Messages - d4rkd3n1337

#1
26.1 Series / IPSec VTI and Reply-TO problem
February 03, 2026, 01:54:43 PM
Hello!
I have the following topology:

VPS (iptables) <‑‑ IPSec VTI <‑‑ OPNsense <‑‑ WebServer
3.3.3.3 | [10.64.0.2/30 <‑‑ 10.64.0.1/30] | 2.2.2.2 <‑‑ 192.168.100.4

  • 3.3.3.3 – public IP address of the VPS.
  • 2.2.2.2 – public IP address of the OPNsense box.
  • 10.64.0.0/30 – address space used for the IPSec VTI tunnel.
  • 10.64.0.2 is advertised as the gateway on the tunnel side of OPNsense.

The tunnel is up and functioning.

When an inbound packet arrives from the VPS side, I can see it reach OPNsense and then be delivered to the WebServer (TCP SYN). However, the client never receives a reply.

What I have tried:

1) Policy‑Based Routing (PBR) on the WebServer's network – set 192.168.100.4 to use ipsecX(10.64.0.2) as the next‑hop. Traceroute shows the traffic follows the expected path.
2) Reply‑to rule on enc0 (the IPSec interface) – added reply‑to ipsecX(10.64.0.2) in the allow rules (src: any, src_port: any, dst: 192.168.100.4, dst_port: 443, reply_to: ipsecX(10.64.0.2)).
tcpdump on enc0 shows the outbound traffic attempting to go to the client (192.168.100.4 → client IP). No return traffic is observed on the opposite side of the tunnel. The VPS has IP forwarding enabled, NAT configured to its public IP, and port‑forwarding rules in place. There are no firewall rules that would block the traffic.

Observation: If I add a static route on OPNsense such as client‑IP/32 → 10.64.0.2, the communication works immediately.

Question: Any ideas why the reply traffic does not traverse the tunnel without the explicit host route? Could my reply‑to configuration be incorrect?
#2
24.7, 24.10 Legacy Series / Re: GRE over NAT
August 25, 2024, 12:07:16 PM
So, I'm trying to start iperf with UDP (iperf3 -c server.behind.tunnel -u -b 120M) and get 120 Mbit/s (of course with losses, it's UDP). But I don't understand yet where I need to set MSS: in the firewall settings (normalization) or on the gateways with GRE? Or both (OPNsense with GRE, OPNsense with NAT GRE and Cisco with GRE)?
#3
24.7, 24.10 Legacy Series / Re: GRE over NAT
August 25, 2024, 11:35:30 AM
Good idea. But it is global, right? On the GRE sites (Cisco/OPNsense MTU set to 1476).
From here I have the next question: when NATting GRE, do we decrement the MTU?
#4
24.7, 24.10 Legacy Series / GRE over NAT
August 25, 2024, 11:07:05 AM
Hello, guys. I really hope that there are experts among you.
I have the following setup:
First site:
OPNsense edge gateway/firewall (ISP public IP, for example 1.1.1.1) (DMZ IP: for example 10.1.1.1)
Cisco router in the DMZ with tunnel (GRE) interfaces: 10.1.1.2

Second site:
OPNsense edge gateway/firewall (ISP public IP, for example: 2.2.2.2)

I have a working GRE tunnel with this scheme:
S2 OPNSense -> MyOPNSense -> (NAT GRE) -> Cisco
With this scheme I get ~60-80 Mbit throughput.
Today, for testing, I made a GRE tunnel in the local network (VM to Cisco), and I get over 600 Mbit!
Maybe OPNsense has settings for GRE over NAT? Because it's very strange.
What can be the bottleneck?

Example configs:
Cisco:
interface ga0/0 - ip address 10.1.1.2/24 (DMZ)
interface Tunnel2
(GRE) ip address 10.0.91.1/30
(GRE) tunnel source 10.1.1.2
(GRE) tunnel destination 2.2.2.2

S2 OPNsense:
em0 (WAN, public ISP, anyway...) - ip: 2.2.2.2
gre0:
source - 2.2.2.2
destination - 1.1.1.1
gre local 10.0.91.2/30

If needed, I can provide more info.
And sorry for my bad English.
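The GRE MTU of 1476 and the "where do I set MSS" question in the posts above come down to the same header arithmetic. The following is an added worked example (not code from the poster, OPNsense or Cisco) that computes the inner MTU and the matching TCP MSS clamp for GRE encapsulation from the fixed header sizes in RFC 2784/2890; it assumes no IP or TCP options and does not model IPsec overhead, which the thread does not specify.

```python
"""Tunnel MTU and TCP MSS clamp for (stacked) GRE encapsulation.

Header sizes: outer IPv4 20 / IPv6 40, GRE base header 4, each optional
GRE field (checksum, key, sequence number) 4; inner IPv4+TCP 40, IPv6+TCP 60.
"""

GRE_BASE_HEADER = 4            # flags/version + protocol type
GRE_OPTIONAL_FIELD = 4         # checksum, key and sequence each add 4 bytes
OUTER_IP_HEADER = {"ipv4": 20, "ipv6": 40}
INNER_IP_TCP_HEADER = {"ipv4": 40, "ipv6": 60}   # no options assumed


def gre_overhead(outer="ipv4", checksum=False, key=False, sequence=False):
    """Bytes added per packet by one GRE layer over the given outer IP."""
    optional = GRE_OPTIONAL_FIELD * sum(1 for f in (checksum, key, sequence) if f)
    return OUTER_IP_HEADER[outer] + GRE_BASE_HEADER + optional


def tunnel_mtu(path_mtu, layers):
    """MTU left inside the innermost tunnel after subtracting each layer.

    `layers` lists per-layer overheads in bytes, outermost first, so nested
    tunnels (e.g. GRE carried inside another GRE) are handled as well.
    """
    mtu = path_mtu
    for overhead in layers:
        mtu -= overhead
    if mtu <= 0:
        raise ValueError("encapsulation overhead exceeds the path MTU")
    return mtu


def mss_clamp(mtu, inner="ipv4"):
    """Largest TCP MSS that fits the tunnel MTU without fragmentation."""
    return mtu - INNER_IP_TCP_HEADER[inner]


if __name__ == "__main__":
    # Plain GRE over a 1500-byte WAN link: 1476, the value set in the posts.
    mtu = tunnel_mtu(1500, [gre_overhead()])
    print(f"GRE MTU {mtu}, IPv4 TCP MSS clamp {mss_clamp(mtu)}")
    keyed = tunnel_mtu(1500, [gre_overhead(key=True)])
    print(f"GRE with key: MTU {keyed}, MSS clamp {mss_clamp(keyed)}")
```

The MSS value is what a normalization/scrub rule on the tunnel interface would clamp to; a mismatch shows up as large packets being fragmented or dropped while small ones pass.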
#5
Hello, folks.

I see in the manuals that NAT reflection works only for directly attached networks.

I have the following scheme:
OPNsense gateway, facing the WAN network, with a LAN network (10.1.1.0/24).
Cisco gateway, one port attached to 10.1.1.0/24, with its own networks (172.16.1.0/24 etc.).

With NAT reflection I can connect perfectly to WAN_IP:80/443 etc. from any host in 10.1.1.0/24,
but from a remote local net (e.g. 172.16.3.0/24) I can't reach WAN_IP.

What manual rule must I create in outbound NAT?