Messages - crash

#1
so here is my network:



vps is running ubuntu server and I'm running ospf on all of the nodes.

What I want to do is to forward all traffic on specific ports to my local mail server, which I have done by running this command on my vps:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 25,110,143,465,587,993,995,4190  -j DNAT --to-destination x.x.x.1

However, I'm not sure how I should do the return path on opnsense so that packets originating from x.x.x.1 (port range above) are sent out via the vps's public ip (z.z.z.z).

The best thing that I can think of is to set a second ip on my vps's wan interface (eth0) with a local ip (say 192.168.20.1/24) and set that IP as a gateway for specific traffic originating from x.x.x.1, but it doesn't work, unfortunately.

do note I have put the gw on LAN, the reason being I want it to be independent of tunnel interfaces (so I can have one rule doing all the work).


any tips would be appreciated.
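As an added example (not part of the original post or of any OPNsense/ZeroTier project code), here is a small shell script that prints, or with APPLY=1 applies, a complete ruleset for the forwarding described above: the DNAT rule from the post, plus the two pieces it is missing for the return path and for exposure control. The assumptions are that the VPS's public interface is eth0, that the tunnel interface toward OPNsense is called tun0 (a placeholder, since the post does not name it), and that z.z.z.z / x.x.x.1 are the placeholder addresses used in the post. The MASQUERADE rule on the tunnel interface rewrites the source of the forwarded connections to the VPS's tunnel address, so the mail server's replies are routed back to the VPS over the tunnel regardless of the default gateway on the OPNsense side; the FORWARD rules accept only the NATed ports and their return traffic and drop everything else coming in from the public side.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: eth0 (public
# interface), z.z.z.z (VPS public IP), x.x.x.1 (internal mail server),
# tun0 (assumed name of the tunnel interface toward OPNsense).
# Without APPLY=1 the rules are only printed; with APPLY=1 they are executed.

PUB_IF="${PUB_IF:-eth0}"
MAIL_IP="${MAIL_IP:-x.x.x.1}"
TUN_IF="${TUN_IF:-tun0}"
MAIL_PORTS="25,110,143,465,587,993,995,4190"

# Print one complete iptables invocation per line.
mail_forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp -m multiport --dports $MAIL_PORTS -j DNAT --to-destination $MAIL_IP
iptables -t nat -A POSTROUTING -o $TUN_IF -d $MAIL_IP -p tcp -m multiport --dports $MAIL_PORTS -j MASQUERADE
iptables -A FORWARD -i $PUB_IF -o $TUN_IF -d $MAIL_IP -p tcp -m multiport --dports $MAIL_PORTS -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $PUB_IF -s $MAIL_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $PUB_IF -o $TUN_IF -j DROP
EOF
}

# Number of rules the ruleset contains (used by the self-check below).
mail_forward_rule_count() {
    mail_forward_rules | wc -l | tr -d ' '
}

# Print each rule, or run it when APPLY=1 is set in the environment.
apply_mail_forward_rules() {
    mail_forward_rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then
            # The rule lines contain no quoting, so word splitting is safe here.
            # shellcheck disable=SC2086
            $rule
        else
            echo "$rule"
        fi
    done
}

apply_mail_forward_rules
```

The price of the MASQUERADE rule is that the mail server logs every connection as coming from the VPS's tunnel address instead of the real client, which weakens per-client rate limiting and spam reputation checks on the mail server; keeping the original source address requires the policy-routing approach the post is asking about (a reply-to gateway on the OPNsense side that sends x.x.x.1's replies for these ports back through the tunnel), in which case the POSTROUTING rule is dropped and the FORWARD rules are kept as they are.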

#2
Quote from: doktornotor on November 16, 2023, 07:08:12 PM
- You need a separate IP for monitoring for each and every WAN which (randomly) shares the same GW.
- Public DNS servers may be rate-limiting pings -- because they are not ping servers.

Other than that, good luck.
I have a different IP on each separate WAN already.
and I never had issues with using public dns servers for gateway monitoring.
#3
Gateway monitoring uses different public dns IPs for their monitoring address.

However, if I have all the pppoe wans up and let's say 2 share the same upstream gateway IP, and I put this gateway group as my LAN's gateway in firewall rules, I get intermittent internet on lan clients (websites load now, and a second later you can't load any websites (or ping anywhere) for a few seconds, and this cycle repeats), until I disable the gateways sharing the same upstream IP and things start working again.

and no, no MLPPP here.
#4
so, I have multiple lines from the same ISP for WAN. They all use pppoe and get assigned a random IP and gateway, and most of the time there are two or more lines sharing the same upstream gateway address (the interfaces themselves have different addresses but the same IPv4 gateway).
I have set up MultiWAN according to the wiki but I was having some random timeout issues.
after looking around it seemed that multiwan with the same gateway ip is not possible, HOWEVER I have also found (on the pfsense wiki) that pppoe is an exception to that rule.

so Is this an opnsense only issue?

or I'm just doing something wrong.
#5
General Discussion / site to site vpn with frr.
October 14, 2023, 10:28:28 PM
hey,
so I have two opnsense boxes
siteA:10.5.0.0/24 (pppoe WAN)
siteB:10.10.0.0/24 (dhcp NATed WAN)
in each site I have some other subnets as well (say for example 172.16.0.0/24 + 192.168.160.0/24 in siteA and 172.18.0.0/24 + 172.168.5.0/24 in siteB).

what I'm looking for is to connect the sites together with a site to site vpn and have the routes to the different networks distributed between them (so any site can access any subnet).

rn I have a ZT tunnel between sites and tried dynamic routing via ospf, but for some reason the tunnel flaps (the tunnel comes up but after a minute or so gets disconnected, then reconnects and the cycle repeats; this happens with OSPF ENABLED on the zt interface).
I tried adding some route maps (to prevent routes to wan being distributed) but was not successful.

what is the correct approach to doing the above?

ospf conf:
Current configuration:
!
frr version 8.5.3
frr defaults traditional
hostname siteA.*
log syslog
!
interface lo0
....(all interfaces except zt set as passive)

exit
!
interface zt********
ip ospf area 0.0.0.1
ip ospf network point-to-point
exit
!
router ospf
ospf router-id 10.5.0.1
redistribute connected
exit
!
end


siteB conf is the same with a different router id.


- zt interface network is 172.25.0.0/16
- zt interface has routes set like so (in zt website):
10.5.0.1 via 172.25.0.1(siteA zt IP)
10.10.0.1 via 172.25.0.2(siteB zt IP)
#6
so I have successfully set up a zerotier site to site connection between two opnsense boxes.
by setting a static route the tunnel works fine, however if I enable ospf, both routers see each other and exchange routing info but the link times out periodically.
like this:


and its pretty much unusable.

I kept digging but couldn't find anything in the ospf logs or firewall logs.

here is the ospf conf:

siteA:

Current configuration:
!
frr version 8.5.3
frr defaults traditional
hostname siteA.*
log syslog
!
interface lo0
....(all interfaces except zt set as passive)

exit
!
interface zt********
ip ospf area 172.25.0.0
ip ospf network point-to-point
exit
!
router ospf
ospf router-id 10.0.1.1
redistribute connected
exit
!
end

SiteB:
Current configuration:
!
frr version 8.5.3
frr defaults traditional
hostname siteB.*
log syslog notifications
!

interface lo0
....(all interfaces except zt set as passive)

exit
!
interface zt*******
ip ospf area 172.25.0.0
ip ospf network point-to-point
exit
!
router ospf
ospf router-id 10.1.1.1
redistribute connected
exit
!
end


note:
I have set routes to internal lan nets on zt website. (so 172.25.0.1 is the gateway to siteA lan and 172.25.0.2 is the gateway to siteB lan)
zt conf :



what could cause this?
it seems ospf distributes wrong routes, tunnel times out, gets reconnected, and the cycle continues.
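The two posts above (the site to site vpn with frr thread and this one) use `redistribute connected` with no route-map, which announces every connected prefix, including the 172.25.0.0/16 ZeroTier overlay and the WAN/pppoe networks, through the tunnel itself. Once a router learns a path toward the other site's WAN side via the overlay, the ZeroTier underlay traffic can be pulled into the tunnel it carries, which is the textbook cause of a tunnel that comes up, exchanges routes and then drops. As an added example (not from the posts and not OPNsense or FRR project code), the function below renders an FRR ospfd configuration in which only the site's own LAN prefixes pass the redistribution route-map. Assumptions: the ZeroTier interface name is passed in (the posts mask it as zt********), area 0.0.0.0 is used instead of the 0.0.0.1 / 172.25.0.0 areas of the posts, and the prefix-list permits exact LAN prefixes only.

```shell
#!/bin/sh
# Added example, not from the original posts. Renders an FRR ospfd config
# whose "redistribute connected" is filtered by a prefix-list so that the
# ZeroTier overlay (172.25.0.0/16) and the WAN networks are never announced
# through the tunnel. Interface name and area are assumptions, see lead-in.
#
# usage: render_ospf_config ROUTER_ID ZT_IFACE LAN_PREFIX [LAN_PREFIX...]
render_ospf_config() {
    router_id="$1"
    zt_if="$2"
    shift 2
    seq=10
    echo "!"
    # Permit each LAN prefix exactly; everything else (overlay, WAN) is denied.
    for prefix in "$@"; do
        echo "ip prefix-list LAN-ONLY seq $seq permit $prefix"
        seq=$((seq + 10))
    done
    echo "ip prefix-list LAN-ONLY seq $seq deny 0.0.0.0/0 le 32"
    echo "!"
    echo "route-map REDIST-LAN permit 10"
    echo " match ip address prefix-list LAN-ONLY"
    echo "exit"
    echo "!"
    # Only the tunnel interface forms adjacencies; everything else is passive.
    echo "interface $zt_if"
    echo " ip ospf area 0.0.0.0"
    echo " ip ospf network point-to-point"
    echo "exit"
    echo "!"
    echo "router ospf"
    echo " ospf router-id $router_id"
    echo " passive-interface default"
    echo " no passive-interface $zt_if"
    echo " redistribute connected route-map REDIST-LAN"
    echo "exit"
    echo "!"
}

# Sample invocation with the siteA values from the posts; zt_siteA is a
# constructed placeholder for the masked interface name.
render_ospf_config 10.5.0.1 zt_siteA 10.5.0.0/24 172.16.0.0/24 192.168.160.0/24
```

The same function renders siteB by passing its router id, its zt interface name and its own subnets (10.10.0.0/24, 172.18.0.0/24, 172.168.5.0/24); after loading the output via vtysh, `show ip ospf database external` on either box should list only the other site's LAN prefixes, and a 172.25.0.0/16 or WAN entry appearing there is the signal that a prefix slipped past the filter.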
#7
hey,
So I was wondering if something like what I have in mind is even a thing, take the network here for example (assume all clients and opnsense are on the same subnet and opnsense is set as the default GW):



can I manage traffic flow rules between clients through opnsense?
I.e. can I block "Client A" from being able to talk to "Client B"?

I do know switching is done at the switch itself (so in the "A talking to B" scenario almost all (if not all) of the data passes through the switch itself and doesn't go to the opnsense box (acting here as a firewall+router)),

So is there a way to set a routing rule on my opnsense box that my switch will respect (like, is there a protocol or something that I can set on my mikrotik switch to follow routing rules from up above?)

do I have to get into different routing protocols like OSPF or something?

I don't want everything to pass through the opnsense box, just the switch to follow some rules.
#8
20.1 Legacy Series / Multiple Wan>>Lan pipes
July 12, 2020, 08:14:04 AM
hey everyone,
so here is what I have right now:

I have two WANs (each is a pppoe link, both are from the same isp so the gateway ip on both is the same but the wan ip itself is different for each WAN)

I also have two LANs,
What I'm looking for right now is:
WAN1 >> LAN1
WAN2 >> LAN2

so basically two Networks.

I tried achieving this by setting a gateway for each of the WANs and then, via the firewall rules of LAN1 and LAN2, setting the gateway on the default allow rule to WAN1 and WAN2 respectively...

the problem is that lan2 does not work (I can't even ping the firewall itself unless I specify a fw rule for it), traceroute shows only 1 hop and that's asking the fw for a response.

here is my gateways page: (both WAN1 and WAN2 have the same GW ip)



My FW rules:

LAN1



LAN2



trace route from lan2:


note: even if I set WAN2 as a gateway for LAN1 it doesn't work.

the thing is, it worked for a little while last night, now it doesn't work at all so obviously something is wrong.

it seems to me the system wants to have a default gw at all times (only one) and it really doesn't like what I'm doing.

note:
LAN1net is 192.168.0.0/24
LAN2net is 192.168.1.0/24

any help would be appreciated.


#9
what steps do you recommend for troubleshooting this?

I watched some firewall logs and it boiled down to the fact that no one on the other subnet is responding (192.168.100.0)
which got me confused because if I ping 192.168.100.1 from opnsense with the source set as the 192.168.100.0 net I get responses back...
so 192.168.100.1 is responding on the x.x.100.0 network...
#10
I think we have some misunderstanding here...
my sole goal is to have unrestricted access to a different subnet...
a different subnet can be my modem <192.168.100.0> or my LAN2 <192.168.1.0>...
from what I understand this firewall rule:

   source         destination      policy
   192.168.0.0    192.168.100.0    allow

should grant my lan <192.168.0.0> access to <192.168.100.0> but it doesn't work...

what could be the culprit here? is there a different setting that I also have to do?
#11
shameless bump...

I've been searching the web and I still don't know why I can't access different subnets...
#12
Quote from: hbc on August 24, 2019, 11:11:23 PM
Did you allow private networks on WAN?

Else you can check the other threads with the same problem: https://forum.opnsense.org/index.php?topic=12094.msg55343#msg55343
no, why would I do that?

wan is its own interface with pppoe and wan_modem is its own...

as stated in the OP, yes I have read the forum and googled about it; my situation is a bit different because of having 2 independent wan/lans, therefore not using the default gateway...
#13
hey everyone, straight to the point...
this is my network setup:
dsl1(192.168.100.0/24)>pppoe1>wan gateway>lan(192.168.0.0/24)
dsl2(192.168.200.0/24)>pppoe2>wan gateway2>lan2(192.168.1.0/24)

as the title says, what I want to do is to access the dsl modems, or simply be able to talk to <192.168.100.0> and <192.168.200.0> from my lan (192.168.0.0)...

as I have two different gateways, using the outbound NAT rule in the firewall doesn't work... (that I found out before in pfsense)...
the thing is, on pfsense with some simple allow rules in the firewall (allow access to <wan1modem net (192.168.100.0/24)> from lan) it would work and I had access to the modems, but the same setup doesn't work on opnsense for some reason...

I did some googling, couldn't find anything useful, some help would be appreciated...

some additional info:
interfaces:
lan net       > 192.168.0.0/24
lan2 net      > 192.168.1.0/24
wan           > pppoe1
wan2          > pppoe2
wan1modem net > 192.168.100.0/24
wan2modem net > 192.168.200.0/24

modem 1 has static ip of 192.168.100.1
modem 2 has static ip of 192.168.200.1

I want access from lan net to wan1modem net and wan2modem net...