Messages - nellson

#1
Hrmm.. It appears that the tunnel was receiving traffic from work to my 10.0.10.0/25 network in my BiNAT and sending it BACK down the tunnel via the 10.0.0.0/8 route. I would have expected the more specific route to win out, or how would this BiNAT for space used on both sides even work? I limited my SDR to a smaller 10.45.0.0/16 used in my datacenter and things started to work to that range. So I think something did not get automatically installed for the BiNAT so it could catch this traffic?
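An added illustration of the longest-prefix behaviour this post puzzles over (example code written for this page, not code from the forum thread or from OPNsense; the interface names, the route tables and the "translate before lookup" switch are assumptions built from the addresses in the post):

```python
import ipaddress

# Constructed model: a 1:1 BiNAT mapping plus a longest-prefix-match route
# lookup, using the prefixes from the post. Not OPNsense's implementation.
INSIDE = ipaddress.ip_network("10.0.0.0/25")    # real LAN behind the firewall
OUTSIDE = ipaddress.ip_network("10.0.10.0/25")  # how that LAN appears over the tunnel


def binat(addr, src_net, dst_net):
    """1:1 translate addr from src_net into dst_net, keeping the host bits."""
    a = ipaddress.ip_address(addr)
    if a not in src_net:
        return a
    host_bits = int(a) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def route_lookup(routes, dst):
    """Next hop of the most specific route matching dst, or None (default route)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def add_route(routes, cidr, hop):
    """Return a copy of routes with one extra static route (the missing BiNAT route)."""
    return routes + [(ipaddress.ip_network(cidr), hop)]


def deliver(routes, dst, translate_first):
    """Where a packet arriving from the tunnel for dst ends up.
    translate_first=True assumes BiNAT rewrites the destination before routing."""
    if translate_first:
        dst = binat(dst, OUTSIDE, INSIDE)
    return route_lookup(routes, dst)


# Route tables as described: connected LAN plus the static route (SDR) to the tunnel.
ROUTES_WIDE = [(ipaddress.ip_network("10.0.0.0/25"), "lan"),
               (ipaddress.ip_network("10.0.0.0/8"), "ipsec_vti")]
ROUTES_NARROW = [(ipaddress.ip_network("10.0.0.0/25"), "lan"),
                 (ipaddress.ip_network("10.45.0.0/16"), "ipsec_vti")]

if __name__ == "__main__":
    print(binat("10.0.0.24", INSIDE, OUTSIDE))          # 10.0.10.24
    print(deliver(ROUTES_WIDE, "10.0.10.24", False))     # ipsec_vti: bounced back down the tunnel
    print(deliver(ROUTES_WIDE, "10.0.10.24", True))      # lan: translated first, so it is delivered
    print(deliver(ROUTES_NARROW, "10.0.10.24", False))   # None: the /16 SDR no longer swallows it
    print(deliver(add_route(ROUTES_WIDE, "10.0.10.0/25", "lan"), "10.0.10.24", False))  # lan
```

The last line shows the "more specific wins" case the post expected: a /25 route for the BiNAT range beats the /8 SDR, which is why narrowing the SDR or adding that route changes where the return traffic goes.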

#2
I have built a Router VTI IPSec tunnel to a Cisco Router at work. I am using BiNAT to make my 10.0.0.0/25 network look like 10.0.10.0/25 over the tunnel. I am using 10.0.10.252/30: .254 is my OPNSense end, .253 is my Cisco VTI Tunnel10. The tunnel on the Cisco can ping the tunnel IP on the OPNSense. The loopback on the Cisco 10.45.253.1 can ping the 10.0.10.254 of the OPNSense. BUT my Linux box at 10.0.0.24, NATting to 10.0.10.24, tries to ping the loopback of the router at 10.45.253.1 (and a ping from the router's loopback to the 10.0.10.24 at the same time), and neither gets a reply. YET, both unidirectional traffic flows show in the Packet Capture on my tunnel interface on the OPNSense. I am lost as to how this happens? (see picture attached)

My tunnel interface has two ANY - ANY IPv4 rules for in and out. And I see Encaps and Decaps aplenty on my Cisco and my OPNSense IPSec stats...

#3
OK, so it looks like I am supposed to define a Single Gateway with the IP address of my far end peer. If I do that and attach it to the LAN interface, my pings now stop going out the internet, and just die in the firewall. I kinda think that might be progress.

I did not see a route in the table for my IPSec tunnel, and I thought it said the system would make one.. so I did add a SDR for the 10.0.0.0/8 net going to my new gateway.

No more leaking of the 10 net space to my ISP, but no DECAPs on my Cisco router. Not sure how I see what is happening to my traffic on the OPNSense side. Is that BiNat being used?

#4
Using the docs I was able to get an IPSec/IKEv2 tunnel up in 15 mins with my company Cisco Router, and was very jazzed that I could replace my Palo Alto firewall VPN. My Company uses the entire 10. net mostly, including the lil 10.0.0.0/24 I use at home. No problem, that's what the IPSec BiNat was for, yes? So...

my IPSec tunnel uses 10.0.10.0/25 as the inside space that I will be NAT'ing myself to. And the 10.0.0.0/8 for the remote network. Cisco IPSec sees that and reverse route injects a static 10.0.10.0/25 in for my tunnel. Cool.

On the Opnsense side, I have my IPSec tunnel originating from my WAN interface (static IP from ISP) and my NAT set up with a single test 1-to-1 from 10.0.0.7 (my pc) to 10.0.10.7 (the IP I will appear as over the tunnel, same as I did with my Palo).

My IPSec FW rules are an ANY ANY right now, both inbound and out.

So I test a ping from my station to a station at work, and it appears to be going straight out the internet, and not the tunnel.. My ISP gateway is sending the ICMP rejection.

So I am stuck on what I might need to do for routing/NAT. and https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html wasn't giving me quite enough.

UPDATE: Traffic FROM my work to the NAT address 10.0.10.7 is correctly getting through the tunnel, and being NAT'ed to my 10.0.0.7 workstation. I see INBOUND traffic in all the IPSec logs and Wireshark on my workstation shows the ping hitting me. (Carbon Black denies it, but hey, it got here!) If I ping from that same workstation, no outbound traffic is seen in the tunnel.

So I followed the IPSec tunnel docs, and added the BiNat docs. I think my issue is in the IPSec Tunnel docs, in that my VPN Status shows my tunnel as "INSTALLED" and "ROUTED" but the docs say it should just show "INSTALLED", and in the route table there is no entry to suggest my traffic would get captured by my IPSec tunnel.

My NAT is on the IPSec interface.. perhaps that is why it's not being NAT'ed before the tunnel network list sees it?

#5
UPDATE: OK, so I did see that making a series of virtual IP's for my <public>.96/29 external range is needed for inbound traffic. So I made the remaining 4 free IP's as Virtuals so I will not forget.

Now the NAT's work inbound and OUT.

But the rules I built are not what I was expecting. I created a WAN rule to allow the DNS ports to my external IPs and nothing worked. I looked in the live log, and I see DENIES from my source test but the destination is the <private>.24 IP and not the <public>.99 static IP on the WAN interface? WTH? OK, so I cloned my rule, and changed the destination to the <private>.24 IP, and now DNS is working..

The Port forwarding rules work against the outside IP of the firewall, and I expected it to be that way.

So 1-to-1 NAT happens before the rules are checked? Meh.. So far it appears that way..

#6
So I am new to OPNSense from a Palo Alto firewall system. My home network has a /29 public block, where I use the first useable as my firewall IP, and all my port forwarding.

But I have some servers that need two 1-to-1 NAT's and I am having trouble understanding the docs on how this works.

I made two BINAT rules the way I think they needed to be, <public>.99 <-> <private>.24/32, and when I test my .24 host with a what's-my-IP test, I get my public NAT, but when I try to contact my host via an external DIG (it's a DNS server) I get nothing. My rules allow TCP/UDP 53 & 953 to my two outside IPs.

Do I need to use a Virtual IP construct to get OPNSense to respond to the two outside IPs of my NAT? (This was from a Google search of someone who got a lab to work; it did not make sense.)