OPNsense Forum

English Forums => General Discussion => Topic started by: tonnoplast on February 25, 2018, 03:25:54 pm

Title: Selecting the preferred source IP address
Post by: tonnoplast on February 25, 2018, 03:25:54 pm
My ISP's DHCP assigns me a private, dynamic IP address (10.151.105.106/26), and in this subnet I have my default gateway (10.151.105.65). Then I have a static, public IP address assigned, let's say 2.234.35.29/32. I can't connect to the Internet using my private IP address (I get an ISP redirection to an error page), but if my outgoing packets have the src address set to 2.234.35.29, the gateway accepts them and everything works. I set 2.234.35.29 as "Alias IPv4 address" for the Ethernet interface, so the situation is:

Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
        ether d0:d4:12:xx:xx:xx
        hwaddr 00:00:24:xx:xx:xx
        inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0 prefixlen 64 scopeid 0x1
        inet 10.151.105.106 netmask 0xffffffc0 broadcast 10.151.105.127     # dhcp assigned
        inet 2.234.35.29 netmask 0xffffffff broadcast 2.234.35.29           # alias
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

The point is, OPNsense (FreeBSD) chooses 10.151.105.106 as the source address for locally generated outgoing packets, as this address is in the same subnet as the default gateway, I guess. I want it to generate packets with src=2.234.35.29 by default. This seems to be easily doable in Linux [1] (route ... src ...), but I can't find an equivalent in OPNsense's interface, and apparently the src option is not available in FreeBSD's route command.

I dug deep into the FreeBSD forum, and other people asked similar questions in the past. They were pointed towards policy based routing or to setfib. I read about policy based routing, but it seems to me that it is helpful in setting, for example, the next hop of a packet (ipfw add fwd ..., that is source based routing), but I couldn't find a way to change the default source address. On the other hand, setfib seems conceived to set routing tables per-process, not system wide.

Again: I don't want to do source based routing, but somehow the contrary: route based source selection.

Changing the src address with a rule under Firewall→NAT→Outbound does the job, but I don't think it's the best thing to do.
I would like the packets to be generated with the correct address in the first place.

What could I try?

I'm running OPNsense 18.1.2.

Thank you.

[1] https://manpages.debian.org/stretch/iproute2/ip-route.8.en.html
Title: Re: Selecting the preferred source IP address
Post by: bartjsmit on February 26, 2018, 08:19:32 am
Your ISP seems to use CGN: https://en.wikipedia.org/wiki/Carrier-grade_NAT

This severely restricts your options; you cannot host any services such as web or VPN.

I would complain bitterly and/or move to a provider that is more tech-friendly.

Bart...
Title: Re: Selecting the preferred source IP address
Post by: tonnoplast on February 26, 2018, 10:41:01 am
That's exactly the case, but I asked for the additional public and static IPv4 address I mention. With that address I can host services and do whatever I want, and it works. I'd just like to generate outgoing packets with this IP as the source IP, without changing it afterwards with a NAT rule.
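
Added example, not part of the thread: the first post's distinction between the source address the kernel picks from the routing table and one that is set explicitly, shown with sockets. It pins the source per socket with bind(), which is not the system-wide default the post asks for. The loopback addresses are constructed stand-ins (on the setup above the pinned address would be 2.234.35.29), and the function names are hypothetical.

```python
import socket

# Constructed stand-ins: 127.0.0.1 plays the address the kernel prefers,
# 127.0.0.2 plays the alias we want as source. Linux answers for all of
# 127.0.0.0/8 on lo; on FreeBSD add 127.0.0.2 as an alias on lo0 first.

def kernel_chosen_source(dest_ip, port=9):
    """Return the source address the kernel selects for dest_ip.

    connect() on a UDP socket only performs the route lookup and fixes
    the local address; no packet is sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, port))
        return s.getsockname()[0]

def source_seen_by_peer(server_ip, bind_ip=None):
    """Open a TCP connection to a local listener and return the source
    address the listener observes, optionally pinning it with bind()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.settimeout(5)
        srv.bind((server_ip, 0))          # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(5)
            if bind_ip is not None:
                # bind() before connect() overrides the kernel's choice
                # for this socket only.
                cli.bind((bind_ip, 0))
            cli.connect((server_ip, port))
            conn, peer = srv.accept()
            conn.close()
            return peer[0]

if __name__ == "__main__":
    print("kernel default :", kernel_chosen_source("127.0.0.1"))
    print("peer sees      :", source_seen_by_peer("127.0.0.1"))
    print("peer sees bound:", source_seen_by_peer("127.0.0.1", "127.0.0.2"))
```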