Virtual private networks / Re: OpenVPN on Multi-WAN Environment
« on: May 04, 2023, 01:53:35 pm »
I'm resurrecting an old thread because I found a solution for our use case.
In our case, we had created an interface group under Firewall > Groups called WANAll. This allowed us to set firewall rules for our WAN1 and WAN2 interfaces in one place. We created the obligatory rule to allow port 1194 traffic for OpenVPN under WANAll instead of creating two separate firewall rules for WAN1 and WAN2.
The resulting pf rule looked like this:
pass in log quick on WANAll inet proto udp from any to (self) port = openvpn keep state label "0667d76bd1b44ab51c4eb85bb052e5e3"
We needed two separate rules, one for each WAN interface. I removed the rule under WANAll and created the rules separately under WAN1 and WAN2. The resulting pf rules look like this:
pass in log quick on igb1 reply-to (igb1 104.218.xxx.yyy) inet proto udp from any to (self) port = openvpn keep state label "2d1fd0c4c78f6823e4f74c3f01259251"
pass in log quick on igb2 reply-to (igb2 12.7.xxx.yyy) inet proto udp from any to (self) port = openvpn keep state label "1738df7680cf468ea2a66b684c810f64"
The reply-to clause is important. It tells pf that traffic entering on one interface should exit on the same interface. If the reply-to clause is not there, traffic destined to WAN2 will enter on WAN2 but response traffic will exit WAN1 because WAN1 has the higher-priority gateway (with a lower priority value). This causes an asymmetric routing problem where the response traffic never reaches its destination.
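As an added example (not code from the post or from OPNsense), a small Python check that scans a pf ruleset for the misconfiguration described above: inbound rules on an interface group (which get no per-interface reply-to), WAN rules with no reply-to, and WAN rules whose reply-to names a different interface than the one the traffic enters on. The interface names igb1/igb2, the WANAll group and the sample ruleset are assumptions modelled on the rules quoted in the post.

```python
import re

# Constructed sample ruleset, modelled on the rules quoted in the post
# (interface names and addresses are assumptions, not real hosts).
SAMPLE_RULES = """\
pass in quick on igb0 inet proto tcp from any to any keep state label "lan"
pass in log quick on WANAll inet proto udp from any to (self) port = openvpn keep state label "group-rule"
pass in log quick on igb1 inet proto udp from any to (self) port = openvpn keep state label "wan1-no-reply-to"
pass in log quick on igb1 reply-to (igb1 104.218.0.1) inet proto udp from any to (self) port = openvpn keep state label "wan1-ok"
pass in log quick on igb2 reply-to (igb1 12.7.0.1) inet proto udp from any to (self) port = openvpn keep state label "wan2-wrong-iface"
pass in log quick on igb2 reply-to (igb2 12.7.0.1) inet proto udp from any to (self) port = openvpn keep state label "wan2-ok"
"""

# Assumed mapping: igb1 = WAN1, igb2 = WAN2, WANAll = the Firewall > Groups entry.
WAN_IFACES = {"igb1", "igb2"}
WAN_GROUPS = {"WANAll"}

# Inbound pass rule: ingress interface, plus an optional reply-to (iface gateway) clause.
RULE_RE = re.compile(
    r"^pass\s+in\b.*?\bon\s+(?P<iface>\S+)"
    r"(?:\s+reply-to\s+\(\s*(?P<rt_if>\S+)\s+(?P<rt_gw>[^)\s]+)\s*\))?"
)
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def lint_reply_to(ruleset, wan_ifaces=WAN_IFACES, wan_groups=WAN_GROUPS):
    """Return a list of (label, problem) for inbound rules whose replies would
    not leave through the interface they arrived on (asymmetric routing)."""
    findings = []
    for line in ruleset.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # not an inbound pass rule
        iface, rt_if = m.group("iface"), m.group("rt_if")
        lm = LABEL_RE.search(line)
        label = lm.group(1) if lm else line
        if iface in wan_groups:
            findings.append((label, f"rule on group {iface} carries no per-interface reply-to; split it per WAN"))
        elif iface in wan_ifaces and rt_if is None:
            findings.append((label, f"WAN rule on {iface} lacks reply-to; replies follow the default gateway"))
        elif iface in wan_ifaces and rt_if != iface:
            findings.append((label, f"reply-to names {rt_if} but traffic enters on {iface}"))
    return findings


if __name__ == "__main__":
    for label, problem in lint_reply_to(SAMPLE_RULES):
        print(f"{label}: {problem}")
```

Feed it the output of `pfctl -sr` on the firewall to check a live ruleset against the same three conditions.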