Messages - mxz

#1
Mine is still working nicely, even after a reboot (I applied the security upgrade this afternoon).

From what I can tell, all I had to do was set the default gateway for the interface on the interface itself, and then select that interface as the one to use in the firewall rule.
#2
Hmm, I added an "allow everything to everywhere" rule, and then was able to start pinging the devices from the outside. So I deleted that and my previous rules and went back through, making the rule more selective each time.

Currently the rule seems to be working fine (tested from a different location in case the firewall had remembered the previous session). Not sure what I did to make it work (or break it the first time round). Seems fine at the moment...
#3
Hi,

I read that issue but I felt mine might be a little different as the problem is that the traffic coming in over the tunnel is from public IP addresses. Any traffic coming in from internal IP addresses works fine. I've also put a box on LAN2 and it gets a public IP address and the selection of the tunnel gateway as the outbound gateway works perfectly.

So far, my issue only exists for connections originating over the tunnel that have a source of a public IP address. I'm trying to figure out how to make sure that return traffic goes via the interface it came in on, or alternatively let me specify that any traffic from my public range uses the tunnel gateway (which will always be true) regardless of direction.
#4
20.1 Legacy Series / Public IP range via a tunnel
March 06, 2020, 04:45:16 AM
Hi,

I've only recently started using OPNsense, but so far I'm super happy with it, it just works!

The issue I am having though is kinda interesting. I have a single WAN connection with the usual DHCP setup but I also have a small range of public IP addresses that get delivered to me over a tunnel. I have that range set up on its own internal interface (let's call it LAN2), and that seems to work well. From my LAN and from the other end of the tunnel, everything talks happily and mostly just works.

The problem though is when I get a request from the Internet at large. This comes over the tunnel, and the device on LAN2 receives it and responds but the response never makes it back to the sender. I believe it's because it's using the main Internet connection to route the traffic rather than sending it back down the tunnel. I tried creating a gateway for the IP at the other end of the tunnel, but I can't get it to work for my use case. If I allow incoming traffic on the tunnel interface and set the gateway to use the new tunnel gateway, the packets never make it to LAN2. I've tried splitting out the rules so that there's no "reply to" rule in the hope that I could approve the incoming traffic over the tunnel, but then explicitly allow incoming traffic from LAN2 and make it use the tunnel gateway, but alas that didn't work either.

So my question really is, what am I doing wrong? I can make this work easily in Linux by using multiple routing tables and doing policy-based routing on the source IP, but I don't think that's an approach that works with FreeBSD-based stuff.

Can anyone give me any pointers?

Thanks in advance!