OPNsense Forum » Archive » 21.1 Legacy Series
Topic: NAT for inbound IPSec traffic results in only partial "Pass" rule evaluation (Read 2017 times)
radderz, on February 02, 2021, 10:03:57 pm:
I have a firewall hosted in Azure, and I have IoT device ingress traffic through VTI Tunnels using BGP for the routing.
The Port Forward rules are correctly showing as working, but the firewall is blocking some of the traffic with "Default Deny Rule". This could be either loss of states or an issue with the rules, but even with an ANY/ANY type rule (just for testing) the devices still show up as blocked in the firewall log.
I have read a lot through the forums on this, but everyone's issues appear different. The devices are on an IPSec tunnel with a total round-trip ping time of around 300 ms, so it's quite high latency. We are seeing most of the traffic go through, but the devices are definitely struggling to make and hold a connection.
We are trying to move to OPNsense from a pair of pfSense appliances that split the IPSec/BGP role and the NAT role, with the IPSec/BGP appliance routing all the device traffic to the other appliance, which then processes the NAT. That setup works.
radderz, Reply #1 on February 02, 2021, 10:09:27 pm:
Here is a snip from the log, which shows the NAT worked: traffic from the internal device IP range of 10.0.32.0/19 is trying to send data to 172.17.0.1:8021 and is showing up as blocked when port forwarded to 52.xxx.xx.xx:8021, so I think the port forwarding part is working.
However, the routing or the firewall is blocking the traffic, or the states are failing, or something else is causing the connections to fail rapidly. Since the devices are on high-latency connections and send their data quite slowly, the devices fail to keep up with their queued data in real time.
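Why the log line in the reply above shows the translated destination (172.17.0.1:8021) rather than the public address the device sent to: in pf, rdr (port forward) translation is applied before the filter rules are evaluated, so the pass rule has to match the post-NAT destination, and a block logged by the default deny is logged with that post-NAT destination. The pf.conf fragment below is an added illustration and is not from the post or from OPNsense's generated ruleset; the interface name ipsec1, the public address 52.0.0.2 and the macro names are assumptions. It shows the point of evaluation order only, and does not claim to explain this thread's remaining failures (the poster reports blocks even with an ANY/ANY rule).

```pf
# Assumed values (not from the post): VTI interface ipsec1, public IP 52.0.0.2,
# backend 172.17.0.1, device range 10.0.32.0/19 as given in the thread.
pub_ip  = "52.0.0.2"
vti_if  = "ipsec1"
backend = "172.17.0.1"
devices = "10.0.32.0/19"

# Port forward: rewrite 52.0.0.2:8021 -> 172.17.0.1:8021 for traffic arriving on the VTI.
# Translation happens before the filter rules below are consulted.
rdr on $vti_if inet proto tcp from $devices to $pub_ip port 8021 -> $backend port 8021

# Wrong: a pass rule written against the pre-NAT destination never matches,
# because by the time filtering runs the packet is already addressed to $backend.
# The default deny then logs "10.0.32.x -> 172.17.0.1:8021 block", exactly the
# shape of line the reply describes.
# pass in on $vti_if inet proto tcp from $devices to $pub_ip port 8021

# Right: match the translated destination (this is what OPNsense's
# "Filter rule association" option on a port forward generates for you).
pass in on $vti_if inet proto tcp from $devices to $backend port 8021 keep state
```

When reading "Default Deny Rule" entries for forwarded traffic, compare the logged destination with the port forward's target, not with the public address; if they agree, the rdr fired and the question becomes which pass rule should have matched the translated flow on that interface.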
radderz, Reply #2 on February 02, 2021, 10:12:21 pm:
I guess the main question here is: do I need a double-appliance setup like I have with pfSense, or should this be a supported setup within OPNsense? I moved to OPNsense as it is on a newer FreeBSD, which is supposed to support NAT on traffic through a VTI tunnel.