Mysterious "sendto: Permission denied"

Started by GaardenZwerch, February 16, 2022, 11:49:24 AM

Hi,
I have a weird behaviour somehow related to source NAT and route-based IPsec tunnels:

Networks A and B are behind an OPNsense box (22.1) and should access resources through a tunnel.

Network B should be NATted as Network A for this. The NAT itself works.

  • I can see the packets leaving through ipsec<X>
  • I can see that the source has been correctly replaced with an address from Network A
  • Packets really originating from Network A reach the other side
  • when I try to generate traffic on the firewall itself (*), I get sendto: Permission denied errors
  • when I temporarily pfctl -d, packets reach the other side
  • when I remove the outgoing NAT rule, packets reach the other side, with the undesired source address

I can't see anything related in pflog, even if I enable logging in the 'permit' rule.

How do I figure out what causes the 'permission denied'? IDS/IPS is disabled.

Thanks a lot,
Frank

(*) either using ping -S Network-A-Address, or using nc -vz -s
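
One way to narrow down which pf rule is responsible, as an added diagnostic example that is not from this thread or from OPNsense itself: pf reports a locally generated packet it drops on the outbound path back to the sending socket as "Permission denied" (which is why pfctl -d makes the error disappear), and a rule without the log keyword never shows up in pflog, so the per-rule packet counters from pfctl -vsr are the more reliable trace. The script below parses pfctl -vsr output and lists every block rule whose Packets counter is nonzero. The sample output embedded in sample_pfctl_vsr is constructed to resemble the pfctl -vsr format and is not from the poster's firewall; the interface name ipsec1 and the labels are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense.
# Intended use on the firewall (FreeBSD/OPNsense):
#     pfctl -z                      # clear per-rule statistics
#     ping -S <Network-A-address> <remote>   # reproduce the failing traffic
#     pfctl -vsr | hot_block_rules  # show block rules that counted packets

# Read `pfctl -vsr` output on stdin. Print "<packets><TAB><rule>" for each
# block rule whose Packets counter is greater than zero. Exit 0 if at least
# one such rule was found, 1 otherwise.
hot_block_rules() {
    awk '
        # A rule line starts in column 0; its counter lines are indented.
        /^block/           { rule = $0; next }   # remember block rules only
        /^[^ \t]/          { rule = ""; next }   # pass/match/etc: ignore
        /^[ \t]*\[ Evaluations:/ && rule != "" {
            pkts = 0
            for (i = 1; i <= NF; i++)
                if ($i == "Packets:") { pkts = $(i + 1); break }
            if (pkts + 0 > 0) { print pkts "\t" rule; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample in `pfctl -vsr` format (assumption: interface name,
# addresses and labels are invented for illustration).
sample_pfctl_vsr() {
    cat <<'EOF'
pass in quick on vtnet0 inet from 192.0.2.0/24 to any flags S/SA keep state label "allow LAN"
  [ Evaluations: 412       Packets: 9812      Bytes: 1044231     States: 3     ]
  [ Inserted: uid 0 pid 4211 State Creations: 41    ]
block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4211 State Creations: 0     ]
block drop out quick on ipsec1 inet from 192.0.2.0/24 to any label "no-snat-leak"
  [ Evaluations: 6         Packets: 4         Bytes: 336         States: 0     ]
  [ Inserted: uid 0 pid 4211 State Creations: 0     ]
EOF
}

# Stand-alone demo: prints the one block rule that actually dropped packets.
demo() {
    sample_pfctl_vsr | hot_block_rules
}

demo
```

Run pfctl -z first so that counters left over from unrelated traffic do not confuse the picture, then reproduce the failing ping or nc once and run the check. The rule line printed carries the interface and the label, which is enough to find the rule in the firewall configuration; if the only hit is a rule without the log keyword, that also explains why pflog stayed empty.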

Firewall : Settings : Advanced : Disable Force Gateway ticked?

Hello,
yes I tried both with and without this option.
Any other ideas?
Thanks,

Hm, I always was under the impression that SNAT doesn't work with route-based tunnels .. was this also working with 21.7?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

Hi,
No, this didn't work with earlier releases AFAIK.
I remember trying to SNAT before route-based IPsec on a different site, but I ended up with a different solution as I couldn't get it to work.

Quote from: mimugmail on February 17, 2022, 02:48:25 PM
Hm, I always was under the impression that SNAT doesn't work with route-based tunnels .. was this also working with 21.7?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
Hi Michael,
does this make sense:

sysctl net.enc.out.ipsec_filter_mask=0
sysctl net.enc.in.ipsec_filter_mask=0
sysctl net.enc.out.ipsec_bpf_mask=0
sysctl net.enc.in.ipsec_bpf_mask=0
sysctl net.inet.ipsec.filtertunnel=1
sysctl net.inet.ipsec6.filtertunnel=1

(found here https://www.reddit.com/r/OPNsenseFirewall/comments/ts86eh/ipsec_gateway_as_upstream_gateway/ )

I wrote about these values in the official FreeBSD bugtracker issue and was warned that when you mix routebased and legacy, one of them will break :/

Quote from: GaardenZwerch on February 16, 2022, 11:49:24 AM
Hi,
I have a weird behaviour somehow related to source NAT an route-based IPsec tunnels:
..

Maybe a block/reject rule at last position with Direction=out?