Inverse rules don't seem to be working...

Started by Callahan, September 15, 2019, 04:12:58 PM

Or at least, not working the way I'd expect them to... :)

Basic setup

  • 2 OPNsense FWs at either end of a site-to-site VPN tunnel.
  • VPN tunnel is up and running, traffic routing without issue.
  • FW 1 has 3 GWs, the LAN, the WAN and an OpenVPN client GW used for IPVanish traffic on hosts defined in an alias.
  • FW 2 has a standard setup, 2 GWs - LAN and WAN.
  • FW 1 currently has a simple rule:
Protocol  Source     Port  Destination  Port  Gateway   Schedule  Description
IPv4 *    LAN net    *     *            *     *         *         Default allow LAN to any rule


  • FW 2 has a simple IPsec FW rule that allows all traffic into the local LAN:
Protocol  Source     Port  Destination  Port  Gateway   Schedule  Description
IPv4 *    *          *     LAN net      *     *         *         Allow to LAN

I want to adjust this rule to prevent everything on the LAN of FW 1 from accessing everything on the remote VPN network. I understand that the standard way of doing this is with IPsec rules at the other end of the tunnel. My question is, what if the far end of the tunnel has an IPsec rule that allows anything on the tunnel to reach their local LAN (as above), so I am forced to control the flow of my LAN traffic on FW 1? My expectation was that I could use an inverse rule, so something like this:

Protocol  Source     Port  Destination  Port  Gateway   Schedule  Description
IPv4 *    LAN net    *     ! IPsec net  *     *         *         Default allow LAN to any rule

However, this has no effect. Any device on my LAN can still ping any device on the other end of the tunnel. Again, I understand that the normal way of doing this is a rule at the far end but if I have no control over that FW's rules, I'm forced to control traffic at the source.
On every other FW I've used, inverse rules work as you'd expect them to. So essentially, the above says, allow anything from my LAN to anywhere it wants to go except the IPsec network(s).

What am I missing?

So it appears that the issue is the default gateway (or more specifically my lack of understanding about what OPNsense considers the "default" gateway).

Changing the LAN rules on FW 1 to the following has the desired effect (I've added my Mac in there for testing purposes)...

Protocol  Source     Port  Destination  Port  Gateway   Schedule  Description
IPv4 *    H_Macbook  *     *            *     *         *         test
IPv4 *    LAN net    *     ! IPsec net  *     WAN_DHCP  *         Default allow LAN to any rule


I assumed that OPNsense took the priority of the gateways and the lowest of those gateways was assigned as the default gateway. If that is the case, my gateways are set up as below:

Name                Interface   Proto  Priority  Gateway  Status
WAN_DHCP6 (active)  WAN         IPv6   254                Online
WAN_DHCP (active)   WAN         IPv4   254       X.X.X.X  Online
IPVANISH_VPN_VPNV6  IP_VAN_VPN  IPv6   255                Pending
IPVANISH_VPN_VPNV4  IP_VAN_VPN  IPv4   255       X.X.X.X  Online


So based on the fact that the main WAN gateway has the lowest priority, my assumption was that using the default gateway option in the original LAN rule should route the traffic through the normal WAN gateway, so why do I have to specify it explicitly to make this rule work?
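As an added illustration (not from the original thread, and not OPNsense's own code), the following Python model applies first-match rule evaluation with an inverted destination and a per-rule gateway to the rule sets posted above. The addressing, the host alias value and both routing tables are constructed; the remote LAN is modelled as a route even though policy-based IPsec actually uses the SPD. It shows what the inverse rule is meant to do and why pinning the gateway on a rule makes the egress independent of whichever gateway the system happens to treat as default. It does not reproduce whatever was letting tunnel traffic through on the poster's box with the gateway left at default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the two sites; the poster's real networks are not on the page.
ALIASES = {
    "*": ["0.0.0.0/0"],
    "LAN net": ["192.168.1.0/24"],      # FW 1 LAN
    "IPsec net": ["192.168.2.0/24"],    # remote (FW 2) LAN reached through the tunnel
    "H_Macbook": ["192.168.1.50/32"],   # host alias from the poster's test rule (value assumed)
}

# Two hypothetical kernel routing tables for FW 1. Policy-based IPsec really uses the SPD,
# not a route, but treating the remote LAN as a route is enough for this illustration.
ROUTES_WAN_DEFAULT = [("192.168.2.0/24", "ipsec_tunnel"), ("0.0.0.0/0", "WAN_DHCP")]
ROUTES_VPN_DEFAULT = [("192.168.2.0/24", "ipsec_tunnel"), ("0.0.0.0/0", "IPVANISH_VPN_VPNV4")]


@dataclass
class Rule:
    src: str
    dst: str
    gateway: Optional[str] = None   # None = the "default" gateway choice in the rule editor
    description: str = ""

    @staticmethod
    def _field_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
        # A leading "!" is the rule editor's "Invert" checkbox: match everything but the alias.
        negate = spec.startswith("!")
        name = spec.lstrip("! ")
        hit = any(addr in ipaddress.ip_network(n) for n in ALIASES[name])
        return hit != negate

    def matches(self, src, dst) -> bool:
        return self._field_matches(self.src, src) and self._field_matches(self.dst, dst)


def system_route(dst, routes):
    """Longest-prefix match, as the kernel does for a rule whose gateway is left at default."""
    best_net, best_gw = None, None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best_net is None or n.prefixlen > best_net.prefixlen):
            best_net, best_gw = n, gw
    return best_gw


def evaluate(rules, src, dst, routes=ROUTES_WAN_DEFAULT):
    """First matching rule wins (OPNsense rules are 'quick' unless unchecked); no match means
    the implicit default deny. A rule with an explicit Gateway is policy routing (pf route-to),
    so the egress is that gateway whatever the routing table says."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(s, d):
            egress = r.gateway if r.gateway else system_route(d, routes)
            return ("pass", egress, r.description)
    return ("block", None, "default deny")


# The rule sets from the thread, transcribed into the model.
INVERSE_ONLY = [Rule("LAN net", "! IPsec net", description="Default allow LAN to any rule")]
WITH_GATEWAY = [
    Rule("H_Macbook", "*", description="test"),
    Rule("LAN net", "! IPsec net", gateway="WAN_DHCP", description="Default allow LAN to any rule"),
]

if __name__ == "__main__":
    for name, rules in (("inverse only", INVERSE_ONLY), ("inverse + WAN_DHCP", WITH_GATEWAY)):
        print(name)
        print("  Mac -> remote LAN     :", evaluate(rules, "192.168.1.50", "192.168.2.10"))
        print("  other -> remote LAN   :", evaluate(rules, "192.168.1.20", "192.168.2.10"))
        print("  other -> Internet     :", evaluate(rules, "192.168.1.20", "203.0.113.7"))
        print("  ... if VPN is default :", evaluate(rules, "192.168.1.20", "203.0.113.7", ROUTES_VPN_DEFAULT))
```

In the model the inverted destination alone already blocks LAN hosts from the remote network, and Internet-bound traffic follows whatever the system default is; with `WAN_DHCP` set on the rule, Internet-bound traffic leaves via WAN even when the VPN client gateway is the system default, while the Macbook rule, with its gateway left at default, still reaches the tunnel through the routing decision.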

September 15, 2019, 05:30:01 PM #2 Last Edit: September 15, 2019, 05:34:45 PM by Callahan
Ok, so I'm clearly not understanding some integral part of this setup. Why does changing the LAN rule to this (specifying the IPsec net as the destination):

Protocol  Source     Port  Destination  Port  Gateway   Schedule  Description
IPv4 *    H_Macbook  *     IPsec net    *     *         *         Allow specific host to IPsec n/w


cause me to be unable to ping hosts on the other end of the tunnel? Why can I only get to them when I make the rule massively permissive?
What does IPsec net represent as a destination? My (I think natural) assumption here is that it's any hosts on the end of any IPsec tunnels. Clearly though that's not the case, so if anyone wants to enlighten me on this one, as well as how OPNsense chooses its default gateway, I'd be grateful :)