Messages - mtm

#1
Virtual private networks / OPNsense gateway via IPsec
November 16, 2021, 09:50:06 PM
Hello,

I have an OPNsense firewall (A) where the WAN interface doesn't provide any internet connectivity. The only thing that is possible via WAN is to connect via IPsec to an upstream OPNsense firewall (B). This connection works well and it is possible for the clients on the LAN interface of (A) to reach LAN interfaces on (B). I've actually defined the following ESP tunnels on (A):

ESP IPv4 tunnel    LAN    0.0.0.0/5    AES (128 bits) + SHA512 + 14 (2048 bits)       Upstream (0-7.x.x.x)
ESP IPv4 tunnel    LAN    8.0.0.0/7    AES (128 bits) + SHA512 + 14 (2048 bits)       Upstream (8-9.x.x.x)
ESP IPv4 tunnel    LAN    11.0.0.0/8    AES (128 bits) + SHA512 + 14 (2048 bits)       Upstream (11.x.x.x)
ESP IPv4 tunnel    LAN    12.0.0.0/6    AES (128 bits) + SHA512 + 14 (2048 bits)       Upstream (12-15.x.x.x)
ESP IPv4 tunnel    LAN    16.0.0.0/4    AES (128 bits) + SHA512 + 14 (2048 bits)       Upstream (16-31.x.x.x)
ESP IPv4 tunnel    LAN    32.0.0.0/3    AES (128 bits) + SHA512 + 14 (2048 bits)       Upstream (32-63.x.x.x)
ESP IPv4 tunnel    LAN    64.0.0.0/2    AES (128 bits) + SHA512 + 14 (2048 bits)       Upstream (64-127.x.x.x)
ESP IPv4 tunnel    LAN    128.0.0.0/1    AES (128 bits) + SHA512 + 14 (2048 bits)       Upstream (128.x.x.x)


By doing that, all traffic from the LAN devices to any IP outside of 10.0.0.0/8 is sent via the IPsec tunnel.
Now the issue is that OPNsense (A) doesn't get any internet connectivity.
Is there any way to instruct OPNsense (A) to use OPNsense (B) as internet gateway over the IPsec tunnel?

Thanks!
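As an added check that is not part of the post: the eight ESP selectors listed above are meant to be the complement of 10.0.0.0/8, and a gap in such a list means traffic to that range would leave via WAN instead of the tunnel. The script below (names `uncovered`, `selector_for` and `complement_of` are chosen here) verifies the list with Python's `ipaddress` module and shows which selector a given destination falls into.

```python
import ipaddress

# Phase-2 selectors copied from the post above (local side LAN, remote side "Upstream").
TUNNEL_SELECTORS = [
    "0.0.0.0/5", "8.0.0.0/7", "11.0.0.0/8", "12.0.0.0/6",
    "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/1",
]
LOCAL_SPACE = "10.0.0.0/8"  # the range that must stay off the tunnel


def complement_of(excluded: str) -> list[str]:
    """Minimal CIDR list covering all of IPv4 except `excluded` (what the selectors should be)."""
    whole = ipaddress.ip_network("0.0.0.0/0")
    return [str(n) for n in sorted(whole.address_exclude(ipaddress.ip_network(excluded)))]


def uncovered(selectors) -> list[str]:
    """Parts of IPv4 space that no selector matches, i.e. traffic that would bypass the tunnel."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for sel in map(ipaddress.ip_network, selectors):
        nxt = []
        for block in remaining:
            if sel.subnet_of(block):        # carve the selector out of this block
                nxt.extend(block.address_exclude(sel))
            elif block.subnet_of(sel):      # block lies entirely inside the selector: covered
                continue
            else:
                nxt.append(block)           # disjoint: keep unchanged
        remaining = nxt
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


def selector_for(dst: str, selectors):
    """Longest-prefix match of a destination against the selectors; None means not tunnelled."""
    ip = ipaddress.ip_address(dst)
    matches = [n for n in map(ipaddress.ip_network, selectors) if ip in n]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


if __name__ == "__main__":
    print("expected selectors:", complement_of(LOCAL_SPACE))
    print("not tunnelled     :", uncovered(TUNNEL_SELECTORS))          # only 10.0.0.0/8
    print("8.8.8.8 goes via  :", selector_for("8.8.8.8", TUNNEL_SELECTORS))
    # Simulate an operator deleting the last selector: the gap shows up immediately.
    print("after removing 128.0.0.0/1:", uncovered(TUNNEL_SELECTORS[:-1]))
```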
#2
Virtual private networks / Wireguard site2site routing
October 27, 2021, 09:43:43 PM
Hello all,

I am trying to set up a WG S2S configuration. SiteA is my main OPNsense gateway and siteB shall route all its traffic through siteA. SiteB has (currently) only one network attached on its LAN side. That's 172.22.2.0/24.
On siteA I've added that network to the endpoint's "Allowed IPs", as well as 10.254.253.2/32, which is the WG address.


One note on siteA: the WG interface is not the WAN interface but a LAN (actually a VLAN).

The WG tunnel is up and the handshake is successfully done.

But now, if I want to reach (ping) from siteA e.g. 172.22.2.10 (which is "behind" the WG tunnel), the packets are sent out over re1, which is the WAN interface of siteA.
The same happens for the return packets of pings from 172.22.2.10 to e.g. 172.16.5.1 [which is an IP address of siteA on one of its VLANs]: they are also sent out via re1 (confirmed by "tcpdump -vv -n -i re1 icmp").

netstat -rn -4 does NOT contain any reference of 172.22.2.

I guess that's why the packets are sent out via WAN.

Now I am wondering how to get the entry for 172.22.2.0/24 in the "routing table".

Thanks!
