OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: opnsense@f2f10.com on June 03, 2017, 09:41:25 pm

Title: policy based routing, multiple routing tables
Post by: opnsense@f2f10.com on June 03, 2017, 09:41:25 pm
Hi Team,

New to opnSense, which is great! However, I have been using openWRT for more than 10 years, and the one thing that makes a complete switch-over difficult for me is described below.

In Linux (openWRT), I can leverage policy routing with IPROUTE2 using different routing tables. I can use that to make my VPN provider's connection the default for all of 0.0.0.0/1 and 128.0.0.0/1, while incoming SSH/SMTP etc. on my real WAN still get their reply packets sent back out the WAN, not through the VPN provider. I can also make one of my internal DMZ subnets send its outgoing traffic via the real WAN, not the VPN provider.

I researched a bit on opnSense and pfSense, and it is not clear to me how to do this. Further research about FreeBSD says it is possible by "recompiling the kernel" with multiroutetable=2, etc.

I was wondering whether you guys can provide some leads on this. If it can be done in the next release, that's great to know as well.

thanks
Title: Re: policy based routing, multiple routing tables
Post by: bartjsmit on June 03, 2017, 10:09:23 pm
Would this meet your requirements? https://docs.opnsense.org/manual/how-tos/quagga.html

Bart...
Title: Re: policy based routing, multiple routing tables
Post by: opnsense@f2f10.com on June 03, 2017, 10:41:35 pm
Thanks for the quick reply!

However, that seems to be a dynamic routing process. I just need a few lines of code to let SSH to my WAN IP have its reply packets go back out via the WAN, not the VPN default. Same for the other DMZ network...

Linux has that multiple-routing-table feature, and it's quite easy to route traffic based on which interface the traffic is coming from or based on the source subnet the traffic is coming from. So you can use an alternate routing table, instead of the default routing table, to route some traffic out another interface. Something like the links below.

http://www.microhowto.info/howto/ensure_symmetric_routing_on_a_server_with_multiple_default_gateways.html
https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming
https://wiki.openwrt.org/doc/networking/routing
https://prosauce.org/blog/2010/12/22/route-based-on-source-ip-address-linux-bsd.html
http://wiki.stocksy.co.uk/wiki/Multiple_default_routes_in_FreeBSD_without_BGP_or_similar
https://lists.freebsd.org/pipermail/freebsd-arch/2007-December/007331.html
https://www.mmacleod.ca/2011/06/source-based-routing-with-freebsd-using-multiple-routing-table/
Title: Re: policy based routing, multiple routing tables
Post by: opnsense@f2f10.com on June 03, 2017, 10:54:01 pm
Here are a few lines from one of my scripts that do this on openWRT: bypassing the VPN provider's default routes for certain outgoing traffic and for return traffic from a defined interface or IP...

    source /etc/profile

    ## SIP server and gateway: traffic to these hosts uses the alternate table
    ip rule add to xxxxx/32 priority 53 table teksvy
    ip rule add to xxxxx2/32 priority 54 table teksvy
    ip rule add to xxxxx/32 priority 55 table teksvy

    # ip rule add oif eth1 table teksvy
    # ip rule add oif pppoe-wan table teksvy

    # this is my static or dynamic-DNS-resolved ISP WAN IP: replies leave via the WAN
    ip rule add from xxxxxx/32 priority 59 table teksvy
    # this is my DMZ traffic: egress bypasses the VPN
    ip rule add from 192.168.140.0/24 priority 100 table teksvy
    # DMZ to the other internal subnets stays on the main table (lower priority number wins)
    ip rule add from 192.168.140.0/24 to 192.168.0.0/16 priority 90 table main
    # this is adding a default gw to the alternate route table ($TKGW comes from the environment)
    ip route add default via "$TKGW" table teksvy
    ip route flush cache
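To show why these rules give symmetric routing, here is an added model (not code from the thread) of how Linux evaluates ip rules by priority and then does a longest-prefix match inside the selected table. The addresses, the WAN IP 198.51.100.7, the SIP host 203.0.113.10, and the gateway labels ISP_GW/VPN_GW are constructed placeholders; teksvy and the DMZ subnet come from the post above.

```python
# Added example: rule + per-table longest-prefix-match lookup, as Linux does it.
from ipaddress import ip_address, ip_network

# Routing tables as (prefix, gateway); longest prefix wins within a table.
TABLES = {
    "main": [
        ("0.0.0.0/0", "ISP_GW"),          # real ISP default route
        ("0.0.0.0/1", "VPN_GW"),          # VPN provider's two injected halves...
        ("128.0.0.0/1", "VPN_GW"),        # ...beat the /0 default by prefix length
        ("192.168.0.0/16", "direct"),     # internal subnets, no gateway
    ],
    "teksvy": [
        ("0.0.0.0/0", "ISP_GW"),          # ip route add default via $TKGW table teksvy
    ],
}

# ip rule entries as (priority, from, to, table); lowest priority is checked first.
RULES = [
    (53, None, "203.0.113.10/32", "teksvy"),            # SIP server (constructed address)
    (59, "198.51.100.7/32", None, "teksvy"),            # WAN IP: replies go out the WAN
    (90, "192.168.140.0/24", "192.168.0.0/16", "main"), # DMZ to internal stays on main
    (100, "192.168.140.0/24", None, "teksvy"),          # other DMZ egress bypasses VPN
    (32766, None, None, "main"),                        # kernel's built-in main rule
]

def lookup_table(table, dst):
    """Longest-prefix match within one table; None when the table has no route."""
    best = None
    for prefix, gw in TABLES[table]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def route(src, dst):
    """Walk rules in priority order; the first matching rule whose table
    has a route decides. Returns (table, gateway) or (None, None)."""
    s, d = ip_address(src), ip_address(dst)
    for _, frm, to, table in sorted(RULES, key=lambda r: r[0]):
        if frm and s not in ip_network(frm):
            continue
        if to and d not in ip_network(to):
            continue
        gw = lookup_table(table, d)
        if gw is not None:          # no route in this table: fall through to the next rule
            return table, gw
    return None, None
```

Without the priority-59 rule, a reply sourced from the WAN IP would hit the main table, where 0.0.0.0/1 outranks 0.0.0.0/0 and the packet would leave via the VPN, which is the asymmetric-return problem described in the first post.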
Title: Re: policy based routing, multiple routing tables
Post by: djGrrr on June 04, 2017, 06:44:02 am
You can use firewall rules to mostly accomplish this, setting a gateway on the rule.
Title: Re: policy based routing, multiple routing tables
Post by: fabian on June 04, 2017, 08:43:54 am
Would this meet your requirements? https://docs.opnsense.org/manual/how-tos/quagga.html

Bart...

FYI (off topic): The docs are not up to date here, as there is a plugin for dynamic routing (os-quagga), so it is easier to work with that. It is off topic because it has no relevance to the original post (which is a question about policy based routing).


Solution: Add gateways (system -> gateways) and choose them in the firewall rules (may be an advanced option)
Title: Re: policy based routing, multiple routing tables
Post by: opnsense@f2f10.com on June 04, 2017, 04:51:15 pm
Hi Guys,

I currently have an openWRT box facing my ISP and opnSense behind the openWRT, so I just tested from my other subnet to the DMZ net which hosts the opnSense WAN. It seemed to work with firewall rules with the appropriate gateways.
I will try it with opnSense facing the ISP some time later to make sure that I can then replace openWRT.

So, on my opnSense, I will have the VPN provider's injected routes, 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway, as well as the default route 0.0.0.0/0 via the real ISP gateway. My end goal is that for incoming traffic to the WAN IP, say SSH, SMTP, etc., the return traffic (whether it's from opnSense itself or from a NATed box behind opnSense in a DMZ subnet) goes back out the WAN (not the VPN). Traffic initiated from the DMZ subnet (VoIP provider traffic, for example) will also go through the WAN (not the VPN).

Just out of curiosity, I issued the following on the box.

root@OPNsense:~ # sysctl net.fibs
net.fibs: 1

I verified the above based on this link (https://forum.ivorde.com/freebsd-multiple-routing-tables-t15241.html); however, it seems that we don't have multiple route tables enabled.

How come it seemed to work even without multiple route tables? I thought that needed to be enabled?!

Are we going to have "multiple route tables" enabled soon? It seems that this is a feature a firewall definitely needs. It may or may not be relevant to what I tried to achieve; however, this feature is the one Linux uses.

thanks a lot!
Title: Re: policy based routing, multiple routing tables
Post by: djGrrr on June 05, 2017, 06:42:42 am
I suspect that multiple routing tables will never be added unless it goes into the stock FreeBSD kernel, as they are generally not needed because policy based routing can be done with firewall rules.