Topics - obrienmd

1. 17.7 Legacy Series / IPSec transport won't pass traffic - charon: 07[KNL] received invalid PF_ROUTE
« on: October 11, 2017, 01:02:28 am »
After struggling with zerotier performance, I'm getting back into running routing protocols over GRE, with IPSec in transport mode. I have a pair on 17.7 (no point upgrades) seemingly working fine, but with my boxes on the current 17.7.5 point release, with the same configs, I have a few pairs that get good SAs, SPs, but cannot pass any traffic and show the following in the log whenever a packet tries to go out:

    charon: 07[KNL] received invalid PF_ROUTE message

Searching for this ^ returns only a reference to the strongSwan source code :)

When I ping one WAN IP from another (leaving GRE out entirely), I get:
    ping: sendto: Permission denied

Does anyone have IPSec transport mode working on 17.7.5?

2. 17.7 Legacy Series / GRE over IPSec state issues
« on: October 11, 2017, 12:33:22 am »
Hi all - I was hoping that OPNsense would resolve this long-standing issue I've had on the pfSense side. Essentially, the firewall is unable to properly set states on traffic coming over a GRE tunnel that's using an IPSec transport. Here's the pfSense issue:

https://redmine.pfsense.org/issues/4479

Does anyone have stateful firewalling over GRE/IPSec(transport) working? It's possible I'm just missing something simple :)

3. 17.7 Legacy Series / Multi-WAN router-originated traffic
« on: August 15, 2017, 12:37:04 am »
Multi-WAN in OPNsense works perfectly, and makes perfect logical sense, from a LAN-originated traffic perspective:
  • Create the group
  • Create a policy route
  • Traffic goes out per the group's configuration depending on gateway health

However, for router-originated traffic (outbound VPN tunnel connections, outbound DNS queries, updates, etc.) failover doesn't seem to work. I recall being able to target router-originated traffic in floating rules in another FreeBSD-based firewall system, but I could be mistaken.

I'm curious about the deprecated "Gateway Switching" feature in Firewall > Settings > Advanced. That seems, from my reading, to suggest it would emulate the behavior of lower-end edge devices with Multi-WAN, which just change their system default gateway based on gateway health. In fact, if that's what it does, it removes policy routing as a requirement, which would be nice.

If this feature works like I expect it to, is there a reason it is deprecated? I suppose one question would be how we determine the priority of the gateways, as we'd want it to swap back to the "primary" when it's healthy again.

In my dream world, the default gateway for the system as a whole could be set as a gateway group, but I could be missing something massive.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved