Messages - TXTad

#1
Quote from: Monviech (Cedrik) on October 03, 2023, 11:37:04 AM...
ATTENTION:
- With this setup, all filter rules (firewall rules) will match on the ipsecXX interfaces. NOT on the enc0 interface. All filtering on the enc0 was disabled, so policy based tunnels won't have firewall anymore.

The instructions say to add rules to "Firewall -> Rules -> IPsec", but I think they mean "Firewall -> Rules -> IPSECnn", which makes sense.

Quote
- Please either use only VTI or only ENC0 tunnels, mixing them will leave one of them unable to filter in the firewall.

Is this still a thing? If so, then it's simply not possible to migrate your tunnels one at a time?
#2
Never mind... I had never noticed the tabs before at the top of the Services -> Dynamic DNS -> Settings page.
#3
How do you, "[change] the backend method from ddclient to native"?
#4
Howdy!

I've had htop installed on my OPNsense machine for a while, but after upgrading to 22.7.3_2, it seems to no longer be available. Was it removed on purpose? Is there a similar alternative?

Thanks,
Tad
#5
21.1 Legacy Series / IPSec to Double NAT on Firewall
March 02, 2021, 07:27:47 AM
Hello!

I have an IPSec VPN established with NAT before IPSec working as described here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html

As a result, traffic that comes into my site appears to come from the far side 1:1 NAT that their addresses are translated to before the traffic enters the tunnel. Traffic that arrives at one of my private servers sees a "foreign" IP address making a request, and responses correctly end up back in the tunnel due to the straightforward routing rules that are implicitly created by this setup.

I also have other private networks on my side that I may need to route traffic to. These networks are in a different data center, but have different private networks, so routing handles the traffic between these data centers. However, this routing will drop any packet that has an IP on a network that the hosting company doesn't recognize. This leaves me unable to route traffic from this VPN to the other data center, since the virtual network isn't one that the host accepts and I cannot change the virtual network IP range on my end because of considerations for the remote VPN host.

The 1:1 NAT uses an RFC 1918 subnet that I obtained from my hosting company specifically to use as the "Internal IP" network of the 1:1 NAT. I can assign IPs from this network to any server that is locally behind my OPNsense firewall and traffic flows as expected, though again with the tunnel remote IPs (the "Destination IP" network of the 1:1 NAT) being visible to the target server.

Anything I've tried to "double NAT" this traffic to another subnet, hoping to end up with the private subnet of the 1:1 NAT as the source IP hasn't worked. I've tried running a 1:1 NAT behind the first, as well as port forward NATs.

I'm not even sure what to call this to try to search for some answers, or even if there is some much better solution that I haven't considered.

Does anyone have any thoughts?

Thanks!
#6
The secret sauce was the SPD entry. The non-obvious part was that 10.0.0.15/32 is what goes in that field.

The other part I was missing was the 1:1 NAT with 2.2.2.2 as the External IP, 10.0.0.15 as the Internal IP, and 1.1.1.2 as the Destination IP.

Do not have 2.2.2.2 as a virtual IP.
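A small simulation of the packet path described in posts #6 and #10, added here as an illustration and not code from OPNsense or the poster: it models the outbound SPD lookup happening on the untranslated packet before the one-to-one NAT rewrite (the assumed FreeBSD ordering that makes the manual SPD entry necessary), and shows why the reply from 10.0.0.15 escapes to the default route without that entry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified model (assumption): outbound packets are matched against the SPD
# before the one-to-one (binat) rewrite; inbound packets are rewritten after
# decryption. Addresses are the constructed values from the thread's diagram.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

LOCAL_REAL = "10.0.0.15"      # internal IP of the service behind OPNsense
LOCAL_TRANSLATED = "2.2.2.2"  # external IP the partner sees inside the tunnel
REMOTE = "1.1.1.2"            # partner host on the far side of the tunnel

def spd_policy(entries, pkt):
    """Return 'tunnel' if pkt's (src, dst) matches an SPD selector, else 'route'."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for src_net, dst_net in entries:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return "tunnel"
    return "route"

def binat_out(pkt):
    """One-to-one NAT: rewrite the real source to the external IP on the way out."""
    return Packet(LOCAL_TRANSLATED if pkt.src == LOCAL_REAL else pkt.src, pkt.dst)

def binat_in(pkt):
    """Reverse mapping for decrypted packets addressed to the external IP."""
    return Packet(pkt.src, LOCAL_REAL if pkt.dst == LOCAL_TRANSLATED else pkt.dst)

def outbound_path(manual_spd: bool):
    """Trace the reply 10.0.0.15 -> 1.1.1.2 and report where it ends up."""
    spd = [(f"{LOCAL_TRANSLATED}/32", f"{REMOTE}/32")]    # phase 2 selector only
    if manual_spd:
        spd.append((f"{LOCAL_REAL}/32", f"{REMOTE}/32"))  # manual SPD entry from #6
    reply = Packet(LOCAL_REAL, REMOTE)
    if spd_policy(spd, reply) != "tunnel":
        return ("internet", reply)          # the symptom described in post #10
    return ("tunnel", binat_out(reply))     # source rewritten to 2.2.2.2 in the tunnel

def inbound_path():
    """Decrypted request from the partner, after the one-to-one NAT."""
    return binat_in(Packet(REMOTE, LOCAL_TRANSLATED))
```

Running `outbound_path(False)` versus `outbound_path(True)` reproduces the difference between the original symptom and the working setup.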
#7
And will I need a virtual IP for the 2.2.2.2 that isn't actually visible on the internet?

Or, asked differently, how do I assign that to an interface?

Or, is that handled by my NAT entry? 1:1 or Port Forward?
#8
Quote from: mimugmail on July 15, 2020, 04:02:01 PM
NAT before IPsec needs this in FreeBSD https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html
The documentation seems to say that I'm going to put my local network in the "Manual SPD Entries" box, so 10.0.0.15/32 in my example?
#9
Quote from: mimugmail on July 15, 2020, 06:01:36 AM
Did you set SPD entries?

I did not and I wouldn't know how. This is the first I've heard of this.
#10
Hello,

I am attempting to get a site to site VPN running with a single routable IP address inside each end of the tunnel.

Something like:

   Unknown      Remote                                          Local             My
- Private NW -  network      WAN                       WAN      network ----- Private NW ----
    ?.?.?.? <-> 1.1.1.2 -- 1.1.1.1 <=== TUNNEL ====> 2.2.2.1 -- 2.2.2.2 <-> NAT <-> 10.0.0.15


The Remote end of the connection is a partner company that my company is providing a single service to via this tunnel. The goal here is to allow the service to work while each network is insulated from each other and neither side has to have any knowledge of the other's topology.

I've tried both 1:1 NAT and Port Forward NAT. It seems that I have to have the local network IP as a virtual IP on my WAN interface, and the closest I've come is that traffic gets to the correct server in my network at 10.0.0.15, but the return traffic seems to want to head straight to the internet rather than being returned up the tunnel.

I do also have a /26 network 1:1 NAT servicing requests directly from the internet, but I obtained a single, completely different IP address to use for 2.2.2.2 in the above diagram that has no NAT associated with it besides what I've tried to set up for the tunnel.

I know this description is fairly vague, but does anyone have any suggestions?

Thanks!