OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: FCM on April 03, 2018, 05:15:23 pm

Title: VPN with DNS and client problem
Post by: FCM on April 03, 2018, 05:15:23 pm
Hello :)

1. The situation:
I am trying to have a VPN between our main site and a distant site.
The main site uses a Stormshield as firewall; the distant one uses an OPNsense firewall.
Nomad users can reach our main site when connecting to the Stormshield with the NETASQ/Stormshield tool.
The OPNsense connects to the Stormshield; I can ping computers in the main site network, but only by their IP, I can't resolve internal names.
The client computers connected to the OPNsense (using the OPNsense as DHCP and gateway) can't see the main site servers, neither by IP nor by name.

2. The networks:
The main site uses 192.168.20.0/23 as its main address range.
The distant site is on 192.168.69.0/24.
The tunnel is on 192.168.165.0/24.

3. OPNsense settings:
I used the wiki topic on site-to-site VPN: https://wiki.opnsense.org/manual/how-tos/sslvpn_s2s.html
and managed to connect both sites (VPN connection picture below).
I put the DNS servers from my main site on the OPNsense, but even if they are queried they don't answer about their network (DNS & DNS2 pictures).
I activated the VPN interface (interfaces picture) and the Dnsmasq DNS (on all).

4. So what did I miss?
I suppose that firewall and NAT rules have to be made? But how? The wiki speaks about creating the link but not about how to let other computers use it...
For the DNS it is perhaps an option on the DNS, or on which interface to put the DNS, but I don't see how to do that...

I think that my networks are standard, so the problem should be simple to correct, but I don't have the knowledge to resolve it.

Thanks in advance.
Title: Re: VPN with DNS and client problem
Post by: Ciprian on April 20, 2018, 02:02:13 pm
I have a similar setup and use two domain override entries in Unbound DNS:

1. Domain: remotesite.domain.local --- IP (of the DNS server for that domain): 192.168.2.1
2. Domain: 2.168.192.in-addr.arpa --- IP: 192.168.2.1

The first is for forward resolution (FQDN to IP) and the second is for reverse resolution (IP to FQDN). It only works for FQDNs, so only for "ping host1.remotesite.domain.local" and not for "ping host1".

VERY IMPORTANT: if you use Unbound, it is mandatory to allow (create an entry for) the remote site subnet in the ACL/Access List in Unbound.

Hope it helps!
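An added example, not from the thread, that works out those override entries for the networks in the question: reverse delegation in in-addr.arpa is per /24, so a /23 like the main site's 192.168.20.0/23 needs two reverse overrides, not one, and the script also renders the unbound.conf equivalent of the GUI entries (forward-zone stanzas plus the access-control line for the remote subnet). The remote domain name and DNS server address used at the bottom are placeholders.

```python
import ipaddress

def reverse_zones(cidr):
    """in-addr.arpa zone names that cover an IPv4 network.

    Reverse zones are delegated on octet boundaries, so a prefix shorter
    than /24 (the /23 main site in the question) needs one override per
    /24 block; a /24 or longer prefix maps onto a single zone.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 networks only")
    if net.prefixlen < 24:
        blocks = list(net.subnets(new_prefix=24))
    else:
        blocks = [net.supernet(new_prefix=24)]
    zones = []
    for block in blocks:
        o = str(block.network_address).split(".")
        zones.append(f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa")
    return zones

def override_entries(domain, remote_cidr, remote_dns):
    """(zone, DNS IP) pairs for the Unbound domain overrides: one forward
    entry for the remote domain plus one reverse entry per /24 block."""
    ipaddress.ip_address(remote_dns)  # fail early on a malformed address
    zones = [domain] + reverse_zones(remote_cidr)
    return [(zone, remote_dns) for zone in zones]

def unbound_fragment(domain, remote_cidr, remote_dns):
    """Render the unbound.conf equivalent of the GUI settings: an
    access-control line admitting the remote subnet (the ACL entry the
    reply calls mandatory) and one forward-zone stanza per override."""
    net = ipaddress.ip_network(remote_cidr, strict=False)
    lines = ["server:", f"    access-control: {net} allow", ""]
    for zone, addr in override_entries(domain, remote_cidr, remote_dns):
        lines += ["forward-zone:", f'    name: "{zone}"',
                  f"    forward-addr: {addr}", ""]
    return "\n".join(lines).rstrip() + "\n"

if __name__ == "__main__":
    # Constructed values: the main site's 192.168.20.0/23 from the question
    # with a hypothetical domain and DNS server address on that network.
    print(unbound_fragment("mainsite.example.local", "192.168.20.0/23",
                           "192.168.20.10"))
```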
Title: Re: VPN with DNS and client problem
Post by: FCM on April 20, 2018, 02:13:58 pm
Thanks for the answer, but I put two OPNsenses for the VPN tunnel with Unbound and it works this way... The Stormshield stays for road warriors until I do the road warrior tunnel on the OPNsense :)