2
18.7 Legacy Series / Re: IPv6 routing via OpenVPN won't work
« on: July 04, 2018, 05:04:20 pm »
Any idea?
Should I move this thread or create an issue on GitHub?
Thanks,
Quentin
3
18.7 Legacy Series / IPv6 routing via OpenVPN won't work
« on: June 24, 2018, 06:28:19 pm »
Hello,
I am working on the configuration of a router using OPNsense.
Here is the desired behavior:
- Two internal VLANs: one "direct" and the other "secure".
- Two "WANs": the main one on the internet (IPv4 & IPv6), and the other an OpenVPN client (to AirVPN).
I want to redirect the "direct" LAN to the main WAN, and the "secure" LAN to the VPN client.
Here is the issue:
I cannot make this work in IPv6.
Let me explain:
- IPv6 works perfectly for the "direct" LAN: the clients are on a /64 public subnet and the routing is working fine.
- IPv4 works perfectly on both LANs, using NAT with a /24 subnet for the "direct" LAN, and redirect gateway to OpenVPN for the "secure" LAN.
But:
- IPv6 never gets out when coming from the "secure" LAN to the VPN.
Here is what I have found while digging into the issue:
- The VPN client works correctly both in IPv4 and IPv6.
- I can make this configuration work by manually setting IPv6 addresses on the VPN interface (using xxxx:xxxx::1 for the gateway, and the VPN-assigned IP for the interface IP).
- It seems that, on VPN connect, the IPv6 settings are not assigned to the interface (as is done for IPv4).
Am I right?
Thanks a lot,
Quentin
4
18.1 Legacy Series / 1.8.6 / 1.8.7 - LAN IPv6 not working (wrong gateway / mac address ?)
« on: May 11, 2018, 12:12:01 am »
Hello,
I'm using an OPNsense box at home to provide two VLANs from my LAN (guest and sandbox VLANs).
I only use one Ethernet interface, where untagged traffic is LAN and two VLANs are defined. Traffic is managed by a Netgear switch. The LAN router is NOT the OPNsense box, but the main home router, on the LAN network.
Everything works correctly in IPv4. LAN computers can reach the OPNsense box correctly. Guest users and sandbox users access the internet using OPNsense (with the LAN IP as the output IP - NAT on the LAN interface).
I currently have a very strange behavior in IPv6.
I have made a /64 delegation for sandboxed clients. It's working fine. No IPv6 for guest clients.
But I'm not able to reach the OPNsense from the LAN... I can reach it from the WAN, but it seems that the ICMP response for the LAN client is sent to the WAN gateway...
Here is a simple tcpdump capture:
01:15:51.616287 xx:xx:xx:xx:xx:89 (oui Unknown) > xx:xx:xx:xx:xx:cb (oui Unknown), ethertype IPv6 (0x86dd), length 94: xx::xx:ad47 > opnsense.xx: ICMP6, echo request, seq 460, length 40
01:15:51.616340 xx:xx:xx:xx:xx:cb (oui Unknown) > xx:xx:xx:xx:xx:3c (oui Unknown), ethertype IPv6 (0x86dd), length 94: opnsense.xx > xx::xx:ad47 ICMP6, echo reply, seq 460, length 40
01:15:51.616547 xx:xx:xx:xx:xx:3c (oui Unknown) > xx:xx:xx:xx:xx:cb (oui Unknown), ethertype IPv6 (0x86dd), length 190: fe80::xx:c3c > opnsense.xx: ICMP6, redirect, xx::xx:ad47 to xx::xx:ad47, length 136
Here is how I understand it:
- The LAN client sends the ping request
- The OPNsense box sends the reply to the wrong MAC address (the LAN gateway one), but the correct IP address.
- The LAN router sends an IPv6 redirect to the OPNsense
--> Nothing comes back to the LAN client...
I'm thinking about something wrong in the routing table, but a ping from the OPNsense to the LAN client works...
I'm looking for some ideas about how to diagnose the issue...
Thanks,
Quentin
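An added example, not code from the post or from the OPNsense project: a shell function that reads a capture in the `tcpdump -e` format shown above and, for every ICMP6 echo reply, checks that the destination MAC is the MAC the matching echo request came from, reporting any ICMP6 redirects as well. The sample capture is constructed with placeholder MACs and addresses modelled on the lines above; the function name is an assumption.

```shell
#!/bin/sh
# Constructed sample in the format of the capture above; the MACs and
# addresses are placeholders, not the poster's real values.
SAMPLE_CAPTURE='01:15:51.616287 02:00:00:00:00:89 (oui Unknown) > 02:00:00:00:00:cb (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8::ad47 > opnsense.example: ICMP6, echo request, seq 460, length 40
01:15:51.616340 02:00:00:00:00:cb (oui Unknown) > 02:00:00:00:00:3c (oui Unknown), ethertype IPv6 (0x86dd), length 94: opnsense.example > 2001:db8::ad47: ICMP6, echo reply, seq 460, length 40
01:15:51.616547 02:00:00:00:00:3c (oui Unknown) > 02:00:00:00:00:cb (oui Unknown), ethertype IPv6 (0x86dd), length 190: fe80::c3c > opnsense.example: ICMP6, redirect, 2001:db8::ad47 to 2001:db8::ad47, length 136'

# check_echo_l2_path: read "tcpdump -e" lines on stdin. For each ICMP6 echo
# reply, compare its destination MAC (field 6) with the source MAC (field 2)
# of the echo request carrying the same seq. A mismatch means the box handed
# the reply to the wrong neighbour (in the post: the LAN gateway), which is
# why a redirect follows: a router only redirects when it receives a packet
# that had a direct on-link path. Prints one line per finding and exits 1
# when at least one reply went astray, 0 otherwise.
check_echo_l2_path() {
  awk '
    function seqno(line) {
      match(line, /seq [0-9]+/)
      return substr(line, RSTART + 4, RLENGTH - 4)
    }
    /ICMP6, echo request/ { req_src[seqno($0)] = $2 }
    /ICMP6, echo reply/ {
      s = seqno($0)
      if ((s in req_src) && req_src[s] != $6) {
        d = $16; sub(/:$/, "", d)          # strip the colon tcpdump appends
        printf "seq %s: reply for %s sent to %s, request came from %s\n", s, d, $6, req_src[s]
        bad++
      }
    }
    /ICMP6, redirect/ {
      printf "redirect from %s (%s) to %s\n", $2, $14, $6
    }
    END { if (bad) exit 1 }
  '
}

# Usage: run the checker over the sample (or over a real capture file).
printf '%s\n' "$SAMPLE_CAPTURE" | check_echo_l2_path || echo "L2 path problem detected" >&2
```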
5
17.7 Legacy Series / Re: Huge headache trying to configure NAT and Multi-WAN...
« on: October 29, 2017, 07:35:17 pm »
Hello,
I'm upping this post as I still have the issue, and I can't figure out how to solve it...
I'll try to explain what I'm trying to do:
Here is my network:
                                   +------------------+
                    +----VLAN 1----+Server on main lan|
                    |              +------------------+
                    |
+-------+     +-----+-------------+
| WWW   +-----+ OPNsense router   |
+--+----+     +-----+-------------+
   |                |
   |                |              +-----------------+
+--+-------------+  +----VLAN 2----+Server behind VPN|
| VPN Provider   |                 +-----------------+
+----------------+
My router is running an OpenVPN client to a VPN provider on the internet. I have two local VLANs, one with direct access to the internet, and the other one (VLAN 2) that accesses the internet via the VPN client.
Now, what is working:
VLAN 1 server can access the internet without any issue. Port forwarding from the internet interface to VLAN 1 server works well too.
VLAN 2 server can access the internet without any issue. All VLAN 2 traffic is sent over the VPN connection to the VPN provider, using a "specific gateway" rule, so the server on VLAN 2 has the VPN provider's outside IP. But the VPN provider gives me one forwarded port (from its outside IP address to the VPN client address). I want to forward this port to the server behind the VPN.
I'm using output NAT on both the internet interface and the VPN client interface.
What is NOT working:
When doing a port forwarding check, I can't connect to the server behind VPN from the internet.
What the tcpdumps show:
- TCP connection comes to the VPN client interface.
- It is forwarded to the server behind VPN
- The server answers to the request
- The answer is routed to the VPN client interface. BUT at this moment, the output NAT is not applied. I mean that I can see the "local server IP > remote host" sent on the ovpnc1 interface.
- The answer never reaches the remote host.
Note:
When making an HTTP test from the server behind the VPN, the output NAT is working, and the request succeeds. The problem only occurs when answering a forwarded request.
I hope that someone here will have an idea to help me find the issue...
Thanks,
Quentin
6
17.7 Legacy Series / Re: Huge headache trying to configure NAT and Multi-WAN...
« on: August 18, 2017, 11:06:10 pm »
Well, the basic fact (excluding this port-forwarding detail) is that I want to have a local subnet of clients accessing the internet through one OpenVPN connection of my router. I don't want my clients to have to deal with OpenVPN; it must be transparent for them.
The great thing is that this is working very well!
I can instantly switch from "normal direct internet" to "VPN routed internet" just by switching VLAN!
Now, my VPN provider (PIA VPN, an online VPN provider) gives me one forwarded port. This port is redirected from the outside IP of their servers to my client, here my router.
I'm just trying to redirect that port to one of the machines on the VLAN configured for VPN routed internet...
7
17.7 Legacy Series / Re: Huge headache trying to configure NAT and Multi-WAN...
« on: August 18, 2017, 10:04:29 pm »
Okay, sorry if I wasn't very clear in my messages
My VPN provider is PIA VPN, so the servers are on the Internet. Here, 12345 is an example port. They are providing me an API to get the forwarded port (that may change). Right now my forwarded port is 39856.
To explain what I'm calling the VPN hosts:
I'm using several VLANs, one DMZ for my servers, one LAN for my computers, and one for the "VPN" computers, that should go on the internet using the VPN connection.
All my VLANs are on the 10.14.0.0/16 subnet.
The 10.14.20.0/24 is the VPN VLAN subnet, with the router on .1 and my "port-forwarded listener" on .2.
I hope that I've been clear enough :S
Thanks,
Quentin
8
17.7 Legacy Series / Re: Huge headache trying to configure NAT and Multi-WAN...
« on: August 18, 2017, 08:22:43 pm »
Not at all.
My VPN provider gave me this port as the "forwarded port".
The host 10.14.20.2 is the server on my LAN (with the router as default gateway: 10.14.20.1) and 10.10.10.1 is the gateway sent by OpenVPN.
For now, all I can say is that the port forwarding on the VPN side is working (I can see incoming TCP connections), and the route-to rule is working too (the host on the LAN has the VPN outside IP address on the Internet).
9
17.7 Legacy Series / Re: Huge headache trying to configure NAT and Multi-WAN...
« on: August 18, 2017, 08:10:56 pm »
Hello !
Thanks for your answers.
I've started to make some more tcpdumps to analyse them with Wireshark.
One strange thing that I can see in the rules file; here is the "pass" rule for my port forwarding:
pass in quick on ovpnc1 reply-to ( ovpnc1 10.10.10.1 ) inet proto {tcp udp} from {any} to {10.14.20.2} port 12345 label "USER_RULE: NAT "
This is the only rule that doesn't have the "keep state" flag. Couldn't this be my problem?
Thanks !
10
17.7 Legacy Series / Re: Huge headache trying to configure NAT and Multi-WAN...
« on: August 17, 2017, 11:26:25 pm »
Hello,
Still the same problem for me...
I think that it could be a problem with the "Reply-to" flag...
How can I view these flags using some tcpdumps?
Thanks a lot !
Quentin
11
General Discussion / Re: Captive Portal Restart After Hardware Reboot
« on: August 16, 2017, 06:16:42 pm »
Works perfectly for me, thanks!
12
17.7 Legacy Series / Huge headache trying to configure NAT and Multi-WAN...
« on: August 16, 2017, 06:01:10 pm »
Hello,
I'm trying to configure some port-forwarding on my router without any success...
Here is my situation:
A simple configuration: 1 Wan, 1 Lan to start with
On top of this, I have one VPN client and one VLAN (over the LAN port) for VPN users.
What I've succeeded to do:
- LAN users use the default gateway
- VPN VLAN users use the VPN gateway
What I cannot manage to do:
I'm trying to forward a port from the VPN client to one of the VPN VLAN computers. But I'm not able to establish any connection through this port forwarding.
When analyzing tcpdumps, I can see that incoming packets from the VPN client are correctly forwarded to the VLAN client, but outgoing packets from the VLAN client are going out from the WAN interface!
I can't figure out why this happens; the only rule for VLAN users is the "use-gateway" rule, and it's not respected...
Do you have any ideas where I could look?
Thanks a lot,
Quentin
13
General Discussion / Re: Captive Portal Restart After Hardware Reboot
« on: August 14, 2017, 04:23:29 pm »
Hello,
After some investigation on this, it seems that the PID file (/var/run/lighttpd-api-dispatcher.pid) is not cleaned up when a power outage occurs.
This file breaks the startup script of the Captive Portal.
I think that a simple check should be enough for this (checking that the PID is still alive).
Thanks,
Quentin Canel
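As an added example (not OPNsense's own start script), a POSIX sh function implementing the check suggested in the post: before launching the daemon, the PID file is treated as stale unless the PID it names is alive and, optionally, still runs the expected command, so a PID reused after a reboot is not mistaken for a running instance. The PID file path is the one named in the post; the function name and the `lighttpd` command name are assumptions.

```shell
#!/bin/sh
# PID file named in the post. After a power loss it survives on disk holding
# a PID that no longer exists (or, after enough reboots, one that now
# belongs to an unrelated process).
PIDFILE=/var/run/lighttpd-api-dispatcher.pid

# clear_stale_pidfile FILE [COMMAND]
#   returns 0 when it is safe to start: no file, a file holding garbage, or a
#            dead PID (the file is removed in the last two cases);
#   returns 1 when a live process owns the file, so the caller must not start
#            a second instance.
# COMMAND, if given, is compared with the live process's command name so a
# reused PID is not taken for the daemon (skipped when ps is unavailable).
clear_stale_pidfile() {
  pidfile=$1
  expected=$2
  [ -e "$pidfile" ] || return 0

  pid=$(tr -cd '0-9' < "$pidfile")      # digits only; anything else is garbage
  if [ -z "$pid" ]; then
    echo "$pidfile: unreadable, removing" >&2
    rm -f "$pidfile"
    return 0
  fi

  if kill -0 "$pid" 2>/dev/null; then
    if [ -n "$expected" ] && command -v ps >/dev/null 2>&1; then
      comm=$(ps -o comm= -p "$pid" 2>/dev/null)
      if [ "${comm##*/}" != "$expected" ]; then
        echo "$pidfile: PID $pid reused by '$comm', removing" >&2
        rm -f "$pidfile"
        return 0
      fi
    fi
    echo "$pidfile: PID $pid is still running" >&2
    return 1
  fi

  echo "$pidfile: PID $pid is gone, removing stale file" >&2
  rm -f "$pidfile"
  return 0
}

# Usage, as a start script would do it right before launching the daemon:
clear_stale_pidfile "$PIDFILE" lighttpd || echo "not starting: already running" >&2
```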
14
General Discussion / Re: [SOLVED] SoftEther VPN: A replacement for openVPN?
« on: August 14, 2017, 02:22:26 am »
Hello !
I've heard about SoftEther, and tried to configure it on my router.
As a simple test, I'm trying to build a bridged VPN to my LAN.
I can connect to the VPN using either the SoftEther client or SSTP fine, and I'm able to reach machines on my LAN. But I've not been able to reach the router itself this way...
I'm suspecting an ARP problem as the client appears this way on the ARP table:
" at (incomplete) on re1 expired [ethernet] "
On the LAN machines, the VPN client has its MAC address...
Are there some settings on OPNsense that may block this?
Thanks !
Quentin Canel
15
General Discussion / Re: Captive Portal Restart After Hardware Reboot
« on: August 13, 2017, 09:32:23 pm »
Hello,
Just to say that I'm experiencing the same behavior on my own configuration. In my case it's running on dedicated hardware.
Thanks,
Quentin