18.1 Legacy Series / Weird routing / gateway problem
« on: July 09, 2018, 12:47:03 pm »
I have two servers connected with a slow, but secure tinc bridge and a fast, but unencrypted VXLAN link.
Both servers have an OPNsense VM running.
I want to send specific traffic over the VXLAN and everything else over the tinc link. Because of stupid software design I cannot use separate IP addresses for this (that would be easy), I have to change routing depending on the packet.
Code:
[SRV1] 10.8.0.1 --- 10.8.0.241 [OPN1] 172.16.4.1 --- VXLAN --- 172.16.4.2 [OPN2] 10.8.0.242 --- 10.8.0.2 [SRV2]
   \                                                                                                    /
    ------------------------------------------- tinc bridged to LAN ---------------------------------------
I have created a firewall rule on the LAN telling OPNsense to use 172.16.4.2 as the gateway for packets with destination port 444.
This works. Packets appear on the OPN2 VXLAN interface with correct source and port. But the connection does not work.
What's weird is that OPN2 shows this in the firewall log:
Interface  Time             Source           Destination    Proto  Label
LAN        Jul 9 12:39:05   10.8.0.1:64796   10.8.0.2:444   tcp    let out anything from firewall host itself
VLAN       Jul 9 12:39:05   10.8.0.1:64796   10.8.0.2:444   tcp    USER_RULE
Why from the firewall host itself? It's clearly from another machine. Does OPNsense / pf get confused because the packets arrive at the "wrong" interface?
There are no drop log entries anywhere...
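The two log rows quoted above are the kind of thing worth catching automatically: the same 5-tuple logged on two interfaces in the same second, and a packet whose source is a LAN host matching the "let out anything from firewall host itself" rule. The following is an added example, not code from the original post or from OPNsense; it parses log lines in the column layout of the table shown (Interface, Time, Source, Destination, Proto, Label), groups them by flow, and reports both conditions. The sample lines and the set of addresses the firewall is assumed to own (taken from the diagram, OPN2's side) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the OPNsense firewall-log table
# quoted in the post. The third line is an added normal flow for contrast.
SAMPLE_LOG = """\
LAN Jul 9 12:39:05 10.8.0.1:64796 10.8.0.2:444 tcp let out anything from firewall host itself
VLAN Jul 9 12:39:05 10.8.0.1:64796 10.8.0.2:444 tcp USER_RULE
LAN Jul 9 12:39:07 10.8.0.1:64800 10.8.0.2:80 tcp Default allow LAN to any rule
"""

# Addresses the inspected firewall (OPN2) owns itself. Assumed from the diagram;
# adjust to the real interface addresses of the box whose log is parsed.
FIREWALL_ADDRS = {"10.8.0.242", "172.16.4.2"}

# One log row: interface, "Mon D HH:MM:SS", src:port, dst:port, proto, free-text label.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<label>.+)$"
)


def parse_log(text):
    """Parse log rows into dicts; rows that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        entries.append(row)
    return entries


def find_anomalies(entries, firewall_addrs=FIREWALL_ADDRS):
    """Return (flow, reason) findings.

    Two checks:
      1. the same proto/src/sport/dst/dport seen on more than one interface,
         which is what a policy-routed or asymmetrically routed flow looks like;
      2. a row matched by the firewall's own "host itself" rule although the
         source address is not one the firewall owns.
    """
    by_flow = defaultdict(list)
    for e in entries:
        flow = (e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        by_flow[flow].append(e)

    findings = []
    for flow, hits in by_flow.items():
        ifaces = sorted({h["iface"] for h in hits})
        if len(ifaces) > 1:
            findings.append((flow, "seen on multiple interfaces: " + ", ".join(ifaces)))
        for h in hits:
            if "firewall host itself" in h["label"] and h["src"] not in firewall_addrs:
                findings.append(
                    (flow, f"self-rule matched on {h['iface']} for non-firewall source {h['src']}")
                )
    return findings


if __name__ == "__main__":
    for flow, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        proto, src, sport, dst, dport = flow
        print(f"{proto} {src}:{sport} -> {dst}:{dport}: {reason}")
```

Run against a real export, the second check is the one that answers the poster's question directly: if a LAN source keeps matching the host-itself rule, pf is evaluating that packet as locally generated, so the next thing to look at is which interface the state was created on and whether the reply path goes back the same way.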