Issues with routing to different Subnet [solved]
Topic: Issues with routing to different Subnet [solved] (Read 1293 times)
WilliDriver
Newbie
Posts: 5
Karma: 0
Issues with routing to different Subnet [solved]
«
on:
February 08, 2024, 09:28:40 pm »
Hello,
Around two weeks ago an issue occurred for me that I have been unable to fix. At the time there were no changes made that I'm aware of.
I have my local OPNsense machine (now running 24.1, but the issue also occurred on 23.7) configured to subnet 192.168.5.0/24. And I have a WireGuard network, which has a VPS as a "master". This has the subnet 192.168.6.0/24 with .1 being said VPS. It is reachable via a gateway on 192.168.5.21, which is a Debian machine.
If I now try to access a web server on the VPS it works flawlessly. However, if I try accessing a local web server from the VPS, OPNsense appears to block it. Pings go through both ways with no issues. So I tried creating a rule for this traffic but I am unable to make it work.
I have tried many combinations, but none ended up working. I have attached pictures.
I hope somebody can tell me what I am doing wrong. Feel free to ask questions about details, since I am still a beginner.
«
Last Edit: February 10, 2024, 10:24:23 pm by WilliDriver
»
Logged
LOTRouter
Newbie
Posts: 38
Karma: 3
Re: Issues with routing to different Subnet
«
Reply #1 on:
February 08, 2024, 10:24:14 pm »
Why are you creating an out rule? Stateful firewalls like OPNsense work best with all rules as in rules.
Logged
Topton 4 x i225-v (Core i5-1135G7 * 32GB * 512SSD)
Xfinity Gigabit (1.2G Down * 200M Up)
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: Issues with routing to different Subnet
«
Reply #2 on:
February 08, 2024, 10:37:27 pm »
Hi,
sounds like an issue with asymmetric routing. Asymmetric routing happens if traffic is sent and received via different gateways. You could verify that with a packet capture and have a look at the MAC addresses coming in on the LAN interfaces for packets towards 192.168.6.x.
Did you create a routing table entry to route traffic to 192.168.6.0/24 via the gateway 192.168.5.21?
Did you set the default gateway for IPv4 on interface WAN (interface settings) to Auto-Detect?
The state validation rule indicates that you want to acknowledge a SYN request without having received the matching SYN request before. So chances are that 192.168.5.21 sent it to you directly while your OPNsense doesn't know what to do with it.
A cleaner and more reliable setup - if not terminating the WireGuard on OPNsense directly - is to set up a transfer LAN from OPNsense to your WireGuard gateway. Then asymmetric routing cannot happen and routes and rules are the only thing to take care of.
Logged
WilliDriver
Newbie
Posts: 5
Karma: 0
Re: Issues with routing to different Subnet
«
Reply #3 on:
February 09, 2024, 09:48:23 pm »
I am not aware that I created an out rule, since it says in. Or am I getting it wrong?
Yes, there was a route created, with the same importance as the default gateways.
I think the default gateway is auto detected.
It could be. Do you know why the computer could be responding towards OPNsense, despite the request coming from the gateway?
I'll try to make a separate network for WireGuard, sounds good. This was just how I found the guides on the internet.
I'd also be happy to make the OPNsense machine a wg-client, but the wg package always claims it's not maintained or similar.
Logged
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: Issues with routing to different Subnet
«
Reply #4 on:
February 10, 2024, 06:27:06 pm »
While a separate transfer net will save you a lot of pain, you could verify the assumption of asymmetric routing. That happens as the wg router is in your LAN segment and accesses the target in LAN directly. But the target sends its data to its default gateway and you end up in the wrong place.
Did you configure routes / gateway for the WireGuard router? I think I forgot to ask this in the first post.
Logged
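An added illustration of the asymmetric path described in the replies above (not code from the thread or from OPNsense): a simplified state-table model showing why the web server's SYN-ACK is blocked while pings still pass, and why moving the WireGuard gateway onto a transfer network fixes it. The web server address 192.168.5.50 and the transfer-net address 10.99.0.2 are assumptions, and the rule that TCP state is created only by a bare SYN is a simplification of stateful filtering.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.5.0/24")          # from the thread
VPS = "192.168.6.1"                          # from the thread
WEB = "192.168.5.50"                         # assumed local web server

class StatefulFilter:
    """Simplified model: a pass rule exists for LAN traffic, but TCP may only
    create state with a bare SYN; other protocols create it on any packet."""
    def __init__(self):
        self.states = set()

    def inspect(self, proto, src, dst, flags=""):
        flow = (proto, frozenset((src, dst)))
        if flow in self.states:
            return "pass (state match)"
        if proto != "tcp" or flags == "S":
            self.states.add(flow)
            return "pass (new state)"
        return "block (no state)"

def inbound_from_vps(wg_gw, proto, first_flags="", reply_flags=""):
    """VPS contacts WEB through the WireGuard gateway `wg_gw`.
    Returns the firewall's verdict on (request, reply)."""
    fw = StatefulFilter()
    if ip_address(wg_gw) in LAN:
        # Gateway and WEB share a segment: request is delivered on-link.
        request = "not seen (delivered on-link)"
    else:
        # Gateway sits on a transfer net: request is routed via the firewall.
        request = fw.inspect(proto, VPS, WEB, first_flags)
    # WEB has no route for 192.168.6.0/24, so the reply goes to its
    # default gateway (the firewall) in both layouts.
    reply = fw.inspect(proto, WEB, VPS, reply_flags)
    return request, reply

if __name__ == "__main__":
    for gw in ("192.168.5.21", "10.99.0.2"):   # shared LAN vs. assumed transfer net
        print(gw, "tcp ", inbound_from_vps(gw, "tcp", "S", "SA"))
        print(gw, "icmp", inbound_from_vps(gw, "icmp"))
```

In a real capture the same condition shows up as SYN-ACKs from the web server arriving on the firewall's LAN interface with no preceding SYN for that flow.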
WilliDriver
Newbie
Posts: 5
Karma: 0
Re: Issues with routing to different Subnet
«
Reply #5 on:
February 10, 2024, 06:44:47 pm »
I think it's that asymmetric routing causing my issue. I'll try and do a separate network for it, unless there is a separate way of getting WireGuard in OPNsense.
Yes, there is a gateway configured and routes to it as well, with the same priority as the WAN gateways.
Logged
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: Issues with routing to different Subnet
«
Reply #6 on:
February 10, 2024, 08:05:41 pm »
Well, you could define OPNsense as a wireguard endpoint.
BTW, I had a similar issue (another router in a segment). I got it solved:
https://forum.opnsense.org/index.php?topic=36744.msg179565#msg179565
- but also went with another transfer segment.
Logged
WilliDriver
Newbie
Posts: 5
Karma: 0
Re: Issues with routing to different Subnet
«
Reply #7 on:
February 10, 2024, 10:23:57 pm »
I have now just made my OPNsense box the WireGuard gateway, after I discovered that the WireGuard package is no longer needed, since it's part of the kernel.
This has solved the issue. Thanks very much for your time and effort. It was just me being inexperienced.
Logged