OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: jonakarl on March 23, 2017, 04:23:34 pm

Title: OpenVPN CSO only works for "default tunnel network"
Post by: jonakarl on March 23, 2017, 04:23:34 pm
Hi,

I have multiple VLANs/subnets (one subnet per VLAN); only certified personnel should have access to the mgmt subnets.
I have a problem with CSO where I get no traffic through the firewall to my internal LAN when using a different tunnel network from the one I specify on the server page. I had this working in pfSense but I cannot get it working in OPNsense.

Current setup:
I have two OpenVPN servers, one for admins and one for clients; the "user" tunnel network is 10.0.8.0/24 and admin uses 10.0.10.0/24.
I block all outgoing traffic to the admin LANs from 10.0.8.0/24 on the OpenVPN interface.
This works but is cumbersome.

What I would like to have:
One OpenVPN server, and use CSO to put the admin personnel on a different tunnel network (i.e. 10.0.10.0/24) so I can filter this in the firewall later.

The CSO works to the extent that when I connect with a user that matches the CSO, I get 10.0.10.1 as gateway (strangely also a route to 10.0.8.5). However I cannot ping any IP on the other side of the tunnel (10.0.10.2, my side of the tunnel, works).

Any clues on where to start debugging would be helpful since I cannot see anything in the logs.

Title: Re: OpenVPN CSO only works for "default tunnel network"
Post by: djGrrr on March 23, 2017, 05:04:29 pm
I suspect you are missing an outbound NAT rule for the admin network source, you may need to manually add it.

Title: Re: OpenVPN CSO only works for "default tunnel network"
Post by: jonakarl on March 30, 2017, 03:13:43 pm
I suspect you are missing an outbound NAT rule for the admin network source, you may need to manually add it.

I thought so too, however I have added a second OpenVPN server that uses the exact same subnet range and that added an outbound NAT on my WAN interface (that works). So in theory the NAT rules should already be in place (by the second VPN server).

Sorry for the noob questions but I do not fully understand what OPNsense does when I run the OpenVPN wizard. I suspect it adds a "hidden"/virtual interface and adds some firewall/NAT rules, but since I do not know the exact procedure it is very difficult for me to debug this.
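The thread's question (CSO-pushed addresses outside the server's tunnel network) and djGrrr's NAT point both come down to the same check: which networks do the overrides push clients into that the server's own `server` directive never set up? OpenVPN only installs a kernel route to the tun interface for the configured tunnel network, and the firewall's automatic rules and outbound NAT are likewise generated for that network only, so any other pushed network needs its own route, pass rule and NAT entry. The script below is an added example, not code from this thread or from OPNsense or OpenVPN; the usernames, the `ifconfig-push` lines and the /24 prefix length are constructed assumptions, and the suggestion to place the generated `route` lines in the OPNsense server's Advanced box is an assumption as well.

```python
import ipaddress

# Constructed model of the setup described in the thread: one OpenVPN server
# whose tunnel network is 10.0.8.0/24, and client-specific overrides (CSOs)
# that push admin accounts into 10.0.10.0/24. The usernames are hypothetical.
SERVER_TUNNEL = "10.0.8.0/24"
CSO_PUSHES = {
    "admin1": "ifconfig-push 10.0.10.2 10.0.10.1",
    "user1":  "ifconfig-push 10.0.8.5 10.0.8.1",
    "admin2": "ifconfig-push 10.0.10.3 10.0.10.1",
}


def parse_ifconfig_push(line):
    """Split an OpenVPN 'ifconfig-push <client-ip> <gateway-ip>' line (topology
    subnet form) into two ip_address objects; reject anything else."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        raise ValueError(f"not an ifconfig-push line: {line!r}")
    return ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])


def extra_tunnel_networks(server_tunnel, csos, prefixlen=24):
    """Return {network: [usernames]} for every network, outside the server's
    own tunnel network, that a CSO pushes a client into. Each of these is a
    network the wizard did not set up: it needs a kernel route to the tun
    interface, a firewall pass rule, and (for internet access) outbound NAT.
    The prefix length is an assumption; OpenVPN itself only pushes a /32 host
    address plus a gateway."""
    server_net = ipaddress.ip_network(server_tunnel)
    extra = {}
    for name, line in csos.items():
        client_ip, gateway = parse_ifconfig_push(line)
        if client_ip in server_net:
            continue  # covered by the 'server' directive already
        net = ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False)
        if gateway not in net:
            # A gateway outside the client's subnet is unreachable from the
            # client; this is the first thing to check in a non-working CSO.
            raise ValueError(f"{name}: gateway {gateway} is not inside {net}")
        extra.setdefault(net, []).append(name)
    return extra


def route_directives(server_tunnel, csos, prefixlen=24):
    """OpenVPN server-side 'route' lines that add a kernel route for each extra
    network via the tun interface (assumed placement on OPNsense: the server's
    Advanced configuration box)."""
    nets = sorted(extra_tunnel_networks(server_tunnel, csos, prefixlen))
    return [f"route {net.network_address} {net.netmask}" for net in nets]


if __name__ == "__main__":
    for net, users in extra_tunnel_networks(SERVER_TUNNEL, CSO_PUSHES).items():
        print(f"{net}: pushed to {', '.join(users)}; needs route, pass rule, outbound NAT")
    for line in route_directives(SERVER_TUNNEL, CSO_PUSHES):
        print(line)
```

With the constructed overrides above the script reports 10.0.10.0/24 as the one network the server never configured, which is exactly the network the original poster can reach from the client side but not from the LAN side; the same function can be pointed at a real set of CSO entries to list every network that still needs a route, a pass rule on the OpenVPN interface and an outbound NAT entry.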