OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: bmt on April 14, 2023, 02:28:08 pm

Title: Traffic routing to incorrect interface
Post by: bmt on April 14, 2023, 02:28:08 pm
Right, so this is a weird one.

OPNsense 23.1.5_4-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

WAN: Dual, igb0 and igb1.
VPN: Zerotier, Wireguard
Firewall Alias: Telephony - contains all IP phones, voip-related services.

Firewall is configured to block inbound on the Telephony alias on Zerotier and Wireguard interfaces.

I've been struggling with the shaper / pipes etc to separate out voip and data. Configured the rule on the WAN (igb0) and LAN (igb3) interfaces to cover both upload and download. When checking the shaper status, the rules would never get hits on a rule to push UDP 5060 into the voip pipe. I ran the packet capture across all interfaces and found that all UDP 5060 was going through the Zerotier interface (pic attached - 192.168.10.9 is the voip server onsite).

Side note - the VoIP service is 3CX, which seems to be very chatty on all sorts of ports. But my main concern is the packet capture showing the traffic on the wrong port.

Any advice, or is there something I'm doing wrong?

Thanks in advance.
Title: Re: Traffic routing to incorrect interface
Post by: bigops on April 14, 2023, 03:01:22 pm
This issue seems to be similar to something which I had raised earlier here (https://forum.opnsense.org/index.php?topic=31961.msg154479#msg154479). But there was no response or solution. The workaround that I am working on is to reset the state table after the firewall has any reboots or upgrades, and once the state table is reset the routing seems to work fine.
Title: Re: Traffic routing to incorrect interface
Post by: bmt on April 14, 2023, 05:06:46 pm
Thanks, I'll give this a try and see if it works.
Title: Re: Traffic routing to incorrect interface
Post by: bmt on April 15, 2023, 08:00:13 am
This worked! I confirmed using packet capture, all traffic flowing to/from the correct interfaces now...thank you!
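
Added example, not part of the thread: a shell check for the symptom described above. It lists pf states for the VoIP server's UDP 5060 that sit on an interface other than the expected WAN/LAN, so stale states can be spotted (and cleared per host) without resetting the whole table. It assumes interface-bound states, whose `pfctl -ss` lines start with the interface name; `zt0` and the public addresses are constructed placeholders.

```sh
#!/bin/sh
# Constructed sample in `pfctl -ss` layout: <if> <proto> <addr> [(nat)] <dir> <addr> <state>
# 192.168.10.9 is the VoIP server from the thread; everything else is made up.
SAMPLE_STATES='igb0 udp 203.0.113.10:5060 (192.168.10.9:5060) -> 198.51.100.20:5060 MULTIPLE:MULTIPLE
igb3 udp 198.51.100.20:5060 <- 192.168.10.9:5060 MULTIPLE:MULTIPLE
zt0 udp 198.51.100.20:5060 <- 192.168.10.9:5060 SINGLE:NO_TRAFFIC
zt0 udp 198.51.100.20:5060 <- 192.168.10.9:50601 SINGLE:NO_TRAFFIC
all udp 198.51.100.20:5060 <- 192.168.10.9:5060 MULTIPLE:MULTIPLE'

# stale_states HOST:PORT IF1,IF2,...
# Reads state lines on stdin and prints the UDP states that involve exactly
# HOST:PORT but are bound to an interface outside the allowed list.
# States not bound to an interface (first column "all") are skipped,
# because the line does not say which interface carries them.
stale_states() {
    awk -v hp="$1" -v ok="$2" '
        BEGIN { n = split(ok, a, ","); for (i = 1; i <= n; i++) good[a[i]] = 1 }
        $2 == "udp" && $1 != "all" && !($1 in good) {
            for (f = 3; f <= NF; f++) {
                x = $f
                gsub(/[()]/, "", x)          # NAT addresses are shown in parentheses
                if (x == hp) { print; next } # exact match, so :50601 is not :5060
            }
        }'
}

# kill_host_states HOST
# Narrower alternative to a full state reset: drop only the states
# from and to one host. Must run as root on the firewall itself.
kill_host_states() {
    pfctl -k "$1"                 # states originating from HOST
    pfctl -k 0.0.0.0/0 -k "$1"    # states from anywhere to HOST
}

# Demo on the constructed sample; on the firewall use:
#   pfctl -ss | stale_states 192.168.10.9:5060 igb0,igb3
printf '%s\n' "$SAMPLE_STATES" | stale_states 192.168.10.9:5060 igb0,igb3
```

Only the `zt0` state for port 5060 is reported for the sample; after clearing states, a repeat run on live `pfctl -ss` output should print nothing.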