IPSEC tunnel config changes Opnsense host IP in /etc/hosts

Started by minichaz, May 15, 2020, 02:04:51 AM

Hello. I hope everyone is safe and well at this troubling time. I'm so grateful for the functionality of Opnsense, thank you. :)

So this seems like a weird one to me but I cannot figure out how to stop it happening.

I have a LAN on 10.23.21.0/24 and a routed IPSEC tunnel into Azure. The tunnel IPs are 10.111.1.1 locally and 10.111.1.2 at the Azure end.

Opnsense is configured on the LAN as 10.23.21.1 and of course that's what I'd like opnsense locally to ping.

After adding the IPSEC tunnel recently though I became aware that suddenly the opnsense hostname was resolving to clients on the LAN as 10.111.1.1 (the IP of the local IPSEC tunnel end). Disabling the phase 2 IPSEC configuration returns things to normal.

After fiddling I finally found that the opnsense IP address is being changed in /etc/hosts. This doesn't seem right to me. For now I have used an override in DNSmasq to get local clients resolving opnsense to 10.23.21.1 again but really I'd like to get /etc/hosts back to normal.

Thanks so much and sorry if this is a dumb question or I've missed out something you need to know,
Charlie

So to be more precise... the change is happening on reboot. Looking at system.inc I think it probably relates to the order in which the interfaces returned by get_configured_interface_with_descr() are sorted by sort().

Any suggestions for more information I can provide do please let me know.

Charlie

I'm digging up this old topic in case anyone else runs into this edge case and finds this thread.

The 2nd line of the /etc/hosts file is generated with the IP address of the first interface when sorting by interface name (so LAN first, then OPTx, then WAN).

I have no LAN interface (only OPTs) and at some point removed OPT1 because it was not being used anymore. OPT2 is my primary "LAN" network. As a result, when I set up Wireguard, the interface was assigned OPT1, so it comes first in the system.inc sort() job mentioned by Charlie above and the Wireguard/VPN IP gets added to the hosts file.

Workaround that worked for me: I temporarily removed the Wireguard interface (you will lose the firewall rules), created a dummy interface that gets assigned opt1, then added back the Wireguard interface (now as opt5).
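Added here as an illustration, not code from OPNsense or from either poster: a small Python model of the ordering both posts describe (plain string sort of interface keys, first address wins), plus a check that reads /etc/hosts content and reports what the firewall's hostname resolves to, so the problem can be spotted after a reboot. Interface keys, addresses, hostname and the sample hosts text are constructed; that an interface with no address is skipped is an assumption of this model, not something the thread states.

```python
from typing import Dict, Optional

Interfaces = Dict[str, Dict[str, str]]


def pick_hosts_ip(interfaces: Interfaces) -> Optional[str]:
    """Address the second /etc/hosts line would carry, following the thread:
    interface keys are sorted as strings, so 'lan' < 'opt1' < 'opt2' < 'wan'.
    Note the string sort also puts 'opt10' before 'opt2'. Interfaces without
    an address are skipped (assumption made for this model)."""
    for key in sorted(interfaces):
        ip = interfaces[key].get("ipaddr")
        if ip:
            return ip
    return None


def hosts_entry(hostname: str, domain: str, interfaces: Interfaces) -> str:
    """The generated line: address, tab, FQDN, space, short hostname."""
    ip = pick_hosts_ip(interfaces)
    return "" if ip is None else f"{ip}\t{hostname}.{domain} {hostname}"


def resolve_in_hosts(hosts_text: str, hostname: str) -> Optional[str]:
    """Address that the given /etc/hosts content maps hostname to (first match)."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) > 1 and hostname in fields[1:]:
            return fields[0]
    return None


def hosts_matches_lan(hosts_text: str, hostname: str, lan_ip: str) -> bool:
    """Post-reboot check: does the firewall's hostname still map to the LAN address?"""
    return resolve_in_hosts(hosts_text, hostname) == lan_ip


# Constructed interface tables (keys and addresses are examples, not a real config).
BEFORE = {  # no 'lan' key; WireGuard landed on opt1, as in the second post
    "opt1": {"descr": "WireGuard", "ipaddr": "10.111.1.1"},
    "opt2": {"descr": "LAN", "ipaddr": "10.23.21.1"},
    "wan": {"descr": "WAN", "ipaddr": "203.0.113.10"},
}
AFTER = {  # after the workaround: addressless dummy on opt1, WireGuard moved to opt5
    "opt1": {"descr": "dummy"},
    "opt2": {"descr": "LAN", "ipaddr": "10.23.21.1"},
    "opt5": {"descr": "WireGuard", "ipaddr": "10.111.1.1"},
    "wan": {"descr": "WAN", "ipaddr": "203.0.113.10"},
}
# Constructed /etc/hosts content showing the symptom described in the thread.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n10.111.1.1\topnsense.example.lan opnsense\n"

if __name__ == "__main__":
    print(hosts_entry("opnsense", "example.lan", BEFORE))  # VPN address wins
    print(hosts_entry("opnsense", "example.lan", AFTER))   # LAN address again
    print(hosts_matches_lan(SAMPLE_HOSTS, "opnsense", "10.23.21.1"))  # False
```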