Messages - vactomas

#1
I solved it. For future reference: I had to set "Static route filtering - Bypass firewall rules for traffic on the same interface" to True.
#2
Hi,

I have two networks. Site A - 192.168.0.0/24 and Site B - 192.168.10.0/24

On site B I run OPNSense firewall as ingress point. At both sites, I have Tailscale subnet routers on Linux devices with SNAT subnet routes set to false.

From Site B, I can access all devices under 192.168.0.x IP. No problem there. However, it stops working when I try to go the other way around. I can ping from Site A to Site B, but TCP connections get dropped at OPNSense firewall at Site B.

Site B: Subnet router 192.168.10.3, Gateway (OPNSense) 192.168.10.1

To deal with static routes, I created a gateway Tailscale_GW with IP 192.168.10.3 and set routes for networks 192.168.0.0 and 100.64.0.0 (Tailscale).

I added rules to Firewall : Rules : LAN and NAT Outbound as per Attachments

Every time a reverse proxy located at 192.168.0.20 tries to reach a Docker container at 192.168.10.10, the firewall denies the connection with the Default deny / state violation rule.

I'd appreciate any ideas.
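The following is an added illustration, not code from the thread or from OPNsense: a simplified model of the pf state tracking behind the symptom described above (ping works, TCP connections hit "Default deny / state violation") and of why the same-interface bypass setting from post #1 changes the outcome. Addresses are the ones given in the post; the firewall logic is a deliberately reduced model (one "allow any" LAN rule, TCP states created only on a pure SYN), not OPNsense's actual ruleset.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SITE_A = ip_network("192.168.0.0/24")   # reverse proxy at 192.168.0.20
SITE_B = ip_network("192.168.10.0/24")  # OPNsense .1, subnet router .3, container .10

@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # TCP flags: "S" for SYN, "SA" for SYN-ACK

@dataclass
class Firewall:
    """Simplified pf: a state table plus one 'allow any' LAN rule."""
    bypass_same_iface: bool = False
    states: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> str:
        flow = frozenset({pkt.src, pkt.dst, pkt.proto})
        if flow in self.states:
            return "pass (existing state)"
        if self.bypass_same_iface:
            # Static route whose gateway is on the inbound interface: pf skips filtering.
            return "pass (same-interface bypass)"
        # The allow rule creates TCP states only on a pure SYN (flags S/SA);
        # a SYN-ACK with no existing state does not qualify and hits the default deny.
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "block (Default deny / state violation)"
        self.states.add(flow)
        return "pass (new state)"

def traverses_opnsense(pkt: Packet) -> bool:
    """Site A -> Site B packets enter via the subnet router and are delivered on the
    same L2 segment, so OPNsense never sees them. Site B -> Site A replies go to the
    default gateway (OPNsense), which routes them back out the same LAN interface."""
    return ip_address(pkt.src) in SITE_B and ip_address(pkt.dst) in SITE_A

def handshake(bypass: bool) -> list:
    """Run the SYN/SYN-ACK of a proxy -> container connection, then a ping."""
    fw = Firewall(bypass_same_iface=bypass)
    pkts = [
        Packet("192.168.0.20", "192.168.10.10", "tcp", "S"),   # SYN, bypasses OPNsense
        Packet("192.168.10.10", "192.168.0.20", "tcp", "SA"),  # SYN-ACK via OPNsense
        Packet("192.168.0.20", "192.168.10.10", "icmp"),       # echo request
        Packet("192.168.10.10", "192.168.0.20", "icmp"),       # echo reply via OPNsense
    ]
    return [fw.inspect(p) if traverses_opnsense(p) else "pass (not via OPNsense)" for p in pkts]
```

`handshake(False)` reproduces the post's symptom (ICMP reply passes, SYN-ACK is blocked); `handshake(True)` shows every packet passing once the bypass is enabled.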