Gateway in Subnet

Started by unsumplex, October 05, 2020, 11:19:23 AM

Good morning everybody.

I am trying to connect two networks through a static route which is established via OpenVPN.
The gateway creating the VPN tunnel is in the "LAN" network, gets an IP address via DHCP like the other devices (MAC bound), and uses the OPNsense as gateway. The OPNsense has a static route to 192.168.30.0/24 via 192.168.10.30.
Now I am able to connect to and reach all devices on one side of the tunnel, but the other side cannot.

E.g. if I try to send an HTTP request from the device "computer" to "server 1", it will time out.
However, if I first send an echo request from "computer" to "server 1", it works fine, and for a short time, maybe 3-5 minutes, I am able to successfully send the desired HTTP request.

From the 192.168.10.0 network I am able to access devices in the 192.168.30.0 network without problems.

Is it possible that the problem is the OPNsense forwarding the packets back to the subnet they came from, to Gateway 1? But still, why do all echo requests work and other connections don't?

Does anyone have an idea, or has maybe experienced the same or similar issues?

So I have been working with packet capture on the OPNsense and tcpdump on the server.
It seems the request gets through to the server and the server replies too. However, the reply never reaches the client and a lot of retransmissions start occurring. Once I ping the server, a "redirect for host" is listed in the packet capture, and from that point on every connection to the server establishes successfully for some minutes. These connections are then sent directly to Gateway 1 instead of to the OPNsense.

Why is the static route only working for the ICMP requests?

Look up ICMP redirects. Your OPNsense box is probably telling the "Server" hosts "hey, you don't need to talk to me, you can talk to this other router directly."

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html
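The redirect mechanism ZPrime points at, as an added example that is not part of this thread and not OPNsense code: it builds the ICMP type 5 ("redirect for host", code 1) message a router emits when it forwards a packet back out the interface it arrived on, decodes it the way a capture tool would, and models the temporary host route the redirected host installs. Only 192.168.10.30 (Gateway 1) and the two /24s come from the thread; 192.168.10.1 as the OPNsense LAN address, 192.168.10.20 as "Server 1", 192.168.30.50 as "computer", and the 300 s route lifetime are assumptions made for the example.

```python
# Assumed addresses for this example (the thread only gives 192.168.10.30 and the /24s):
#   192.168.10.1 = OPNsense LAN, 192.168.10.20 = "Server 1", 192.168.30.50 = "computer".
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_REDIRECT = 5
REDIRECT_HOST = 1          # code 1: redirect datagrams for the host (tcpdump: "redirect ... to host")
IPPROTO_ICMP = 1


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options, header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_redirect(new_gateway: str, original: bytes, code: int = REDIRECT_HOST) -> bytes:
    """Router side (RFC 792): type 5, code, checksum, gateway address, then the
    offending datagram's IP header plus the first 8 bytes of its payload."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[:ihl + 8]
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(new_gateway)) + quoted
    csum = icmp_checksum(body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_redirect(icmp: bytes):
    """Decode an ICMP message: None if it is not a redirect, ValueError if it is corrupt."""
    if len(icmp) < 8 or icmp[0] != ICMP_REDIRECT:
        return None
    if icmp_checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    _, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    quoted = icmp[8:]
    if len(quoted) < 20:
        raise ValueError("redirect does not quote a full IP header")
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    l4 = quoted[ihl:ihl + 8]
    ports = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else None
    return {
        "code": code,
        "new_gateway": socket.inet_ntoa(gw),
        "orig_src": socket.inet_ntoa(quoted[12:16]),   # the host being redirected
        "orig_dst": socket.inet_ntoa(quoted[16:20]),   # destination the new next hop applies to
        "proto": proto,
        "ports": ports,
    }


def learn_redirect(cache: dict, redirect: dict, now: float, lifetime: float = 300.0) -> None:
    """Host side: install a temporary host route. 300 s is an assumed lifetime
    chosen to match the "3-5 minutes" the thread reports."""
    cache[redirect["orig_dst"]] = (redirect["new_gateway"], now + lifetime)


def next_hop(cache: dict, dst: str, default_gw: str, now: float) -> str:
    """Use the learned gateway while the entry is fresh, else fall back to the default gateway."""
    entry = cache.get(dst)
    if entry and entry[1] > now:
        return entry[0]
    return default_gw


def thread_scenario() -> dict:
    """Constructed data: an echo reply from Server 1 to the computer reaches the OPNsense,
    which routes it back out the LAN via 192.168.10.30 and redirects Server 1."""
    echo_reply = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 0x1234, 1)
    original = ipv4_header("192.168.10.20", "192.168.30.50", IPPROTO_ICMP, len(echo_reply)) + echo_reply
    redirect = parse_redirect(build_redirect("192.168.10.30", original))
    cache = {}
    learn_redirect(cache, redirect, now=0.0)
    return {
        "redirect": redirect,
        "hop_now": next_hop(cache, "192.168.30.50", "192.168.10.1", now=10.0),     # direct to Gateway 1
        "hop_later": next_hop(cache, "192.168.30.50", "192.168.10.1", now=400.0),  # back to OPNsense
    }


if __name__ == "__main__":
    print(thread_scenario())
```

To see the real thing rather than the constructed one, `tcpdump -ni <lan-if> 'icmp[icmptype] == icmp-redirect'` on the OPNsense shows the messages as they are sent. On FreeBSD (and therefore OPNsense) the sysctl `net.inet.ip.redirect` controls whether the router emits them at all, and on a Linux host `net.ipv4.conf.all.accept_redirects=0` stops the host from honouring them; either change removes the "works for a few minutes after a ping" behaviour without addressing the underlying asymmetric path.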

Quote from: ZPrime on October 06, 2020, 03:50:52 AM
Look up ICMP redirects. Your OPNsense box is probably telling the "Server" hosts "hey, you don't need to talk to me, you can talk to this other router directly."

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html

Thank you, I now understand why it works after the echo request.
But I still don't get why the OPNsense only reacts to these echo requests and not to other requests like HTTP.
Shouldn't these ICMP redirects also occur with other protocols?