Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Avoid Traffic between IPSec Tunnel
« previous
next »
Print
Pages: [
1
]
Author
Topic: Avoid Traffic between IPSec Tunnel (Read 2114 times)
smooth_81
Newbie
Posts: 6
Karma: 0
Avoid Traffic between IPSec Tunnel
«
on:
November 21, 2019, 01:51:47 pm »
is there a simple way to avoid traffic between S2S-tunnel?
we have a bunch of tunnel all connecting to a central site
VPN Setup ist always like this:
remote Site: 10.32.X.0/24
central Site: 10.0.0.0/8
this is needed because we have several non-continous Networks used in central site like 10.1.0.0/22 and 10.99.0.0/16 or similar
Now i need to restrict traffic only from remote site to central site and not between two remote sites.
Logged
lfirewall1243
Hero Member
Posts: 1386
Karma: 45
Re: Avoid Traffic between IPSec Tunnel
«
Reply #1 on:
November 22, 2019, 06:19:02 pm »
Create a Rule that just allows traffice from the remote Sites to the Networks you want to allow
Logged
(Unoffial Community) OPNsense Telegram Group:
https://t.me/joinchat/0o9JuLUXRFpiNmJk
PM for paid support
smooth_81
Newbie
Posts: 6
Karma: 0
Re: Avoid Traffic between IPSec Tunnel
«
Reply #2 on:
November 28, 2019, 09:12:19 am »
i thougt there was an easier way... Adding 600+ Rules is not the work i wanted to do
where do i implement those rules? On Interface IPSec oder LAN?
Logged
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: Avoid Traffic between IPSec Tunnel
«
Reply #3 on:
November 28, 2019, 09:27:35 am »
Hi,
by default there should no traffic be allowed from side 2 side over the central.
The Routing from the remote side shouldn't point into the IPsec Tunnel and the ruleset in the central firewall can be configured as needed.
If you work with ANY to ANY rules, that is not the way you should implement an firewall rule set.
Even with a lot of networks you can organize it quite well using aliases for the networks and only allow the traffic like you want it.
Regards,
Dominik
Logged
Twitter: banym
Mastodon: banym@bsd.network
Blog:
https://www.banym.de
smooth_81
Newbie
Posts: 6
Karma: 0
Re: Avoid Traffic between IPSec Tunnel
«
Reply #4 on:
December 14, 2019, 08:15:15 am »
I know that the Design of the VPN Network is not ideal, but on the other side there are plenty FritzBox Devices which are a paint to configure for vpn.
I can not use multiple phase2 SA for example. And my last test with two separate VPN to the same remote Site but different Phase2 IP networks did not work either
So my only option is to put the whole 10.0.0.0/8 in the Tunnel definition.
On Cisco ASA there is a Option to avoid or allow Traffic returning to the same Interface. Forcing packets to travel through the firewall and routing to a different interface.
I don't know if this is possible with opnsense too.
If a have to implement firewall rules to avoid the traffic between the vpn sites. Where do I have to put them? On Interface IPSec? Or on WAN? Or are these floating Rules?
And how will the performance be impacted with the number of rules counting up?
Even when using Aliases I will have to put around 400 Lines for 200 tunnel and we are still growing with around 600 tunnel in the end.
And we have another project in mind where we would need much more tunnel (will be another opnsense btw)
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Avoid Traffic between IPSec Tunnel