BGP -> OpenVPN -> OPNsense -> DMZ

Started by dfwtx, November 06, 2023, 05:03:24 AM

I am trying to get OPNsense to route all traffic from the DMZ out through OpenVPN. I get the traffic into the DMZ, but it routes through the default GW of OPNsense. I have tried many things: alias, floating rule, DMZ rule, WAN rule (not at the same time) that routes using the gateway of OpenVPN. I turned off NAT, as I don't need it; I am dealing with all static IPs. Here is the design I am trying. My eBGP routes come from a remote network pushing a /24 IPv4 and a /64 IPv6. I do iBGP from OPNsense, or I have even tried with just static routes over OpenVPN, same result. I assign the public IP, both .1 IPv4 and :1 IPv6, to the DMZ interface. I can ping the VM that is inside the DMZ by both IPv4 and IPv6, and it routes back to the eBGP router as it should, as long as the traffic is from the eBGP OpenVPN interface. But when it comes from the eBGP router using the public IP range that is routed to the OPNsense DMZ, the traffic gets to the VM and it replies, but the public traffic keeps going through the default gateway of OPNsense instead of the OpenVPN. What is the trick to get this working? I did this years ago and there was a trick. I did it 6 months ago with pfSense and it just worked, so I am confused. I have spent a week trying to get OPNsense to work. I even reinstalled, thinking I broke the firewall. So here is the design:

Note: I don't want it to NAT the source address to the interface (yes, I know this works). I need it to pass the assigned public IP that is on the VM; as it gets to the eBGP router, it will route it out to the Internet with the source being the public IP of the VM and the destination, or the other way around.

Internet -> eBGP <-> OpenVPN <-> OPNsense -> BGP or static route -> DMZ interface (has public IPs from eBGP routes or static) -> VM in DMZ (with both a public IPv4 and a public IPv6 address).

The VM gets traffic from the Internet, but outbound traffic goes through the OPNsense default gateway of the ISP, not through the OpenVPN as it should.

Thanks in advance