Messages - QuentinC

#1
Thanks, here it is!
https://github.com/opnsense/core/issues/2522

Have a nice day!
#2
Any idea?

Should I move this thread or create an issue on GitHub?

Thanks,

Quentin
#3
Hello,

I am working on the configuration of some router using OPNsense.
Here is the desired behavior:
- Two internal VLANs: one "direct" and the other "secure".
- Two "WANs": the main one on the internet (IPv4 & IPv6), and the other is an OpenVPN client (to AirVPN).

I want to redirect the "direct" lan to the main WAN, and the "secure" lan to the VPN client.

Here is the issue:
I cannot make this work in IPv6.

Let me explain:
- IPv6 works perfectly for the "direct" lan, the clients are on a /64 public subnet and the routing is working fine.
- IPv4 works perfectly on both LANs, using NAT with a /24 subnet for the "direct" lan, and redirect gateway to OpenVPN for the "secure" lan.

But:
- IPv6 never gets out when coming from the "secure" lan to the vpn.

Here is what I have found while digging into the issue:
- The VPN client works correctly both in IPv4 and IPv6.
- I can make this configuration work by manually setting IPv6 addresses on the VPN interface (using xxxx:xxxx::1 for the gateway, and the VPN assigned IP for the interface IP).
- It seems that, on VPN connect, the IPv6 settings are not assigned to the interface (like it's done for IPv4).

Am I right?

Thanks a lot,

Quentin
#4
Hello,

I'm using an OPNsense box at home, to provide me two VLANs from my LAN (guests and sandbox VLANs).
I only use one Ethernet interface, where untagged traffic is LAN and two VLANs are defined. Traffic is managed by a Netgear switch. The LAN router is NOT the OPNsense box, but the main home router, on the LAN network.

Everything works correctly in IPv4. LAN computers can reach the OPNsense box correctly. Guest users and sandbox users access the internet using OPNsense (with the LAN IP as the output IP - NAT on the LAN interface).

I currently have a very strange behavior in IPv6.
I have made a /64 delegation for sandboxed clients. It's working fine. No IPv6 for guest clients.
But I'm not able to reach the OPNsense from the LAN... I can reach it from the WAN, but it seems that the ICMP response for the LAN client is sent to the WAN gateway...

Here is a simple tcpdump capture:
01:15:51.616287 xx:xx:xx:xx:xx:89 (oui Unknown) > xx:xx:xx:xx:xx:cb (oui Unknown), ethertype IPv6 (0x86dd), length 94: xx::xx:ad47 > opnsense.xx: ICMP6, echo request, seq 460, length 40
01:15:51.616340 xx:xx:xx:xx:xx:cb (oui Unknown) > xx:xx:xx:xx:xx:3c (oui Unknown), ethertype IPv6 (0x86dd), length 94: opnsense.xx > xx::xx:ad47 ICMP6, echo reply, seq 460, length 40
01:15:51.616547 xx:xx:xx:xx:xx:3c (oui Unknown) > xx:xx:xx:xx:xx:cb (oui Unknown), ethertype IPv6 (0x86dd), length 190: fe80::xx:c3c > opnsense.xx: ICMP6, redirect, xx::xx:ad47 to xx::xx:ad47, length 136


Here is how I understand it:
- The LAN client sends the ping request
- The OPNsense box sends the reply to the wrong MAC address (the LAN gateway one), but the correct IP address.
- The LAN router sends an IPv6 redirect to the OPNsense

--> Nothing comes back to the LAN client...

I'm thinking about something wrong in the routing table, but a ping from the OPNsense to the LAN client works...

I'm looking for some ideas about how to diagnose the issue...

Thanks,

Quentin
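The check done by eye on the capture above (is the echo reply sent toward the MAC that sent the echo request, and does an ICMPv6 redirect follow?) can be automated over `tcpdump -e` output. This is an added Python example, not part of the original post; the capture lines are constructed in the same format with documentation addresses and locally administered MACs.

```python
import re
from typing import Dict, List, Tuple

# tcpdump -e line for ICMPv6: link-layer MACs, then IPv6 addresses, then the
# ICMP6 message type and, for echo messages, the sequence number.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) \(oui [^)]*\) > "
    r"(?P<dmac>[0-9a-f:]{17}) \(oui [^)]*\), ethertype IPv6 \(0x86dd\), "
    r"length \d+: (?P<sip>\S+) > (?P<dip>\S+?):? ICMP6, "
    r"(?P<kind>echo request|echo reply|redirect)(?:, seq (?P<seq>\d+))?"
)

# Constructed sample: seq 460 reproduces the reported symptom (reply leaves
# toward the LAN router's MAC ...:3c, which then sends a redirect); seq 461
# shows a healthy exchange where the reply goes straight back to ...:89.
SAMPLE_CAPTURE = """\
01:15:51.616287 02:00:00:00:00:89 (oui Unknown) > 02:00:00:00:00:cb (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8:1::ad47 > 2001:db8:1::1: ICMP6, echo request, seq 460, length 40
01:15:51.616340 02:00:00:00:00:cb (oui Unknown) > 02:00:00:00:00:3c (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8:1::1 > 2001:db8:1::ad47: ICMP6, echo reply, seq 460, length 40
01:15:51.616547 02:00:00:00:00:3c (oui Unknown) > 02:00:00:00:00:cb (oui Unknown), ethertype IPv6 (0x86dd), length 190: fe80::3c > 2001:db8:1::1: ICMP6, redirect, 2001:db8:1::ad47 to 2001:db8:1::ad47, length 136
01:15:52.616287 02:00:00:00:00:89 (oui Unknown) > 02:00:00:00:00:cb (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8:1::ad47 > 2001:db8:1::1: ICMP6, echo request, seq 461, length 40
01:15:52.616340 02:00:00:00:00:cb (oui Unknown) > 02:00:00:00:00:89 (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8:1::1 > 2001:db8:1::ad47: ICMP6, echo reply, seq 461, length 40
"""


def audit_icmp6_capture(capture: str) -> List[str]:
    """Flag echo replies whose destination MAC differs from the MAC that sent
    the matching echo request (asymmetric L2 path), and any ICMPv6 redirects."""
    requests: Dict[Tuple[str, str, str], str] = {}  # (src IP, dst IP, seq) -> src MAC
    findings: List[str] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ICMPv6 line we understand; skip it
        f = m.groupdict()
        if f["kind"] == "echo request":
            requests[(f["sip"], f["dip"], f["seq"])] = f["smac"]
        elif f["kind"] == "echo reply":
            requester_mac = requests.get((f["dip"], f["sip"], f["seq"]))
            if requester_mac and requester_mac != f["dmac"]:
                findings.append(
                    f"seq {f['seq']}: reply to {f['dip']} sent to MAC {f['dmac']}, "
                    f"but the request came from MAC {requester_mac}"
                )
        else:  # redirect: a neighbour router thinks the reply took a detour
            findings.append(f"{f['ts']}: ICMPv6 redirect from {f['sip']} to {f['dip']}")
    return findings


if __name__ == "__main__":
    for finding in audit_icmp6_capture(SAMPLE_CAPTURE):
        print(finding)
```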
#5
Hello,

I'm bumping this post as I still have the issue, and I can't figure out how to solve it...

I'll try to explain what I'm trying to do:

Here is my network:
                                                       +------------------+
                                    +----VLAN 1--------+Server on main lan|
                                    |                  +------------------+
                                    |
           +-------+     +----------+--------+
           |  WWW  +-----+  OPNsense router  |
           +--+----+     +----------+--------+
              |                     |
              |                     |                  +-----------------+
+-------------+--+                  +----VLAN 2--------+Server behind VPN|
|  VPN Provider  |                                     +-----------------+
+----------------+


My router is running an OpenVPN client to some VPN provider on the internet. I have locally two VLANs, one with direct access to the internet, and the other one (VLAN 2) that accesses the internet via the VPN client.

Now, what is working:
VLAN 1 server can access the internet without any issue. Port forwarding from the internet interface to VLAN 1 server works well too.
VLAN 2 server can access the internet without any issue. All VLAN 2 traffic is sent on the VPN connection to the VPN provider, using a "specific gateway" rule. So the server on VLAN 2 has the VPN provider's outside IP. But the VPN provider gives me one forwarded port (from its outside IP address to the VPN client address). I want to forward this port to the server behind VPN.

I'm using output NAT on both the internet interface and the VPN client interface.

What is NOT working:
When doing a port forwarding check, I can't connect to the server behind VPN from the internet.
What the tcpdumps are showing:
- TCP connection comes to the VPN client interface.
- It is forwarded to the server behind VPN
- The server answers to the request
- The answer is routed to the VPN client interface. BUT at this moment, the output NAT is not applied. I mean that I can see the "local server IP > remote host" sent on the ovpnc1 interface.
- The answer never reaches the remote host.


Note:
When making an HTTP test from the server behind VPN, the output NAT is working, and the request succeeds. The problem only occurs when answering a forwarded request.

I hope that someone here will have an idea to help me find the issue...

Thanks,

Quentin
#6
Well, the basic fact (excluding this port-forwarding detail) is that I want to have a local subnet of clients accessing the internet through one OpenVPN connection of my router. I don't want my clients to have to deal with OpenVPN. It must be transparent for them.

The great thing is that this is working very well!
I can instantly switch from "normal direct internet" to "VPN routed internet" just by switching VLAN!

Now, my VPN provider (PIA VPN, an online VPN provider), gives me one forwarded port. This port is redirected from the outside IP of their servers to my client, here my router.
I'm just trying to redirect that port to one of the machines on the VLAN configured for VPN routed internet...
#7
Okay, sorry if I wasn't very clear in my messages :)

My VPN provider is PIA VPN, so the servers are on the Internet. Here, 12345 is an example port. They are providing me an API to get the forwarded port (that may change). Right now my forwarded port is 39856.

To explain what I'm calling the VPN hosts:
I'm using several VLANs, one DMZ for my servers, one LAN for my computers, and one for the "VPN" computers, that should go on the internet using the VPN connection.

All my VLANs are on the 10.14.0.0/16 subnet.
10.14.20.0/24 is the VPN VLAN subnet, with the router on .1 and my "port-forwarded listener" being on .2.

I hope that I've been clear enough :S

Thanks,

Quentin
#8
Not at all.

My VPN provider gave me this port as the "forwarded port".
The host 10.14.20.2 is the server on my LAN (with the router as default gateway: 10.14.20.1) and 10.10.10.1 is the gateway sent by OpenVPN.

For now, all I can say is that the port forwarding on the VPN side is working (I can see incoming TCP connections), and the route-to rule is working too (the host on the LAN has the VPN outside IP address on the internet).
#9
Hello!

Thanks for your answers.
I've started to make some more tcpdumps to analyse them with Wireshark.

One strange thing that I can see in the rules file, here is the "pass" rule for my port forwarding:
pass in  quick on ovpnc1 reply-to ( ovpnc1 10.10.10.1 )  inet proto {tcp udp}  from {any} to {10.14.20.2}  port 12345 label "USER_RULE: NAT "

This is the only rule that doesn't have the "keep state" flag. Can't this be my problem?

Thanks!
#10
Hello,

Still the same problem for me...
I think that it could be a problem with the "Reply-to" flag...

How can I view these flags using some tcpdumps?

Thanks a lot!

Quentin
#11
Works perfectly for me, thanks! :)
#12
Hello,

I'm trying to configure some port-forwarding on my router without any success...

Here is my situation:
A simple configuration: 1 WAN, 1 LAN to start with.
On top of this, I have one VPN client and one VLAN (over the LAN port) for VPN users.

What I've succeeded in doing:
- LAN users use the default gateway
- VPN VLAN users use the VPN gateway

What I cannot succeed in doing:
I'm trying to forward some port from the VPN client to one of the VPN VLAN computers. But I'm not able to establish any connection through this port forwarding.

When analyzing tcpdumps, I can see that incoming packets from the VPN client are correctly forwarded to the VLAN client, but outgoing packets from the VLAN client are going out from the WAN interface!

I can't figure out why this happens; the only rule for VLAN users is the "use gateway" rule, and it's not respected...

Do you have any ideas of where I can look?

Thanks a lot,

Quentin
#13
Hello,

After some investigation on this, it seems that the PID file (/var/run/lighttpd-api-dispatcher.pid) is not cleaned when power outage occurs.
This file breaks the startup script of the Captive Portal.

I think that a simple check should be enough for this (checking that the PID is still alive).

Thanks,

Quentin Canel
#14
Hello!

I've heard about SoftEther, and tried to configure it on my router.
As a simple test, I'm trying to build a bridged VPN to my LAN.

I can connect to the VPN using either the SoftEther client or SSTP fine, and I'm able to reach machines on my LAN. But I've not been able to reach the router itself this way...

I'm suspecting an ARP problem as the client appears this way on the ARP table:
"  at (incomplete) on re1 expired [ethernet] "

On the LAN machines, the VPN client has its MAC address...

Are there some settings on OPNsense that may block this?

Thanks!

Quentin Canel
#15
Hello,

Just to say that I'm experiencing the same behavior on my own configuration. In my case it's running on a dedicated hardware.

Thanks,

Quentin