Topics - ivica.glavocic

#1
I set up an IPsec site-to-site tunnel with OPNsense having a public IP and a NAT-ed Fortigate on the other side.
The Fortigate is behind an ISP router, its WAN has a private IP, and all necessary ports are forwarded from the ISP router to the Fortigate:

OPNSENSE (PUBLIC IP) ---- ISP (PUBLIC IP) --- Fortigate (Private IP)

With other devices, for the IPsec site-to-site tunnel to work, all it took was to set up the remote (FG) ID as its private IP.
With OPNsense I just can't make it work with the same configuration. The log says:

looking for peer configs matching OPNSensePublicIP[%any]...ISPPublicIP[FGprivateIP]
no matching peer config found

What am I doing wrong?
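Added example, not from the original post and not the configuration OPNsense generates: a minimal strongSwan swanctl.conf connection on the OPNsense side that matches the situation the log shows, where the Fortigate behind NAT identifies itself with its private WAN address while its packets arrive from the ISP router's public address. OPNsense renders its IPsec GUI settings into swanctl configuration, so the point is only which values the remote address and the remote identity need to hold. The addresses 203.0.113.10 (OPNsense), 198.51.100.20 (ISP router), 10.0.0.2 (Fortigate WAN), the subnets, the proposals and the PSK are placeholders.

```conf
connections {
    fortigate-site {
        version = 2
        # OPNsense's own public address
        local_addrs  = 203.0.113.10
        # IKE packets arrive from the ISP router's public address (source NAT),
        # so that is the remote address, not the Fortigate's private WAN address
        remote_addrs = 198.51.100.20

        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            # The Fortigate sends its private WAN address as its IKE identity,
            # which is what the log prints between the brackets after ISPPublicIP.
            # The identity is matched independently of the packet source address;
            # an address-shaped id is matched as an IPv4 address identity.
            id = 10.0.0.2
        }

        children {
            lan-to-lan {
                local_ts  = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = start
            }
        }
        proposals = aes256-sha256-x25519
    }
}

secrets {
    ike-fortigate {
        # The PSK is looked up by the identities of both ends,
        # so these must be the same ids as in the connection above
        id-1 = 203.0.113.10
        id-2 = 10.0.0.2
        secret = "replace-with-a-long-random-psk"
    }
}
```

The check to make against a "no matching peer config found" line is to read the two identities the log prints in brackets and compare them with the local and remote identities of the connection, not with the addresses: the bracketed value on the remote side is what the peer sent and is what the remote identity has to equal, while the remote address is where the packets come from. If the identity were instead set to the ISP router's public address, the lookup would fail exactly as in the log.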
#2
I created an OpenVPN instance and assigned the MyOpenVPN interface to ovpns1, set up firewall rules, and everything works.

There are still the OpenVPN firewall group and OpenVPN firewall rules that I don't need or use.

How can I get rid of those to have a clean administration of only the things that are really used?

I found info that the OpenVPN group is non-removable; can I hide it somehow?
#3
General Discussion / UI - firewall rules
September 18, 2025, 09:25:04 AM
Do you think that the UI for editing firewall rules could be enhanced in terms of visibility?

IMO there are 3 important segments of a rule: source info, destination info and action info. Grouping, or for example different colors for those segments, would result in better visibility.

For example, source direction is a candidate for the advanced screen; when can source direction be out?

For me, sometimes less is more, and visibility is better with less.
#4
OPNsense v25.7.2 with OpenVPN server v2.6.14. Full tunnel (Internet through OPNsense) is configured with Google TOTP and works OK. The OpenVPN TUN instance on UDP port 443 with the float and persist-remote-ip options is pushing block-outside-dns, register-dns and explicit-exit-notify to clients. Redirect Gateway on the instance is set to default. Firewall rules control access to internal resources and the Internet correctly.

For some users I would like to set up a split tunnel on the same OpenVPN instance, so I created client specific overrides with their own network and adequate firewall rules. For those users, access to internal resources works, but Internet traffic is still going through OPNsense; I cannot get a split tunnel for them no matter which option on Redirect Gateway I activate.

Any chance to get a split tunnel for specific users through client specific overrides?
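Added example, not part of the original post and not OPNsense's own generated configuration: the OpenVPN per-client directives that turn one user on a full-tunnel instance into a split-tunnel client. OpenVPN reads per-client settings from a client-config-dir file named after the client certificate's CN, and an OPNsense client specific override ends up as such a file; what matters for the question is that the server-wide push list still reaches the client unless it is filtered per client. The CN alice, the fixed tunnel address 10.8.0.50 and the LAN 192.168.10.0/24 are placeholders, and the ifconfig-push line assumes topology subnet.

```conf
# client-config-dir file for the client whose certificate CN is "alice" (placeholder)

# The instance-level push list (redirect-gateway def1, block-outside-dns, register-dns,
# explicit-exit-notify, ...) is sent to every client, including this one, unless it is
# filtered here. push-remove (OpenVPN 2.4 and later) drops every pushed option that
# starts with the given text, so neither the default route nor the Windows
# block-outside-dns rule is sent to this client.
push-remove "redirect-gateway"
push-remove "block-outside-dns"

# Optional: pin the client to a fixed tunnel address so firewall rules can match it
# (placeholder; it must lie inside the instance's tunnel network)
ifconfig-push 10.8.0.50 255.255.255.0

# Push only the internal network this user needs; all other traffic stays on the
# client's own default route
push "route 192.168.10.0 255.255.255.0"
```

Two caveats a practitioner would check. First, removing the push only changes what the client is told to do: a client can still add a default route through the tunnel on its own, so the firewall rules for that override's addresses remain the real control over Internet access, exactly as they are for the full-tunnel users. Second, with block-outside-dns no longer pushed, the client resolves names through its normal DNS path again, which is expected for a split tunnel but worth stating to the user.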
#5
On my OPNsense v25.1.11, ports 57776 and 57777 can't be forwarded to internal ports. NAT and related firewall rules are OK, and the ISP is not blocking them. Netstat did not show anything listening on those ports. Any idea why?