Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Voix

Pages1
#1
General Discussion / Tailscale w multiple exit nodes
December 07, 2024, 10:19:36 PM
Hello,

Could you pls tell if it is possible to have multiple Tailscale exit nodes and route traffic on OPNSense via PBR?

Tried to achieve this, but it didn't work since ASA I use --exit-node=.... all the traffic is routed through that node regardless on what GWs rules point to.
#2
24.7, 24.10 Legacy Series / Re: Source IP is always changing to OPNSense's interface
October 18, 2024, 07:39:54 PM
Thank you!

It actually helped to find the issue.
The problem was not in the OPNSense at all :)
#3
24.7, 24.10 Legacy Series / Re: Source IP is always changing to OPNSense's interface
October 18, 2024, 07:24:36 PM
Did it, the lines disappeared from the output above, but didn't help: still see RTR's IP by 'w'
#4
24.7, 24.10 Legacy Series / Re: Source IP is always changing to OPNSense's interface
October 18, 2024, 07:11:45 PM
vlan5 - Vlan on DMZ
vlan10 - To ISP (different port)
igc0 - LAN

Code Select

# pfctl -s nat
nat-anchor "miniupnpd" all
no nat proto carp all
nat on tailscale0 inet from <SiteAnet> to any -> (tailscale0:0) port 1024:65535
nat on vlan0.10 inet from <ocserv_clients> to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from <SiteBnet> to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (igc0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (lo0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (wg0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (vlan05:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from 127.0.0.0/8 to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (igc0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (lo0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (wg0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (vlan05:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from 127.0.0.0/8 to any -> (vlan0.10:0) port 1024:65535
no rdr proto carp all
no rdr on igc0 proto tcp from any to (igc0) port = ssh
no rdr on igc0 proto tcp from any to (igc0) port = http
no rdr on igc0 proto tcp from any to (igc0) port = https
rdr-anchor "miniupnpd" all
binat-anchor "miniupnpd" all


I can't see smth fishy here
#5
24.7, 24.10 Legacy Series / Re: Source IP is always changing to OPNSense's interface
October 18, 2024, 06:55:22 PM
No, GWs are only in Internet and in tailscale interfaces.
#6
24.7, 24.10 Legacy Series / Source IP is always changing to OPNSense's interface
October 18, 2024, 06:50:56 PM
Hi all,

I have the opnsense v.24.7.6 with Internet, LAN and DMZ (with vlan) interfaces.
LAN IP: 10.1.1.0/24
DMZ IP: 10.1.2.0/24

When I reach out the server in DMZ with ssh and issue "w" command, it shows address of router's DMZ interface  (10.1.2.1), but not my computer's IP.

At the same time I have no NAT between these interfaces.
"Firewall: NAT: Outbound" is set to Hybrid outbound NA, but there are only rules for Internet interface.

Could you please advise, what could be the reason of the issue?
Pages1