Topic: [Solved] Blocking some website's responses over IPsec Site-to-Site (Read 1327 times)
Wyrrrd (Newbie, Posts: 2, Karma: 0)
[Solved] Blocking some website's responses over IPsec Site-to-Site « on: August 04, 2021, 02:32:38 pm »
I am setting up a site-to-site IPsec between two OPNsense machines (21.7) and want to access the internet from a client in the LAN of A, while the internet access is located on B.
I followed the configuration tutorial at
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html
to establish the IPsec tunnel. For ease of use, I configured a rule on both machines' "IPsec" interface to allow everything inbound. A has a default route via the tunnel address of B, B has a route to the LAN of A via the tunnel address of A and a default route via the internet router. (Obviously, the tunnel addresses are configured gateways, as stated in the above tutorial.)
On A, I put a rule allowing access from LAN of A to all non-private IPs. The same is configured on B for LAN of B.
What bugs me now is that I can only reach some, but not all, websites from a client in the LAN of A (while all are accessible when I try connecting from A itself, so IPsec seems to work fine). The firewall log of A reports the requests passing, but the responses being blocked by "Default deny rule", completely ignoring my any-rule.
I cannot understand how google.com does not pass, but facebook.com does. Something must be different for those sites to be handled differently, but I cannot find the cause...
« Last Edit: August 26, 2021, 05:40:02 pm by Wyrrrd »
Wyrrrd (Newbie, Posts: 2, Karma: 0)
Re: Blocking some website's responses over IPsec Site-to-Site « Reply #1 on: August 26, 2021, 05:39:28 pm »
https://github.com/opnsense/core/issues/5156
Turns out it was a fragmentation error. Setting MSS to 1300 (and a corresponding MTU of 1340) on the LAN interface solved it.
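An added example (not from the thread or from OPNsense) showing how to verify that the MSS clamp from the reply is actually in effect: it parses the MSS option out of a TCP SYN and checks it against the 1300-byte limit, and derives that limit from the 1340-byte MTU assuming plain IPv4 and TCP headers with no options. The sample packet is constructed in the code.

```python
import struct
from typing import Optional

# Values from the thread: LAN interface MTU 1340 with the TCP MSS clamped to 1300.
LAN_MTU = 1340
CLAMPED_MSS = 1300
IPV4_TCP_HEADER_BYTES = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def mss_for_mtu(mtu: int) -> int:
    """Largest TCP MSS that fits an IPv4 packet of the given MTU (no IP/TCP options)."""
    return mtu - IPV4_TCP_HEADER_BYTES

def parse_syn_mss(packet: bytes) -> Optional[int]:
    """Return the MSS option advertised in an IPv4 TCP segment, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4        # TCP header length in bytes
    options = tcp[20:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP, single byte
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:       # MSS option: kind=2, len=4, 16-bit value
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None

def build_syn(mss: int) -> bytes:
    """Constructed sample: minimal IPv4 header plus a TCP SYN carrying only an MSS option."""
    tcp_len = 24  # 20-byte header + 4-byte MSS option
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 1, 10]), bytes([192, 0, 2, 1]))  # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, (tcp_len // 4) << 4, 0x02, 65535, 0, 0)
    return ip + tcp + struct.pack("!BBH", 2, 4, mss)

def syn_is_clamped(packet: bytes, limit: int = CLAMPED_MSS) -> bool:
    """True if the SYN carries an MSS that does not exceed the configured clamp."""
    mss = parse_syn_mss(packet)
    return mss is not None and mss <= limit

if __name__ == "__main__":
    for advertised in (1460, 1300):
        print(advertised, "clamped" if syn_is_clamped(build_syn(advertised)) else "NOT clamped")
```

Capture a SYN leaving the LAN interface (e.g. with tcpdump) and feed its bytes to syn_is_clamped; an MSS above 1300 means the clamp is not being applied on that path.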