OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: woo on November 04, 2016, 10:48:14 am

Title: more confusion about VPN routing
Post by: woo on November 04, 2016, 10:48:14 am
Hi again,
I've stumbled upon some other confusing issue with my OPNsense-as-VPN-concentrator project...
for some reason, there seems to have been a change in routing behaviour recently that I can't find the reason for.
When I started with the setup, I saw all connections from dialled-in users as coming from their virtual IP addresses (configured via ifconfig-push in the CSCs), and I set up the firewall rules accordingly (users' VPN IP allow RDP to their workstation IP). For some reason, recently I only see connections in the log seeming to originate from the OPNsense LAN IP, even though they clearly are initiated by VPN-connected users.
I don't recall changing anything in the setup except adding more users...
Can anyone provide a hint on what could cause this behaviour? It kinda messes up my whole security concept...
Title: Re: more confusion about VPN routing
Post by: bartjsmit on November 04, 2016, 06:16:00 pm
If a VPN user has a source IP from the firewall, then the firewall is applying NAT

Bart...
Title: Re: more confusion about VPN routing
Post by: woo on November 07, 2016, 09:45:16 am
I was just going to post "But I didn't create any NAT rules recently!" - but then I went to double-check... and it seems that OPNsense auto-created a set of NAT rules when I set up an IPsec Mobile service last week to test something, and did not remove them when I deleted that IPsec service again.
Even weirder - I can't seem to get rid of those rules without switching to full-manual mode, which I would actually like to avoid.
The rules don't even make sense to me... "Auto created rule for ISAKMP - OpenVPN server -> LAN" - when did OpenVPN start to use ISAKMP?!
There's something going wrong here with the automatic rule creation...
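A quick way to confirm Bart's diagnosis (clients showing up as the firewall address means outbound NAT is being applied) and to spot leftover auto-generated rules like the ones woo found, as an added example that is not part of the thread and not OPNsense's own code: paste the output of `pfctl -s nat` from the firewall into the script below and it reports every `nat` rule whose source network overlaps the OpenVPN tunnel network. The sample lines, interface names (em0/em1) and networks (10.8.0.0/24 as the OpenVPN tunnel, 192.168.1.0/24 as LAN) are constructed assumptions modelled on pf's rule syntax, not values from the original posts.

```python
"""Flag pf NAT rules that would rewrite OpenVPN client source addresses.

Added example for the thread above; not code from the forum or from OPNsense.
Input is text in the shape printed by `pfctl -s nat`. Any `nat` rule whose
source spec overlaps the OpenVPN tunnel network will make dialled-in clients
appear as the firewall's own address, which defeats per-user firewall rules.
"""
import ipaddress
import re

# Constructed sample modelled on `pfctl -s nat` output. Interfaces, networks
# and the public address are assumptions, not taken from the original posts.
SAMPLE_PFCTL_NAT = """\
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
nat on em1 inet from 10.8.0.0/24 to 192.168.1.0/24 -> (em1) port 1024:65535
nat on em1 inet from 10.9.0.0/24 to 192.168.1.0/24 -> (em1) port 1024:65535
rdr on em0 inet proto tcp from any to 203.0.113.10 port = 443 -> 192.168.1.20
"""

# Matches the leading part of a pf `nat` rule: interface, optional address
# family, source, destination and the translation target (possibly "(ifname)").
NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) (?:inet6? )?"
    r"from (?P<src>\S+) to (?P<dst>\S+) -> \(?(?P<target>[^)\s]+)\)?"
)


def parse_nat_rules(text):
    """Return one dict per `nat` rule; rdr/binat lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        rules.append({
            "iface": m["iface"],
            "src": m["src"],
            "dst": m["dst"],
            "target": m["target"],
            "raw": line.strip(),
        })
    return rules


def _as_network(spec):
    """Turn a pf address spec into an ip_network; 'any' is all of IPv4 here."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def nat_rules_rewriting(tunnel_net, text):
    """Return the nat rules whose source would match a client in tunnel_net."""
    tunnel = ipaddress.ip_network(tunnel_net)
    hits = []
    for rule in parse_nat_rules(text):
        try:
            src = _as_network(rule["src"])
        except ValueError:
            # Hostnames or <tables> cannot be resolved offline; skip them.
            continue
        if src.version == tunnel.version and src.overlaps(tunnel):
            hits.append(rule)
    return hits


if __name__ == "__main__":
    # Assumed OpenVPN tunnel network; replace with the real one.
    for rule in nat_rules_rewriting("10.8.0.0/24", SAMPLE_PFCTL_NAT):
        print("VPN clients are NATed by:", rule["raw"])
```

On the firewall the real input comes from `pfctl -s nat` (run via ssh or the shell), and each hit is a rule to remove from Firewall > NAT > Outbound (or to override with a no-NAT rule for the tunnel network placed above it) so that the per-user rules keyed on clients' virtual IPs match again.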