OPNsense
Messages - vactomas

1
General Discussion / Re: Site-to-site VPN - no SNAT - firewall deny
« on: November 13, 2024, 04:28:03 pm »
I solved it. For future reference - I had to set Static route filtering - Bypass firewall rules for traffic on the same interface - True

2
General Discussion / Site-to-site VPN - no SNAT - firewall deny
« on: November 13, 2024, 03:01:32 pm »
Hi,

I have two networks. Site A - 192.168.0.0/24 and Site B - 192.168.10.0/24

On Site B I run an OPNsense firewall as the ingress point. At both sites, I have Tailscale subnet routers on Linux devices with SNAT subnet routes set to false.

From Site B, I can access all devices with 192.168.0.x IPs. No problem there. However, it stops working when I try to go the other way around. I can ping from Site A to Site B, but TCP connections get dropped at the OPNsense firewall at Site B.

Site B: Subnet router 192.168.10.3, Gateway (OPNSense) 192.168.10.1

To deal with static routes, I created a gateway Tailscale_GW with IP 192.168.10.3 and set routes for networks 192.168.0.0 and 100.64.0.0 (Tailscale).

I added rules to Firewall: Rules: LAN and NAT: Outbound as per the attachments.

Every time a reverse proxy located at 192.168.0.20 tries to reach a Docker container at 192.168.10.10, the firewall denies the connection with the Default deny / state violation rule.

I'd appreciate any ideas.
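The following is an added example, not part of this thread and not OPNsense or pf code. It is a small Python model of a stateful packet filter on the thread's topology (addresses taken from the posts; the interface name "lan" and the exact hop sequence are assumptions). It shows why the Site A to Site B TCP handshake ends in a state violation: the SYN arrives through the subnet router 192.168.10.3 and is delivered straight to 192.168.10.10 on the LAN without passing OPNsense, while the SYN-ACK goes to the default gateway 192.168.10.1 and is routed back out the same interface. The firewall therefore sees a reply with no matching state. The model also shows why "Bypass firewall rules for traffic on the same interface" (the setting the reply above refers to) resolves it, and why the Site B to Site A direction works either way.

```python
from dataclasses import dataclass, field

# Addresses from the thread; the interface name "lan" is an assumption.
OPNSENSE = "192.168.10.1"         # Site B default gateway running OPNsense
SUBNET_ROUTER_B = "192.168.10.3"  # Site B Tailscale subnet router (no SNAT)
PROXY_A = "192.168.0.20"          # reverse proxy at Site A
CONTAINER_B = "192.168.10.10"     # Docker host at Site B
LAN = "lan"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "SYN", "SYN-ACK" or "ACK"


def site_b_hops(pkt):
    """Hops a packet takes inside Site B (simplified model, assumed from the
    thread's topology). Traffic arriving through the tunnel is delivered by the
    subnet router straight to the LAN host; traffic leaving a Site B host goes
    to its default gateway (OPNsense), whose static route for 192.168.0.0/24
    sends it back out the same LAN interface to the subnet router."""
    if pkt.src.startswith("192.168.0."):
        return [SUBNET_ROUTER_B, pkt.dst]
    return [OPNSENSE, SUBNET_ROUTER_B]


@dataclass
class StatefulFilter:
    """Toy stateful filter: a SYN creates state, later packets must match it,
    anything else hits the default deny. Not pf's real implementation."""
    bypass_same_interface: bool
    states: set = field(default_factory=set)

    def process(self, pkt, in_if, out_if):
        flow = (pkt.src, pkt.dst)
        if pkt.kind == "SYN":
            self.states.add(flow)
            return "pass (state created)"
        if flow in self.states or flow[::-1] in self.states:
            return "pass (matches existing state)"
        if self.bypass_same_interface and in_if == out_if:
            # Static route filtering bypass: same-interface traffic is passed
            # without state tracking, so the unseen SYN no longer matters.
            return "pass (same-interface bypass, stateless)"
        return "drop (Default deny / state violation)"


def handshake(bypass, client=PROXY_A, server=CONTAINER_B):
    """Run a TCP three-way handshake through the model and report, per packet,
    what OPNsense does with it; "established" is True if nothing was dropped."""
    fw = StatefulFilter(bypass)
    packets = [Packet(client, server, "SYN"),
               Packet(server, client, "SYN-ACK"),
               Packet(client, server, "ACK")]
    result = {}
    for pkt in packets:
        if OPNSENSE in site_b_hops(pkt):
            # The subnet router and the LAN hosts all sit on the LAN interface,
            # so the packet enters and leaves OPNsense on the same interface.
            result[pkt.kind] = fw.process(pkt, in_if=LAN, out_if=LAN)
        else:
            result[pkt.kind] = "not seen by OPNsense"
    result["established"] = not any(v.startswith("drop") for v in result.values())
    return result


if __name__ == "__main__":
    for bypass in (False, True):
        print(f"bypass same-interface traffic = {bypass}")
        for name, verdict in handshake(bypass).items():
            print(f"  {name:12} {verdict}")
```

Running it prints the per-packet verdicts for both settings: with the bypass off only the SYN-ACK reaches OPNsense and is dropped as a state violation; with it on, the same packet is passed statelessly and the handshake completes. Calling `handshake(False, client=CONTAINER_B, server=PROXY_A)` models the working direction: there the SYN does traverse OPNsense and creates state, so the later ACK matches.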

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved