
Messages - Marvin

#1
20.7 Legacy Series / SNAT & DNAT
August 25, 2020, 02:22:35 AM
I am having much trouble trying to make this work. On an older system it was quite easy. On OPNsense I am very confused.

I have 2 IPSec tunnels.  These two tunnels route traffic directly between each other.  There is no local LAN configured, only the WAN which supports the IPSec tunnels.

I have some SNATs and some DNATs and some 1-to-1 NATs that make everything work (on the older system). They all attach to IPSec. But SNAT and DNAT do not appear to be part of the OPNsense vernacular.

OPNsense uses Port Forward, Outbound and 1-to-1 NATs.  But which are SNAT and which are DNAT?
#2
General Discussion / Re: Hub and Spoke VPN
August 20, 2020, 02:10:16 AM
We are trying to replace an old system that has been doing this for years (but is no longer supported or updatable).

This system uses only one WAN interface (vtnet0). It runs 2 IPSec tunnels and routes traffic between them with NAT. One tunnel connects to a customer that insists that their remote side be 10.0.0.0/8, and the devices we connect to are very non-contiguous. Obviously that 10.0.0.0/8 conflicts not only with our internal network structure but also with other customer VPN NATing we must do.

So our solution has been (for many years) to run a separate VPN device that only serves this customer. One IPSec tunnel to that customer with their 10.0.0.0/8 and one IPSec tunnel to our main system configured as we need it to be. Then the traffic is NATed, both individual IP to individual IP and subnet to subnet, and passed between the tunnels.

I have attempted to replicate this setup with OPNsense. I can get both IPSec tunnels to run. But I cannot get traffic to NAT properly and route to the other tunnel. All ports are unchanged, only the IPs are mapped. Here is a very simplified drawing:
IPSec to us              NATing                                        IPSec to them
(local)                                                                (remote)
172.100.1.0/24    <===>  172.100.1.0/24 <-> 192.168.100.0/24   <===>   192.168.100.0/24
(remote)                                                               (local)
172.200.10.32/28  <===>  172.200.10.34  <-> 10.1.30.17         <===>   10.0.0.0/8
                         172.200.10.35  <-> 10.1.42.6
                         172.200.10.36  <-> 10.8.98.16

Any help with this would be appreciated. Let me know if additional data would be useful.
#3
General Discussion / Hub and Spoke VPN
August 19, 2020, 09:56:56 PM
Can OPNsense support Hub-and-Spoke VPN configuration?
#4
We have a unique VPN scenario that I would like to see if I can get OPNsense to perform, in order to replace an old system that has been doing this for years (but is no longer supported or updatable).

This system uses only one WAN interface (vtnet0). It runs 2 IPSec tunnels and routes traffic between them with NAT. One tunnel connects to a customer that insists that their remote side be 10.0.0.0/8, and the devices we connect to are very non-contiguous. Obviously that 10.0.0.0/8 conflicts not only with our internal network structure but also with other customer VPN NATing we must do.

So our solution has been (for many years) to run a separate VPN device that only serves this customer. One IPSec tunnel to that customer with their 10.0.0.0/8 and one IPSec tunnel to our main system configured as we need it to be. Then the traffic is NATed, in some cases individual IP to individual IP, and in other cases entire subnet to entire subnet (of similar size, which I believe OPNsense calls bitmask), then passed between the tunnels.

I have attempted to replicate this setup with OPNsense. I can get both IPSec tunnels to run. But I cannot get traffic to NAT properly and route to the other tunnel. All ports are unchanged, only the IPs are mapped. Here is a very simplified drawing:
IPSec to us              NATing                                        IPSec to them
(local)                                                                (remote)
172.100.1.0/24    <===>  172.100.1.0/24 <-> 192.168.100.0/24   <===>   192.168.100.0/24
(remote)                                                               (local)
172.200.10.32/28  <===>  172.200.10.34  <-> 10.1.30.17         <===>   10.0.0.0/8
                         172.200.10.35  <-> 10.1.42.6
                         172.200.10.36  <-> 10.8.98.16

Also, with our old system, I could run tcpdump on each individual IPSec tunnel so it was easy to see what was going through each. It appears that on OPNsense the IPSec tunnels are lumped together in a single dev interface, is that right?

Any help with this would be appreciated. Let me know if additional data would be useful.
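An added example, not code from this thread or from OPNsense, that models the NAT between the two tunnels drawn in posts #2 and #4 in terms of the pf rules behind OPNsense's NAT pages, and so also answers the terminology question in post #1. It assumes the usual correspondence of Firewall > NAT > Outbound to pf `nat` (source NAT, SNAT), Firewall > NAT > Port Forward to pf `rdr` (destination NAT, DNAT), and Firewall > NAT > One-to-One to pf `binat` (both halves in one rule), and that policy-based IPsec traffic is seen by pf on the `enc0` pseudo-interface; the addresses are the ones in the drawing, and the `Mapping` class and the helper names are this example's own.

```python
"""Added example (not from the thread or from OPNsense): the NAT between two
policy-based IPsec tunnels, modelled as the pf rules OPNsense's NAT pages produce.

Assumed correspondence (OPNsense GUI page -> pf rule keyword):
  Firewall > NAT > Outbound       -> nat    (source NAT, "SNAT")
  Firewall > NAT > Port Forward   -> rdr    (destination NAT, "DNAT")
  Firewall > NAT > One-to-One     -> binat  (both directions in one rule)
`enc0` is assumed to be the pseudo-interface on which pf sees IPsec traffic.
"""
import ipaddress
from dataclasses import dataclass

IPSEC_IF = "enc0"


@dataclass(frozen=True)
class Mapping:
    """`real` is a host's address on its own tunnel; `presented` is the
    address it is given on the other tunnel."""
    real: ipaddress.IPv4Network
    presented: ipaddress.IPv4Network


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed from the drawing in the posts: the customer's 192.168.100.0/24 is
# shown to "us" as 172.100.1.0/24, and three of our hosts are shown to the
# customer as addresses inside their 10.0.0.0/8.
MAPPINGS = [
    Mapping(net("192.168.100.0/24"), net("172.100.1.0/24")),
    Mapping(net("172.200.10.34/32"), net("10.1.30.17/32")),
    Mapping(net("172.200.10.35/32"), net("10.1.42.6/32")),
    Mapping(net("172.200.10.36/32"), net("10.8.98.16/32")),
]


def validate(mappings):
    """binat needs equal-sized blocks, and overlapping blocks on one side
    would make rule selection ambiguous (the 10.0.0.0/8 clash in the posts)."""
    problems = []
    for m in mappings:
        if m.real.prefixlen != m.presented.prefixlen:
            problems.append(f"{m.real} -> {m.presented}: prefix lengths differ")
    for side in ("real", "presented"):
        nets = [getattr(m, side) for m in mappings]
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"{side}: {a} overlaps {b}")
    return problems


def _target(n):
    """pf writes a /32 as a bare address."""
    return str(n.network_address) if n.prefixlen == 32 else str(n)


def binat_rules(mappings):
    """One-to-One NAT: one rule rewrites real->presented on the source of packets
    leaving enc0 and presented->real on the destination of packets entering it."""
    return [f"binat on {IPSEC_IF} from {_target(m.real)} to any -> {_target(m.presented)}"
            for m in mappings]


def nat_rdr_rules(mappings):
    """The same effect from an Outbound NAT (nat) plus a Port Forward (rdr) per
    mapping.  For a netblock the `bitmask` pool option keeps the host bits;
    without it pf hands out translated addresses round-robin."""
    rules = []
    for m in mappings:
        pool = "" if m.real.prefixlen == 32 else " bitmask"
        rules.append(f"nat on {IPSEC_IF} from {_target(m.real)} to any -> {_target(m.presented)}{pool}")
        rules.append(f"rdr on {IPSEC_IF} from any to {_target(m.presented)} -> {_target(m.real)}{pool}")
    return rules


def _remap(addr, src_net, dst_net):
    """Keep the host bits and move them into the other block."""
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def translate(src, dst, mappings=MAPPINGS):
    """Simulate one packet crossing the box.  Both tunnels sit on enc0, so every
    packet is first inbound on enc0 (rdr half: destination presented->real) and
    then outbound on enc0 (nat half: source real->presented).  The same function
    therefore serves both directions; unmapped addresses pass untranslated."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for m in mappings:
        if dst in m.presented:
            dst = _remap(dst, m.presented, m.real)
            break
    for m in mappings:
        if src in m.real:
            src = _remap(src, m.real, m.presented)
            break
    return str(src), str(dst)


if __name__ == "__main__":
    for p in validate(MAPPINGS):
        print("problem:", p)
    print("\n".join(binat_rules(MAPPINGS)))
    print(translate("172.200.10.34", "172.100.1.7"))  # our host -> customer host
    print(translate("192.168.100.7", "10.1.30.17"))   # customer host -> our host
```

Run it to see the rule set and the two-stage rewrite for a packet in each direction; `validate` is the check worth running before building the rules, since a second customer mapping that lands inside 10.0.0.0/8 or inside 172.200.10.32/28 shows up there as an overlap rather than as a silently mis-matched rule.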