Messages

1

Virtual private networks / IPsec connection works until first rekey

« on: September 20, 2024, 08:34:51 am »

Hi,
I have a little problem with an IPsec Site2Site connection. The connection works until the first rekey after one hour.
I'm not sure if I read the log correctly but it looks like the rekey works but the other side tries to rekey again 25 seconds later, but with the old SPI.
Unfortunately I don't have access or detailed information about the other side but maybe someone here is able to spot the problem.

2

24.1 Legacy Series / Re: Static route with high packet loss

« on: July 09, 2024, 11:02:21 am »

I tested some more things and I'm some what sure that it must have something to do with the way opnsense handles TCP sessions.

The problem only occurs at clients in the same subnet as the the VPN Getaway. Clients in other subnets (VLANS) are working fine.
So I think opnsense has problems keeping track of the TCP sessions because it only sees the outgoing traffic but not the incoming. (Because the VPN Getaway is in the same subnet and answers clients directly)

I already tried setting "State Type" to none in my firewall policy but the problem is still present.

Also one thing why I think it has something to do with the TCP sessions is, that the first page load succeeds and if I immediately reload the page it ends with lots of timeouts, but if I wait a minute the page reloads perfectly.

3

24.1 Legacy Series / Static route with high packet loss

« on: July 08, 2024, 04:13:14 pm »

Hi,

I have a VPN-Gateway in my LAN Network and I want all clients to be able to use the network behind that VPN Gateway.

So I added a Gateway and a static route in my opnsense firewall.
Ping works fine but I have a huge problem with TCP traffic. It seems that they are a lot of lost packages / re transmissions.
The thing is, when I apply the same static route on a client pc it works flawlessly.

LAN IP OPNsense: 10.10.50.254
IP VPN-Gateway: 10.10.50.200
Subnet behind VPN Gateway: 10.20.0.0/16

Route I use: 10.20.0.0/16 10.10.50.200 LAN

One thing I noticed in the Firewall -> Log Files -> Live View is that there is allowed traffic but also sometimes blocked traffic. Same source local network IP, same destination VPN IP, same ports, same protocol.

4

Virtual private networks / Assigning an interface for WireGuard Site2Site connection not possible?

« on: June 29, 2024, 10:19:54 am »

I'm wondering why I can assign an interface to a RoadWarrior setup and manage firewall rules via this interface, but this doesn't seem to work with a Site2Site connection? I can assign an interface, but then the tunnel doesn't even cum up anymore.

5

Virtual private networks / How to set outbound gateway for WireGuard

« on: June 28, 2024, 11:59:23 pm »

Hi everyone,

I have multiple WAN connections and WireGuard should not use the default one. How can I set a specific gateway for WireGuard to use or even better a WAN group?

My WireGuard instance is the "client" of an site-2-site connection.