OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: oddjarle on February 16, 2017, 08:02:06 pm

Title: 17.1.1 IPsec blocks traffic no matter what
Post by: oddjarle on February 16, 2017, 08:02:06 pm

Hi
I've tried a bunch of tips found here on the forum to try and solve my issue.
Using 16.7 I had no problems, like many others here. VPN worked great.
Since then I've run the upgrade to 17.1 via CLI and then 17.1.1 and all package updates via the GUI.
No changes were made to rules or settings after upgrading.

I can see in my OPNsense logs that traffic via VPN is being blocked.

Action : Block
Time : Feb 16 19:45:11
If : IPsec    
Source : 172.16.31.1:60049    
Destination: 172.16.1.12:8000
Protocol : TCP:S

My VPN-clients gets IPs in 172.16.31.0 /24.
I am trying to reach my LAN at 172.16.1.0 /24, specifically 172.16.1.12 at port 8000 (web service).

Under the IPsec interface I had a rule that allowed 172.16.31.0 /24 to reach 172.16.1.0 /24 at any port and protocols. Since 17.1.1 it didn't work I simplified it to "any" to 172.16.1.0 /24 to see if that helped - nope.

I then added a Floating rule as well from "IPsec net" to "172.16.1.0 /24" any protocols - still no go (of course reconneced VPN in case that was needed for the rule to take effect).

I tried a few sysctl tunables:

root@fw:~ # sysctl net.pf.share_forward=0
net.pf.share_forward: 1 -> 0
root@fw:~ # sysctl net.inet.ipsec.filtertunnel=1
net.inet.ipsec.filtertunnel: 1 -> 1

None helped.

I've also disabled blocking "private" and "bogons" network on my WAN interface - did not help either.

I'm trying to see which pf rule that triggers the blocking, but I haven't found any option in the GUI log viewer to help me pin-point which rule blocks the traffic.

Is this un-solvable at the moment? Any tips is greatly appreciated.

What I plan to test is to remove all IPsec and Floating rules. Reboot the firewall, and add them again. However I can't do that right now so perhaps during the weekend. Do you think that could help ?

Thanks for reading and I hope someone can provide a fix.

Title: Re: 17.1.1 IPsec blocks traffic no matter what
Post by: Andreas on February 17, 2017, 10:37:08 am

Pls read

https://forum.opnsense.org/index.php?topic=4513
https://forum.opnsense.org/index.php?topic=4313