
Messages - wedge1001

#1
Hi,

I hope someone can help me a little bit.

I have the following setup:

System -> home-opnsense -> "concentrator"-opnsense -> public-opnsense
(see attached image: small_network.png)

I'm able to access all the networks that are behind each OPNsense. I now have the need to route public internet traffic from my system through home and concentrator to the public instance and use its WAN.
All OPNsenses are connected via VPN in separate /30 networks.

On all systems I have only an outbound NAT for the WAN interface. Routes etc. are distributed via BGP.

I created a gateway with the public-opnsense VPN IP (10.0.1.6). It is online and shows the right RTT.
If I now create a firewall rule on LAN and force my system to use the far gateway, nothing happens. I can see that the firewall routes all requests to the gateway, but there seems to be no answer.
The rule is also attached: firewall-rule.jpg

Any idea how I can get this to work?
Thank you.
#2
Virtual private networks / VLAN on top of OpenVPN tap
February 08, 2023, 09:24:49 AM
Hi,

I've got a small problem here with my VLAN which is layered on top of an OpenVPN tap connection.
Whenever I reboot OPNsense I lose the connection to this VLAN.
OpenVPN will come up after a few seconds and this network is working fine.

To get my VLAN working again I have to reassign my interface to something new, delete my VLAN and recreate it again.

It seems like OPNsense tries to set up the VLAN when the VPN isn't connected yet and fails.
It will then just stop doing anything with it.

Is there a way to get around a recreation of the VLAN on every reboot?
I don't have a problem running a script that will fix this after every reboot, but I don't know what commands I have to use ^^'
Also, disabling the assigned interface does nothing; the only thing that worked for me was a recreation.

I hope someone can point me in the right direction.

(Also I have the same issue with a logging target that is only available if the WireGuard connection is up; on every reboot I have to disable and re-enable it.)
#3
If OpenVPN -> LAN is working,
I suppose you are missing a firewall rule LAN -> OpenVPN
(or LAN -> any)
#4
Could you be so kind as to post your config here?
And also the log files? Preferably from the client and the server.
#5
@Demusman
The field "local network" is just a placeholder. It will push whatever you add there :)
But yes, it's easier to put it there (except if you have a larger number of networks, then it's really ugly to read).

@runjake:
What's your default gateway in the new networks?
If it's the OPNsense, you don't need to put anything special on the clients; this was only needed for stan since he added another hop in between.

I suspect missing firewall rules. Did you allow access from the VPN to your new LANs?
#6
Why did you create a VLAN?
When you create an OpenVPN server, OPNsense will automatically add routes (and you are able to assign a real interface to this connection).

If you want to bridge this OpenVPN interface to an attached (V)LAN you need a bridge interface: Interfaces -> Other Types -> Bridges

My advice would be: choose different IP ranges and use real routing.

As for your setup...
Please post your config.

The .252 or a /30 network looks like you are using client isolation (max. 2 usable IPs: OPNsense + client);
if you tick "Inter-client communication" it should give you the whole subnet.


edit
I forgot to talk about the gateway:
Normally, if you have a good configuration, your gateway will be pushed to the OpenVPN client.
I suppose this is a problem because you already have the same network defined in your VLAN, so OpenVPN is not able to assign the .1 address to itself again.
Please check your OpenVPN logs (VPN -> OpenVPN -> Log File).
If there is no info, increase the log level to 3, though the IP conflict should also be visible with log level 1.
#7
German - Deutsch / Re: Virtual IP und Postfix
June 22, 2022, 08:59:01 AM
Oh! I hadn't thought of that anymore, since I have that switched off on my side ^^''

Yes, that could also be the cause.
#8
German - Deutsch / Re: Virtual IP und Postfix
June 21, 2022, 05:03:18 PM
Ah, that's annoying, then forget my edit...

And ahhh!
Did you also enter the gateway for the aliases, i.e. when creating them? There was a "bug" once, if I remember correctly, where the interface freaked out when you entered the gateway a second time on the WAN interface alias.

My alias IPs are all created without a special gateway, that seems to work for me;
since yours are in the same subnet as well, the matching route should already be there anyway.
#9
German - Deutsch / Re: Virtual IP und Postfix
June 21, 2022, 04:28:06 PM
Ah!
With things like this, remember: always keep the last numbers the same ^^

Okay.
So once again, to make sure I understood this correctly:

Draytek router (as modem) connected to Mikrotik router (as router with PPPoE)?
That also means that your Mikrotik gets the IPs assigned, or your Draytek, if it works as a router.
That would then be double NAT, which you'd have to do for your LAN systems behind it, and that is evil :/

    |
    |
    |
.----------.
| Draytek  |
`----------'
    |
    | PPPoE Internet (/29 network)
    |
.----------.
| Mikrotik |
`----------'
    |
    |  Some LAN, with IPs that are missing here?
    |
.----------.
| OPNsense |
`----------'

For the access to work the way you want it, you'd have to connect the OPNsense to the Draytek and configure the Draytek as a modem, so that the OPNsense establishes the connection.

Otherwise all IP addresses end up on your Mikrotik and have to be passed on from there via 1:1 NAT (or something similar).


edit
Ah! You pass the IPs on to the interface in the Mikrotik RouterBOARD!
How exactly is the Mikrotik configured? Does it take the other IPs on the same interface? That's what you're trying to do right now, isn't it? If so, how does the Mikrotik tell which IP has to go where? A separate IP each, or via VLAN? Or ... well, good question, what else you can configure on the Mikrotik ^^'

The question is: do you really need the RouterBOARD? Off the top of my head I can't think of anything that isn't also doable via the OPNsense, at least on an IP basis. If not, the fewer devices, the better :)
#10
German - Deutsch / Re: Virtual IP und Postfix
June 21, 2022, 04:06:56 PM
Something doesn't add up with your networks and IP addresses.

The /29 network with the .63 would go from
.56 to .63, where .63 is the broadcast IP. (Incidentally, also with /28, /27 and /26.)

The next network then starts accordingly at .64, which also means that you can't put a host on .64;
the actual hosts are then at 65-70 with broadcast at 71.

Either your /29 isn't right, or your provider gave you /32 addresses each (or they belong to a /25 or larger network). What is the gateway your provider told you?

Are you using PPPoE, or do you have another router in front of it? I don't assume plain Ethernet comes out of the wall, does it? With PPPoE at least the main IP (1st IP address) should be assigned to the WAN. Whether the extra IP addresses transferred via PPPoE get configured automatically, I don't know, but if in doubt you then have the IP aliases for that :)


edit
According to bgp.he you are in the network 213.172.96.0/19
and according to the routing table the IPs between 56 and 63 are not specially assigned. But there is the /29 starting at 64.
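The subnet arithmetic in the post above (which block a .63 address falls into for /29, /28, /27 and /26, and why the next /29 starts at .64 with .64 and .71 unusable) is easy to get wrong by hand. The following is an added example, not part of the original post, that carries the same computation out for any IPv4 address and prefix length using Python's standard `ipaddress` module. The sample address 192.0.2.63 is a constructed value from the documentation range; only its last octet matches the post, and the provider prefix from the thread is deliberately not used. It also generalises the post's remark by listing every prefix length for which a given address is the broadcast (it is /30 as well, not only /29 to /26).

```python
import ipaddress

# Constructed sample (TEST-NET-1 documentation range): only the final octet .63
# mirrors the address discussed in the post; the real prefix is not used here.
SAMPLE = "192.0.2.63"


def describe_block(address: str, prefix: int) -> dict:
    """Network, broadcast and usable host range of the block `address` falls into.

    strict=False lets us pass a host address instead of the network address,
    so the module computes the enclosing network for us.
    """
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    if net.num_addresses >= 4:
        # /30 and larger: the first address is the network, the last the broadcast
        first = net.network_address + 1
        last = net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:
        # /31 and /32: no classic host range (the "/32 addresses" case in the post)
        first = last = None
        usable = 0
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first) if first is not None else None,
        "last_host": str(last) if last is not None else None,
        "usable": usable,
    }


def next_block(address: str, prefix: int) -> dict:
    """The block of the same size that immediately follows the one containing `address`."""
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    return describe_block(str(net.broadcast_address + 1), prefix)


def prefixes_where_broadcast(address: str, shortest: int = 24) -> list:
    """Prefix lengths from `shortest` down to /30 for which `address` is the broadcast."""
    addr = ipaddress.ip_address(address)
    return [
        p for p in range(shortest, 31)
        if ipaddress.ip_network(f"{address}/{p}", strict=False).broadcast_address == addr
    ]


def is_host_usable(address: str, prefix: int) -> bool:
    """True if `address` can carry a host in a /30-or-larger block (not network/broadcast)."""
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    addr = ipaddress.ip_address(address)
    return net.num_addresses >= 4 and addr not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    print("block of", SAMPLE, "/29:", describe_block(SAMPLE, 29))
    print("following /29:", next_block(SAMPLE, 29))
    print(SAMPLE, "is the broadcast for prefixes:", prefixes_where_broadcast(SAMPLE))
    print("first address of the next block usable as host?", is_host_usable("192.0.2.64", 29))
```

Running it shows the same facts the post states: the /29 around .63 spans .56 to .63 with hosts .57 to .62, the following /29 is .64 to .71 with hosts .65 to .70, and .63 is the broadcast for every prefix from /26 down to /30.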
#11
Of course I can add an additional routing point from 1 to 3 (or in my case from 1 to 3 additional OPNsenses), but why should I do this? This will make it even harder to figure out problems in the network.

Changing the default gateway won't do.
Especially since on every OPNsense there is a local LAN attached. If I don't want to add lots of manual routing this isn't feasible. Moreover I'd have to do this every time I add another subnet (which actually happens quite often).

I'm propagating my routes via BGP; so of course the way from the upper left to the lower right system can be different every time something happens within the network (see the picture in the first post). Therefore routes do change dynamically.

Why I want to do this: access geo-restricted sites without setting up a local VPN-connection on each needed opnsense system.
#12
Okay. I'll try to simplify the setup for my question.

I have something like this:

WAN / Internet
         .
         |
         |
    .--------------.   private LAN        .--------------.
    |  OPNsense1   |----------------------|  LAN Clients |
    '------.-------'   192.168.1.1/24     '--------------'
           |
           |
     VPN   | 10.0.0.1/30
           |
    .------'-------.
    |  OPNsense2   |
    '------.-------'
           |
           |
     VPN2  | 10.0.1.1/30
           |
    .------'-------.
    |  OPNsense3   |
    '------.-------'
           |
           |
           .
WAN3 / Internet3


My goal would be to use WAN3 for specific IP addresses from my LAN clients (on OPNsense1), so NOT to route them to the WAN on OPNsense1.

I tried to go the easy way and define a new gateway in OPNsense1 that points to the OPNsense3 IP address (where it should use the default routing). Since this is another subnet than the directly attached one, I defined it as a "far gateway", at least that's how it's called in the GUI.
But it seems like there is "no way back", even though all OPNsenses know how to reach every IP address.

So my question was:

How do I have to configure the FWs to get the traffic the right way?
Configure static routes on OPNsense 1, then 2 and include 3?
I somehow hoped that there is a nicer solution, so that I don't have to configure these routes on every system.
Especially since my routes are dynamic (due to the HA setup and multiple ways to a destination).

I hope this clears it up a bit?

If I get the traffic through WAN3 I can easily set up the missing routes for the additional VPN at OPNsense3.
#13
Hi

I always remember in/out like this:
IN the firewall on the interface
and
OUT of the firewall on this interface
The picture here shows it quite nicely too:
https://docs.opnsense.org/manual/firewall.html


You have 2 options:
either
you block OUT on VLAN 110 with source VLAN 100
or
you block IN on VLAN 100 with destination VLAN 110

As soon as you have a rule with any/any etc. in your VLAN100, you tell the firewall that connections may be established from this LAN. Since the rules are stateful, the 100->110 connection should be activated. The default, however, should then be blocked in the IN rule case of VLAN110, hence a bit strange.

Rules for VLAN 120 / 110 are to be set accordingly (and if necessary forbid the connection into the 110).
#14
Here's an example.

What you have to change:
Interface (your VLAN interface)
Destination / Invert (don't tick it)
Destination (change to any);
Log (I was searching for errors, that's why I ticked it)
Gateway: choose your gateway that will point to your OPNsense at work.

If you don't have a gateway for your remote OP, create one.
1) Create a new interface on your local OP and assign the IPsec connection
2) Restart the connection (because I didn't even get one interface assignment of a VPN that will get the IP if the connection is already active)
3) Add firewall rules for the new interface according to your needs
4) Go to System -> Gateways -> Single
5) There you should already see a gateway for your new interface; click on it and enable gateway monitoring. The IP should either point to the OP at your work (if it answers to ICMP) or something like 8.8.4.4 (or any reachable IP)

Also remember to push/pull/add routes on both sides for VLAN-tagged LANs etc. (or apply NAT)
#15
You are just missing a route on OP1.

OP1 doesn't know where it should look for your VPN network 172.21.10.0/24,
so it tries to connect via the default route (probably your WAN connection).

OP2 does know it, because you have configured it there (so a local network).

All you have to add is another route on OP1:

172.21.10.0/24 via 172.50.100.20

and now everyone on OP1 knows where it should look for the VPN network :)


edit
Oh... also you need to push your route to the OP1 LAN to the VPN, if you don't push all your traffic through the VPN. (If you push 0.0.0.0/0 to your VPN clients, you can omit this route, because it's already added implicitly.)
VPN -> OP1-LAN is what Demusman mentioned.