General Discussion / pfSense to OPNSense difference: Outbound NAT with Multi-VPN issues
« on: February 15, 2020, 05:50:45 pm »
Hi, I hope you’re all fine if I get straight to the point.
EDIT: After some more digging in the pf source code, I think I might have run into an edge case with OPNsense's way to establish NAT rules by using the (ifname:0) syntax instead of an IP address (as pfSense does). If I understand the code correctly, this particular way of creating NAT rules runs into a problem when multiple point-to-point interfaces (i.e. VPN and similar ones) sit in the same subnet. In this case, only one of these interfaces will have proper routes established. Because of a workaround for ppp connections implemented in pf_if.c, pf will fail to do NAT properly for the other point-to-point interfaces as they lack the routes. As a starting point, see https://github.com/HardenedBSD/hardenedBSD-stable/blob/4b7aa7e714f8e605d92664b99043ea558da56bfb/sys/netpfil/pf/pf_if.c#L532 and the end of this post for more details.
If you have a setup with multiple VPN connections / Multi-WAN and trouble getting policy-based routing and outbound NAT to work properly, have a look at the GitHub issue below, maybe you're running into that edge case.
I have opened a properly documented bug report for OPNsense on GitHub which can be found here: https://github.com/opnsense/core/issues/3936 and have therefore removed the original description as it would be redundant.
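As an added diagnostic (not from the original post or the OPNsense project), the following Python script parses FreeBSD-style `ifconfig` output and lists point-to-point interfaces that share one subnet, which is the condition the post describes. The interface names and addresses are constructed sample data, not taken from a real system.

```python
import re
from ipaddress import IPv4Interface

# Constructed FreeBSD-style ifconfig output: two OpenVPN point-to-point
# interfaces share 10.8.0.0/24, a third sits in its own subnet, em0 is LAN.
SAMPLE_IFCONFIG = """\
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.8.0.2 --> 10.8.0.1 netmask 0xffffff00
ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.8.0.6 --> 10.8.0.5 netmask 0xffffff00
ovpnc3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.9.0.2 --> 10.9.0.1 netmask 0xffffff00
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
"""

IFACE_RE = re.compile(r"^(\S+): flags=\w+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\S+)(?: --> \S+)? netmask (0x[0-9a-f]+)")

def parse_ifconfig(text):
    """Return {ifname: IPv4Interface} for point-to-point interfaces only."""
    p2p = {}
    current, is_p2p = None, False
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            is_p2p = "POINTOPOINT" in m.group(2).split(",")
            continue
        m = INET_RE.match(line)
        if m and current and is_p2p:
            mask_bits = bin(int(m.group(2), 16)).count("1")  # hex mask -> prefix length
            p2p[current] = IPv4Interface(f"{m.group(1)}/{mask_bits}")
    return p2p

def shared_subnets(p2p):
    """Group point-to-point interfaces by network; keep only groups of size > 1."""
    by_net = {}
    for name, addr in p2p.items():
        by_net.setdefault(addr.network, []).append(name)
    return {str(net): sorted(names) for net, names in by_net.items() if len(names) > 1}

def report(text):
    groups = shared_subnets(parse_ifconfig(text))
    for net, names in groups.items():
        print(f"{net}: {', '.join(names)} share one subnet; only one of them "
              "may get a route, so '(ifname:0)' outbound NAT can fail here")
    return groups
if __name__ == "__main__":
    report(SAMPLE_IFCONFIG)
```

On a live box, feed it `ifconfig` output instead of the constructed sample; any group it prints is a candidate for the edge case in the GitHub issue above.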