OPNsense
Topics - criiser

1
17.1 Legacy Series / How do I know what gateway the traffic is using?
« on: April 26, 2017, 08:02:32 am »
So; I have set up the FW for a basic two interface setup. WAN and LAN and adding an OpenVPN client setup to VPN Provider.

Created rules in the LAN for 53/80/443 to push via OPT4_VPN4 (VPN interface) and another rule under that with * to WAN_DHCP.

Added nat rules for the LAN network to the opt4 as well as the WAN one.

So: Basic - it works. All 80/443 traffic is pushed out the VPN and using "whats-my-ip" reveals the proper VPN IP that I use.

Now comes the harder part. So, father of 3 - Online Gaming requires low latency - something that VPN providers MIGHT not be the best solution for. Hence the * rule.

BUT - how can I verify that the other traffic is using the proper WAN_DHCP and not the OPT4_VPN4?

/C/

2
17.1 Legacy Series / SUGGESTION - NAT log
« on: March 27, 2017, 05:06:34 pm »
Running:
OPNsense 17.1.3-amd64
FreeBSD 11.0-RELEASE-p8
OpenSSL 1.0.2k 26 Jan 2017
On VMware.

I've enabled on ALL (Manual outbound NAT rule generation) my NAT rules the log option.

Likewise on the FW rules in question. LOG log and LOG.

So on the Firewall -> Log Files -> Normal View

I see two rows (For this example DNS query):

Accept - OUT - WAN - WANIP:19763 - 8.8.8.8:53
Accept - IN - LAN - 10.0.0.1:36546 - 8.8.8.8:53

So, my dilemma. When troubleshooting NAT, searching for the LAN IP shows only the last entry, and not when the traffic is leaving the FW. Now in this setup/demo, only one NAT rule. However, I have more interfaces that are being used for NAT. "OpenVPN Clients FTW!" - making it cumbersome to diagnose and troubleshoot NAT.

Suggestion:

Add to outlog (10.0.0.1:36546) if natted exit. So the log would look like:

Accept - OUT - WAN - WANIP:19763 (10.0.0.1:36546) - 8.8.8.8:53

Easy visibility that both the NAT rule is working AND the ruleset is allowing the traffic. Maybe even #index of the rule it matches?

Or is this already in here somewhere - I'm just missing a toggle?

Br, Christian



