Topics

1

General Discussion / Ping from firewall over IPSEC

« on: January 10, 2019, 12:17:13 pm »

I have a functioning IPSEC-tunnel up running on an OPNsense 17.7.4, and traffic between machines on either side is running perfectly.

I want to use an LDAP-server on the remote side of the IPSEC tunnel for authentication (for incoming openvpn roadwarrior clients). When I try to set this up as a server in OPNsense menu, there is no response from LDAP server. I then tried to ping the server from the OPNsense - no reply.
Doing ping or LDAP from any client on the LAN-side of the OPENsense - works fine.

What on earth could I be missing ??

2

General Discussion / One-to-one NAT or just port forwarding

« on: October 03, 2017, 09:30:29 pm »

I have seen variations of this question, but I really cannot see that hey have been answered to a degree that I can understand how to set it up.

I have a /27 of public addresses say 199.199.199.34 .. .62
On the inside I use 10.10.10.0/24.

I have some servers running on the inside, and need to expose various ports on public IPs.
First off ; am I better off using Port forwarding, or one-to-one NAT and fw-rules ?
It seemed the port forwarding worked fine until I had 3-4 rules with some of the same ports (but on different public IPs of course) - then it just didnt work like I thought.

If I need to use one-to-one NAT - can someone please give me a blow-by-blow ? I cannot wrap my head around it.

3

General Discussion / Is Proxy ARP the solution..?

« on: September 30, 2017, 01:03:33 pm »

Current firewall is getting old, and I am planning to switch it with a computer running OpnSense.
I have one issue that I cannot seem to find an answer to ;
Our LAN is 10.10.11.0/24 and we are connected to a service we use through IPSEC, and the remote network is 10.1.1.0/24.

Here is the snag : the old Sonicwall set aside a few addresses in the LAN-segment for road-warriors connecting with SSL-VPN - and the remote network only knows that 10.10.11.0/24 is available though the tunnel.
I want to use OpenVPN road warrior setup, but the setup requires a separate (virtual?) subnet for these connections - meaning roadwarriors will have addresses outside of the LAN. If I can't change or add the routing on the remote side - how can I either ;
a) assign roadwarriors IPs from the LAN-segment (ideally using DHCP-relay to another server) ?
b) make traffic from roadwarriors seem like it comes from LAN-IPs when they in fact do not.

My instinct tells me to look closer at ProxyARP, but I am not sure, and I cannot seem to find thorough docs on the subject.

Does anyone have ideas as to the solution, and does anyone know some good examples and documentation for proxy-arp ?

========
Alf