22.1 Legacy Series / OpenVPN uses wrong source IP for firewall originated packages on VPN
« on: June 12, 2022, 08:30:21 pm »
Dear folks,
We have run into a small issue with a new 22.1 installation regarding the LAN interface.
We have the following configuration:
- The LAN interface is on igb0_vlan2
- LAN has an assigned IP address (say 192.168.1.1)
- Filtering is happening only on LAN interface
- Firewall "Shared forwarding" is enabled
Disabling makes no difference
- OpenVPN client connection is used
- Static route for OpenVPN is added to Routes
The problem is that the OPNsense device itself is unable to send any packages via VPN, including ICMP, because the incorrect source IP is used (0.0.0.0) instead of the LAN or OpenVPN IP.
- Client connections from LAN to OpenVPN work
- Connections from remote OpenVPN network to LAN work
- Connections from remote OpenVPN network to LAN interface IP work
> Connections from local device to OpenVPN connection fail
Here, the remote VPN gateway sees a source IP of 0.0.0.0 for the package, hence the connection fails
Specifying the source IP manually works well:
ping -S 192.168.1.1 <destination>
Now, this seems to be specific to the bridging configuration as we have multiple setups (albeit older OPNsense versions) running well in this setup, but they don't have a bridged LAN interface.
What settings are we missing to make this work? Maybe interface metric somewhere?
This is required for scheduled backups for us for example.
Any pointers are greatly appreciated.
I've updated the post, as having a non-bridged interface makes no difference.
I have only noticed that the VPN route has the "G" flag set and a gateway instead of link on the 18.1 version and it doesn't on 22.1:
192.168.0.0/16 link#11 US ovpnc1
192.168.0.0/16 192.168.x.x UGS ovpnc1
Any pointers would really help, thanks!
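The one concrete difference the post turns up is the VPN route's gateway column (link#11 with flags US on 22.1 versus a gateway address with UGS on 18.1). The following is an added diagnostic, not from the post or from OPNsense: it scans a FreeBSD "netstat -rn -f inet" style table and reports routes over ovpnc*/ovpns* interfaces that are link-scoped (no gateway, no G flag). The route tables below are constructed samples modelled on the two quoted lines; the gateway 192.168.100.1 and the 203.0.113.1 default gateway are placeholders.

```sh
#!/bin/sh
# Report OpenVPN routes whose gateway is a link#N entry instead of a gateway
# address (US rather than UGS), the difference observed in the post.
# Assumed input columns (FreeBSD netstat -rn -f inet): Destination Gateway Flags Netif Expire
check_vpn_routes() {
    # $1: route table text; returns 1 if any link-scoped OpenVPN route is found
    printf '%s\n' "$1" | awk '
        $4 ~ /^ovpn[cs][0-9]+$/ {
            if ($2 ~ /^link#/ || $3 !~ /G/) {
                printf "LINK-ONLY %s via %s (%s) on %s\n", $1, $2, $3, $4
                bad++
            } else {
                printf "OK        %s via %s (%s) on %s\n", $1, $2, $3, $4
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: shape of the 22.1 table from the post (link-scoped VPN route).
SAMPLE_22_1='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb1
192.168.0.0/16     link#11            US         ovpnc1
192.168.1.0/24     link#4             U          igb0_vlan2'

# Constructed sample: shape of the 18.1 table from the post (VPN route with a gateway).
SAMPLE_18_1='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb1
192.168.0.0/16     192.168.100.1      UGS        ovpnc1
192.168.1.0/24     link#4             U          igb0_vlan2'

# Stand-alone demo; on a live box replace the sample with "$(netstat -rn -f inet)".
if ! check_vpn_routes "$SAMPLE_22_1"; then
    echo "22.1-style table: OpenVPN route is link-scoped, matching the symptom in the post"
fi
check_vpn_routes "$SAMPLE_18_1" && echo "18.1-style table: OpenVPN route has a gateway"
```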