server's secondary IP address)

We ended up trying to set up WireGuard on the VM directly (so the VM gets the 10.0.0.1 IP inside the tunnel), but we also face issue "b": we aren't able to redirect the traffic from the server to the VM. We're wondering if there's a rule (other than authorizing port udp/51820 for WireGuard) to configure in the OPNsense firewall.

My friend made a network graph:
(https://calckey-villisek.ams3.cdn.digitaloceanspaces.com/calckey-villisek/calckey/c3f9ddda-4d97-4198-ba91-275c1d1b5a50.png)

The "debian" server is the OVH server, while the OPNSense and Proxmox ones are self-hosted.

Thank you in advance for your help; we can provide any necessary information.
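The forwarding step the post calls "b" (secondary OVH IP into the tunnel towards 10.0.0.1), written out as an added example that is not from the post or the linked article. It only prints the rules for review rather than applying them; the tunnel addresses are the post's, while the secondary IP placeholder, the interface names (eth0, wg0) and the forwarded port are assumptions. The SNAT line is the part most often missed: without it the VM answers via its default gateway (the OPNsense WAN) instead of back through the tunnel, which shows up as exactly the timeout described.

```shell
#!/bin/sh
# Added example: emits the iptables rules for forwarding a connection that
# arrives on the OVH secondary IP into the WireGuard tunnel. Run on the OVH
# (Debian) host; review the output, then apply it line by line.
SECONDARY_IP="${SECONDARY_IP:-203.0.113.10}"  # placeholder for the OVH secondary IP (assumption)
OVH_TUNNEL_IP="10.0.0.2"                       # OVH end of the tunnel (from the post)
PEER_TUNNEL_IP="10.0.0.1"                      # OPNsense or VM end of the tunnel (from the post)
PUB_IF="${PUB_IF:-eth0}"                       # public interface name (assumption)
WG_IF="${WG_IF:-wg0}"                          # WireGuard interface name (assumption)
APP_PORT="${APP_PORT:-443}"                    # port of the app on the VM (assumption)

forward_rules() {
  cat <<EOF
# Allow the kernel to route between interfaces at all.
sysctl -w net.ipv4.ip_forward=1
# 1) Rewrite the destination: traffic to the secondary IP goes to the tunnel peer.
iptables -t nat -A PREROUTING -i $PUB_IF -d $SECONDARY_IP -p tcp --dport $APP_PORT -j DNAT --to-destination $PEER_TUNNEL_IP
# 2) Rewrite the source so the peer replies back through the tunnel, not via its own default gateway.
iptables -t nat -A POSTROUTING -o $WG_IF -d $PEER_TUNNEL_IP -p tcp --dport $APP_PORT -j SNAT --to-source $OVH_TUNNEL_IP
# 3) Only the forwarded port may enter the tunnel; replies are matched by conntrack state.
iptables -A FORWARD -i $PUB_IF -o $WG_IF -d $PEER_TUNNEL_IP -p tcp --dport $APP_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Count the rules that would be applied (comments and sysctl excluded).
rule_count() {
  forward_rules | grep -c '^iptables '
}

forward_rules
```

When the tunnel ends on OPNsense instead of on the VM, the same DNAT idea has to be repeated there (a port forward on the WireGuard interface from 10.0.0.1 to 10.20.0.5 with a matching firewall rule), since 10.0.0.1 is then OPNsense, not the VM.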