General Discussion / How do I keep traffic coming in one gateway from going out the other?
« on: October 07, 2019, 09:58:34 pm »
I've got a firewall with multiple gateways: my ISP (the default), and a second gateway, an OpenVPN tun interface (a client connecting to a remote server).
I've configured the remote OpenVPN server to forward traffic from its public IP, through the VPN, to my OPNsense box, which then forwards it to an internal server. Logging and packet captures show that traffic is reaching the internal server.
I've also configured OPNsense policy-based routing (a firewall rule on the interface for the internal server) and outbound NAT rules so that any traffic originating from the internal server's IP address is sent out the OpenVPN gateway rather than the default gateway. Executing
    curl https://api.ipify.org/
on the internal server returns the OpenVPN server's public IP. So far, this all works as expected.
My problem is when the internal server responds to traffic coming in from the OpenVPN gateway. The traffic comes through the gateway and arrives as expected at the internal server, but packet captures show that the response from the internal server is sent back out through the default gateway, rather than going out through the OpenVPN gateway.
Desired:
public.yyy.zzz -> OpenVPN server -> OPNsense VPN client -> Internal Server -> OPNsense -> OPNsense VPN client -> OpenVPN server -> public.yyy.zzz
Actual:
public.yyy.zzz -> OpenVPN server -> OPNsense VPN client -> Internal Server -> OPNsense -> Default Gateway -> public.yyy.zzz
My understanding is that traffic that arrives on one gateway should automatically be replied to via the same gateway. What do I need to do to get responses to traffic on the OpenVPN gateway to go back out the same gateway? Or - why does the default route get used for responses instead of the policy route?
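The check behind the "packet captures show" statement above, written out as a small script: it correlates per-interface capture summaries and flags any flow whose reply left through a different interface than the one its request arrived on, which is exactly the asymmetric return path the post describes. This is an added example, not code from the post or from OPNsense. It assumes a constructed, simplified capture format (interface, direction, protocol, 5-tuple per line) rather than real tcpdump output, and the interface names ovpnc1 (OpenVPN client tun) and igb0 (ISP/default WAN) are illustrative assumptions.

```python
import re

# Constructed sample capture summary (not real tcpdump output): one line per
# packet as seen on the firewall, "<iface> <in|out> <proto> <src>:<sport> > <dst>:<dport>".
# Interface names are assumptions: ovpnc1 = OpenVPN client tun, igb0 = ISP/default WAN.
# The first flow is the problem case: request in via the VPN, reply out via the WAN.
SAMPLE_CAPTURE = """\
ovpnc1 in  TCP 203.0.113.10:51000 > 10.0.0.5:443
igb0   out TCP 10.0.0.5:443 > 203.0.113.10:51000
igb0   in  TCP 198.51.100.7:40000 > 10.0.0.5:80
igb0   out TCP 10.0.0.5:80 > 198.51.100.7:40000
ovpnc1 in  UDP 203.0.113.10:5000 > 10.0.0.5:53
ovpnc1 out UDP 10.0.0.5:53 > 203.0.113.10:5000
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent flow identifier: request and reply map to the same key."""
    endpoints = tuple(sorted([(src, int(sport)), (dst, int(dport))]))
    return (proto,) + endpoints


def parse_capture(text):
    """Yield (iface, direction, key) for each well-formed line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield m["iface"], m["dir"], flow_key(
            m["proto"], m["src"], m["sport"], m["dst"], m["dport"]
        )


def find_asymmetric_flows(text):
    """Return {key: (ingress_iface, egress_iface)} for flows whose reply left
    through a different interface than the one the request arrived on."""
    ingress, egress = {}, {}
    for iface, direction, key in parse_capture(text):
        table = ingress if direction == "in" else egress
        table.setdefault(key, iface)  # first packet seen in each direction wins
    return {
        key: (ingress[key], egress[key])
        for key in ingress
        if key in egress and ingress[key] != egress[key]
    }


if __name__ == "__main__":
    for key, (came_in, went_out) in find_asymmetric_flows(SAMPLE_CAPTURE).items():
        proto, (a, ap), (b, bp) = key
        print(f"asymmetric: {proto} {a}:{ap} <-> {b}:{bp} "
              f"in via {came_in}, out via {went_out}")
```

Run against the sample, only the HTTPS flow from 203.0.113.10 is reported (in via ovpnc1, out via igb0); the two control flows are symmetric and stay silent. To use it on a real box, produce one summary line per packet from captures taken on each interface and feed them in together; any flagged flow is one where the reply is not following the gateway the request came through.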