Messages - seb101

#1
Although this may have been fixed very recently... https://forum.opnsense.org/index.php?topic=22348.0
#2
Thanks.

Read through a few posts on the topic.  It looks like people have not quite solved it, as there appears to be a stumbling block if the internal IP of the VPN connection is dynamic (as it is with my VPN provider), meaning the IP of the gateway can change dynamically (and has to be automagically updated in the PBR firewall rules when it happens).  https://forum.opnsense.org/index.php?topic=9277.0

This is also a challenge in OpenWRT and you have to add some scripting to hotplug.d to ensure the route table is updated with the current gateway IP whenever the VPN interface goes up.   Is it possible to edit hotplug scripts in OPNSense to fix the PBR rules in a similar fashion?
#3
Hi all,

I'm once again considering migrating my x86 hardware router over to OPNsense from OpenWRT.  Can someone help me understand if the following feature is possible to implement in OPNsense?

What I have is several networks and have each network routed over several different connections to the internet via multiple VPN Tunnels.   I.e. Network A default route is over WAN (standard), Network B default route is VPN 1, Network C default route is VPN 2.   In effect this is the same as having multiple 'WAN' connections, but rather than using for fail-over, using them for specific internal networks.

A couple of other requirements:

- Some networks will still use the 'raw' non-VPN WAN
- Traffic must be two-way routable (i.e. inbound connections to the remote endpoint IP of a VPN tunnel must route to the matching network internally).
- Implementation must be strict - ALL non-local traffic goes over the requisite VPN connection.  If the specific VPN for that network is down, it simply fails.

I've seen this post here: https://forum.opnsense.org/index.php?topic=4979.0 however this is different as it deals with just routing specific IPs over a VPN.  I want to have whole networks routed over a specific VPN.

To achieve this in OpenWRT you have to create a secondary routing table and allocate the appropriate network to that routing table, i.e.:
1. Create secondary routing table VPN_A
2. Set the default route for VPN_A to the gateway IP and interface id of the VPN 'A' tunnel interface
3. Assign the local network to be routed to VPN 'A' to the new VPN_A routing table

Thanks.
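The three-step recipe in the post above, together with the dynamic-gateway problem raised in the earlier reply, as an added example (not code from the posts, from OpenWRT or from OPNsense): a POSIX sh script that rebuilds one LAN's policy-routing table and rules from scratch every time the tunnel comes up, so a changed gateway address simply replaces the old one. The table number 101, the 192.168.10.0/24 LAN, the 10.8.0.1 gateway, tun0 and the 192.168.0.0/16 "local" range are assumed values; in real use the gateway and device come from whatever brings the tunnel up, e.g. an OpenVPN --route-up script (OpenVPN exports them as $route_vpn_gateway and $dev) or a /etc/hotplug.d/iface script ($DEVICE). The one thing a plain "default route in a second table" recipe gets wrong is the strict requirement: if the tunnel drops and its route disappears, a packet that finds no match in table 101 falls through to the main table and leaves via the raw WAN. The extra "unreachable" rule below closes that leak.

```shell
#!/bin/sh
# Source-based policy routing of one LAN onto one VPN tunnel on OpenWrt/Linux (iproute2).
# Added example for this thread, not code from the posts. Table numbers, subnets,
# interface names and gateway addresses used here are assumed sample values.

# run: execute a command, or print it instead when DRY_RUN=1, so the generated
# rule set can be inspected (and tested) without root or a live tunnel.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# pbr_teardown TABLE LAN LOCAL_NETS...   removes exactly what pbr_apply adds.
pbr_teardown() {
    table=$1; lan=$2; shift 2
    prio=$((1000 + table))            # one priority band per table
    for net in "$@"; do
        run ip -4 rule del prio "$prio" from "$lan" to "$net" lookup main 2>/dev/null || :
    done
    run ip -4 rule del prio "$((prio + 1))" from "$lan" lookup "$table" 2>/dev/null || :
    run ip -4 rule del prio "$((prio + 2))" from "$lan" unreachable 2>/dev/null || :
    run ip -4 route flush table "$table" 2>/dev/null || :
}

# pbr_apply TABLE LAN GW DEV LOCAL_NETS...
# Call on every tunnel-up event. The gateway may differ each time, so the whole
# table and rule set is rebuilt rather than patched in place.
pbr_apply() {
    table=$1; lan=$2; gw=$3; dev=$4; shift 4
    prio=$((1000 + table))

    pbr_teardown "$table" "$lan" "$@"

    # (a) Traffic to the other local networks stays on the main table.
    for net in "$@"; do
        run ip -4 rule add prio "$prio" from "$lan" to "$net" lookup main
    done
    # (b) Everything else sourced from this LAN is looked up in the VPN table ...
    run ip -4 rule add prio "$((prio + 1))" from "$lan" lookup "$table"
    # (c) ... and if that table has no route (tunnel down, route withdrawn), this
    #     rule rejects the packet instead of letting the lookup fall through to the
    #     main table and out of the raw WAN. This is the "strict" requirement.
    run ip -4 rule add prio "$((prio + 2))" from "$lan" unreachable
    # (d) The table's only route: default via the tunnel's current gateway.
    #     "replace" makes the call idempotent when the gateway has not changed.
    run ip -4 route replace default via "$gw" dev "$dev" table "$table"
}

# Demo with constructed values; DRY_RUN=1 so it only prints the commands.
# Real use (e.g. from an OpenVPN --route-up script):
#   pbr_apply 101 192.168.10.0/24 "$route_vpn_gateway" "$dev" 192.168.0.0/16
if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1 pbr_apply 101 192.168.10.0/24 10.8.0.1 tun0 192.168.0.0/16
fi
```

Because the rules select on the source address, replies from a LAN host to a connection that arrived over the tunnel are routed back into the same tunnel, which covers the two-way requirement; the unreachable action (rather than blackhole) makes clients fail immediately rather than time out while the tunnel is down.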
#4
General Discussion / Replicating some OpenWRT Configs
August 01, 2019, 10:03:41 PM
Hi,

I'm migrating to OPNsense from OpenWRT.  I'm trying to set up my router like for like before I switch.  I'm mostly done but there are a few configs I can't work out how to replicate in OPNsense.  I'd appreciate any help.

Firstly, a few firewall rules related to IPv6 ICMP:

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'


How would those look in PF? 


Secondly, my OpenVPN server has been fine-tuned over the years.  Specifically I can't work out how to use tls-crypt (instead of tls-auth) or specify my cipher list through the GUI.  Do I just add these in as 'custom' config lines in the free-text box?


In general, do the 'advanced settings' free-text boxes on the config pages for services just expect config lines in the same format they would appear in the individual apps' native config files?  Are there any caveats/limitations?

Thanks a million!
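The three OpenWRT ICMPv6 rules from the post above translated into pf syntax, as an added example (not from the post, and not OPNsense's generated ruleset). "vtnet0" is an assumed WAN interface name. OPNsense writes pf.conf itself from the GUI, so in practice these become three WAN rules with protocol IPV6-ICMP and the ICMP types selected in the rule editor; the raw form is only useful for reading and for testing with pfctl -nf. Two things do not carry over one to one: pf keeps state by default, so replies and the ICMPv6 errors belonging to an existing state are passed on the state match and the echo-reply/unreachable entries only matter for unsolicited packets; and pf has no per-rule packet-rate limit for ICMP (max-src-conn-rate is TCP only), so the 1000/sec limit is dropped rather than approximated.

```pf
# Added example: pf translation of the OpenWrt Allow-MLD / Allow-ICMPv6-Input /
# Allow-ICMPv6-Forward rules. Not from the post or from OPNsense.
wan = "vtnet0"    # assumed WAN interface name

# MLD: 130 query, 131 report, 132 done, 143 MLDv2 report; link-local sources only.
mld_types  = "{ 130, 131, 132, 143 }"
# Error and echo messages every IPv6 node must accept (RFC 4890 4.3.1):
# 1 unreach, 2 too big, 3 time exceeded, 4/0 bad-header, 4/1 unknown-header-type,
# 128 echo request, 129 echo reply.
icmp6_must = "{ 1, 2, 3, 4 code 0, 4 code 1, 128, 129 }"
# Neighbour Discovery: 133 RS, 134 RA, 135 NS, 136 NA. Link-local, hop limit 255,
# so these are only ever meaningful to the firewall itself, never forwarded.
ndp_types  = "{ 133, 134, 135, 136 }"

# Allow-MLD
pass in quick on $wan inet6 proto ipv6-icmp from fe80::/10 to any \
    icmp6-type $mld_types keep state

# Allow-ICMPv6-Input: packets addressed to one of the firewall's own addresses
# ("self" expands to every address on every interface).
pass in quick on $wan inet6 proto ipv6-icmp from any to self \
    icmp6-type $icmp6_must keep state
pass in quick on $wan inet6 proto ipv6-icmp from any to self \
    icmp6-type $ndp_types keep state

# Allow-ICMPv6-Forward: transit traffic. Because the "to self" rules above are
# "quick", anything reaching this rule is destined for a host behind the firewall,
# and ND types are deliberately absent.
pass in quick on $wan inet6 proto ipv6-icmp from any to any \
    icmp6-type $icmp6_must keep state
```

The src_ip 'fe80::/10' restriction on the MLD rule is the part worth keeping exactly: MLD is a link-local protocol, and accepting those types from global sources is just extra attack surface on the router.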