How do I keep traffic coming in one gateway from going out the other?

Started by BasicUser7, October 07, 2019, 09:58:34 PM

I've got a firewall with multiple gateways: my ISP (default), and a second gateway, an OpenVPN tun interface (client connecting to a remote server).

I've configured the remote OpenVPN server to forward traffic from its public IP, through the VPN to my OpnSense box, which then forwards it to an internal server. Logging and packet captures show that traffic is reaching the internal server.

I've also configured OpnSense policy based routing (firewall rule on the interface for the internal server) and outbound NAT rules so that any traffic originating from the internal server IP address is sent out the OpenVPN gateway rather than the default gateway. Executing curl https://api.ipify.org/ on the internal server returns the OpenVPN Server's public IP. 8)

So far, this all works as expected. 

My problem is when the internal server responds to traffic coming in from the OpenVPN gateway.  The traffic comes through the gateway and arrives as expected at the internal server, but packet captures show that the response from the internal server is sent back out through the default gateway, rather than going out through the OpenVPN gateway.

Desired
public.yyy.zzz -> OpenVPN server -> OpnSense Vpn Client -> Internal Server -> OpnSense -> OpnSense Vpn Client -> OpenVPN server -> public.yyy.zzz

Actual
public.yyy.zzz -> OpenVPN server -> OpnSense Vpn Client -> Internal Server -> OpnSense -> Default Gateway -> public.yyy.zzz

My understanding is that traffic that arrives on one gateway should automatically be replied to via the same gateway.  What do I need to do to get responses to traffic on the OpenVPN gateway to go back out the same gateway?  Or - why does the default route get used for responses instead of the policy route?

Hey, did you ever resolve this? I am facing the exact problem also.

Best Regards

Quote from: BasicUser7 on October 07, 2019, 09:58:34 PM
My understanding is that traffic that arrives on one gateway should automatically be replied to via the same gateway. 
This is not how routing in IP works at all. All routing decisions are made per packet and solely based on the destination IP address unless some policy routing rules are present. This is a fundamental principle of IP and true across all routing platforms, not just OPNsense.

I agree that there should possibly be an option to apply your policy to the response packets for the incoming request.

I assume you use a port forwarding rule to direct the traffic to your internal server? Could you try using HAproxy instead, so you have two separate TCP connections instead of NAT? Possibly that works - I honestly don't know but think it's worth a try.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
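As an added illustration of the principle stated in the reply above (not code from either poster or from OPNsense), the following Python model performs a plain longest-prefix-match route lookup on the destination address, and only consults a source-based policy rule when one is present. The addresses, route names and gateway names are constructed for the example; the model covers only the per-packet lookup the reply describes and does not model the firewall's connection state table.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix this route covers
    gateway: str                    # name of the next hop for that prefix


@dataclass(frozen=True)
class PolicyRule:
    source: ipaddress.IPv4Network   # policy routing matches on the packet's SOURCE
    gateway: str


# Constructed routing table (hypothetical addresses, not taken from the thread).
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "isp_default"),       # default route via the ISP
    Route(ipaddress.ip_network("192.168.10.0/24"), "lan_direct"),  # internal LAN, directly attached
    Route(ipaddress.ip_network("10.8.0.0/24"), "ovpn_direct"),     # OpenVPN tunnel subnet
]

# Constructed internal server and a policy rule that says "anything sourced
# from the internal server leaves via the VPN gateway".
INTERNAL_SERVER = "192.168.10.50"
VPN_POLICY: List[PolicyRule] = [
    PolicyRule(ipaddress.ip_network(INTERNAL_SERVER + "/32"), "ovpn_gw"),
]


def lookup_route(dst: str, routes: Sequence[Route]) -> Optional[str]:
    """Ordinary IP forwarding: longest prefix match on the destination only."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).gateway


def select_gateway(src: str, dst: str, routes: Sequence[Route],
                   policy: Sequence[PolicyRule] = ()) -> Optional[str]:
    """Per-packet decision: a matching policy rule wins, otherwise the
    destination-based route lookup decides. The source address plays no
    role at all unless a policy rule is configured."""
    src_ip = ipaddress.ip_address(src)
    for rule in policy:
        if src_ip in rule.source:
            return rule.gateway
    return lookup_route(dst, routes)


def reply_gateway(client: str, server: str, routes: Sequence[Route],
                  policy: Sequence[PolicyRule] = ()) -> Optional[str]:
    """Gateway chosen for the server's response to a request from client."""
    return select_gateway(src=server, dst=client, routes=routes, policy=policy)


if __name__ == "__main__":
    remote_client = "198.51.100.7"   # constructed public address of the remote peer
    # Request arrives for the internal server: forwarded onto the LAN.
    print("request ->", lookup_route(INTERNAL_SERVER, ROUTES))
    # Response with no policy rule: destination lookup picks the default route,
    # regardless of which interface the request came in on.
    print("reply, no policy  ->", reply_gateway(remote_client, INTERNAL_SERVER, ROUTES))
    # Response with a source-based policy rule: the policy rule overrides.
    print("reply, with policy->", reply_gateway(remote_client, INTERNAL_SERVER, ROUTES, VPN_POLICY))
```

Running the block shows the two outcomes side by side: with only a routing table, the reply to a public address follows the default route because nothing in the lookup remembers the arrival interface; a source-matching policy rule is what changes that decision.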