[SOLVED] Help needed: Asymmetric Routing

Started by Kornelius777, April 17, 2024, 03:48:58 PM

April 17, 2024, 03:48:58 PM Last Edit: April 17, 2024, 04:21:11 PM by Kornelius777
Dear all,

Inside my LAN, there is a wireguard server (connecting to other sites, of course).
My OPNsense knows about the route.

Now, if I access one of my Cloud Servers (using my PC), the outgoing connection will go via the OPNsense:

laptop:~$ tracepath -n 10.20.50.7
1?: [LOCALHOST]                      pmtu 1412
1:  192.168.150.1                                         1.284ms
1:  192.168.150.1                                         1.047ms             <--- OPNSense
2:  192.168.150.150                                       1.585ms asymm  1    <--- wireguard server LAN Interface
3:  10.20.50.1                                           25.557ms asymm  2
4:  10.20.50.7                                           25.343ms !H
     Resume: pmtu 1412


However, the way back into the LAN does NOT go via the OPNsense:

cloud-server-1:~# tracepath -n 192.168.150.205
1?: [LOCALHOST]                      pmtu 1280
1:  10.20.50.1                                            0.700ms
1:  10.20.50.1                                            0.591ms
2:  10.20.50.3                                           22.306ms      <--- Wireguard Server wg0 Interface
3:  192.168.150.205                                      23.537ms reached
     Resume: pmtu 1280 hops 3 back 3


Since OPNsense doesn't see the incoming traffic, the State Table will close any SSH connection after 15 minutes (Firewall Optimization is set to "conservative"). I call this situation "sub optimal".

Is anybody kind enough to give me a hand?
How can I get around this situation?

Is there a way to tell OPNsense "If traffic is going this way (10.20.50.0/24), never close the connection"?

At the moment, I am a little bit clueless...

Kind regards!
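An added check, not part of the original post, that parses the two tracepath outputs quoted above and reports whether the stateful firewall (assumed here to be the OPNsense LAN address 192.168.150.1 from the first trace) sits on both the forward and the return path; if it does not, its state table never sees the reply packets and idle sessions will be expired exactly as described.

```python
import re

# Matches tracepath hop lines like "2:  192.168.150.150   1.585ms asymm  1"; "1?: [LOCALHOST]" does not match.
HOP_RE = re.compile(r"^\s*\d+:\s+(\d+\.\d+\.\d+\.\d+)\s+[\d.]+ms(?:\s+asymm\s+(\d+))?")

def parse_hops(output):
    """Ordered distinct hop addresses plus any 'asymm N' flags tracepath printed.
    tracepath probes hop 1 twice, so consecutive duplicates are collapsed."""
    hops, asymm = [], {}
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        addr, flag = m.groups()
        if not hops or hops[-1] != addr:
            hops.append(addr)
        if flag is not None:
            asymm[addr] = int(flag)
    return hops, asymm

def check_symmetry(forward, reverse, firewall):
    """Flag is True only if the stateful firewall appears in both traces; otherwise
    its state table never sees the return packets and idle SSH sessions expire."""
    fwd_hops, fwd_asymm = parse_hops(forward)
    rev_hops, rev_asymm = parse_hops(reverse)
    return {
        "forward_path": fwd_hops,
        "reverse_path": rev_hops,
        "asymm_flags": {**fwd_asymm, **rev_asymm},
        "firewall_sees_both_directions": firewall in fwd_hops and firewall in rev_hops,
    }

# The two traces quoted from the post above; the OPNsense LAN address is assumed to be 192.168.150.1.
FORWARD = """\
1?: [LOCALHOST]                      pmtu 1412
1:  192.168.150.1                                         1.284ms
1:  192.168.150.1                                         1.047ms
2:  192.168.150.150                                       1.585ms asymm  1
3:  10.20.50.1                                           25.557ms asymm  2
4:  10.20.50.7                                           25.343ms !H
"""
REVERSE = """\
1?: [LOCALHOST]                      pmtu 1280
1:  10.20.50.1                                            0.700ms
1:  10.20.50.1                                            0.591ms
2:  10.20.50.3                                           22.306ms
3:  192.168.150.205                                      23.537ms reached
"""
```

Running `check_symmetry(FORWARD, REVERSE, "192.168.150.1")` shows the firewall only on the forward path, which is the asymmetry behind the expired SSH states.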

Answering my own question:

mimugmail posted a short but effective answer (https://forum.opnsense.org/index.php?topic=34815.msg168643#msg168643) , saying:
Quote: In GUI set the filter rule, at the bottom tick advanced, scroll down, "keep state" to none

Indeed, this solved my troubles.

Chapeau! Thank you, mimugmail!

Since stateful filtering is a reasonable setting, why don't you activate keepalive for the SSH connection?

In .ssh/config place:

Host *
  ServerAliveInterval 30