OPNsense Forum » Archive » 20.1 Legacy Series » Public IP range via a tunnel
Topic: Public IP range via a tunnel (Read 5426 times)
mxz (Newbie, Posts: 4, Karma: 0)
Public IP range via a tunnel « on: March 06, 2020, 04:45:16 am »
Hi,
I've only recently started using opnsense, but so far I'm super happy with it, it just works!
The issue I am having though is kinda interesting. I have a single WAN connection with the usual DHCP setup but I also have a small range of public IP addresses that get delivered to me over a tunnel. I have that range set up on its own internal interface (let's call it LAN2), and that seems to work well. From my LAN and from the other end of the tunnel, everything talks happily and mostly just works.
The problem though is when I get a request from the Internet at large. This comes over the tunnel, and the device on LAN2 receives it and responds but the response never makes it back to the sender. I believe it's because it's using the main Internet connection to route the traffic rather than sending it back down the tunnel. I tried creating a gateway for the IP at the other end of the tunnel, but I can't get it to work for my use case. If I allow incoming traffic on the tunnel interface and set the gateway to use the new tunnel gateway, the packets never make it to LAN2. I've tried splitting out the rules so that there's no "reply to" rule in the hope that I could approve the incoming traffic over the tunnel, but then explicitly allow incoming traffic from LAN2 and make it use the tunnel gateway, but alas that didn't work either.
So my question really is, what am I doing wrong? I can make this work easily in Linux by using multiple routing tables and doing policy based routing on the source IP but I don't think that's an approach that works with FreeBSD based stuff.
Can anyone give me any pointers?
Thanks in advance!
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #1 on: March 06, 2020, 07:36:28 am »
Hi,
There is another thread with the same problem (currently one below): "Return traffic for VPN going out over default gw instead of the VPN" (by ferryvanaesch).
Current solutions seem to be 1:1 NAT or double NAT (NAT from Firewall #1 to #2 to Server).
Maybe let's continue there in the other thread and combine our findings.
mxz (Newbie, Posts: 4, Karma: 0)
Re: Public IP range via a tunnel « Reply #2 on: March 06, 2020, 02:34:43 pm »
Hi,
I read that issue but I felt mine might be a little different as the problem is that the traffic coming in over the tunnel is from public IP addresses. Any traffic coming in from internal IP addresses works fine. I've also put a box on LAN2 and it gets a public IP address and the selection of the tunnel gateway as the outbound gateway works perfectly.
So far, my issue only exists for connections originating over the tunnel that have a public IP address as their source. I'm trying to figure out how to make sure that return traffic goes via the interface it came in on, or alternatively let me specify that any traffic from my public range uses the tunnel gateway (which will always be true) regardless of direction.
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #3 on: March 06, 2020, 04:20:30 pm »
Oh yes, one thing: if you set a manual route to a specific host (a VPS provider to test connections from outside), it will work. It is in the end a missing default route for that interface.
mxz (Newbie, Posts: 4, Karma: 0)
Re: Public IP range via a tunnel « Reply #4 on: March 07, 2020, 05:23:23 am »
Hmm, I added an "allow everything to everywhere" rule, and then was able to start pinging the devices from the outside. So I deleted that and my previous rules and went back through, making the rule more selective each time.
Currently the rule seems to be working fine (tested from a different location in case the firewall had remembered the previous session). Not sure what I did to make it work (or break it the first time round). Seems fine at the moment...
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #5 on: March 07, 2020, 09:20:34 am »
Did you add any NAT rule? I would also be interested in the rule you have now that makes it work.
Did you configure Gateways?
Does it still work after reboot? :-)
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #6 on: March 09, 2020, 10:05:17 am »
I have played around with this again yesterday and did some captures. When pinging from outside I can see the echo requests reaching the OPNsense firewall. What I cannot see is any kind of response going out, neither on the GRE nor on the physical WAN connection. It seems as if the firewall just ignores these. An HAProxy does not yield any response either (it was worth the try).
mxz (Newbie, Posts: 4, Karma: 0)
Re: Public IP range via a tunnel « Reply #7 on: March 12, 2020, 09:21:09 am »
Mine is still working nicely, even after a reboot (I applied the security upgrade this afternoon).
From what I can tell, all I had to do was set the default gateway for the interface on the interface itself, and then select that interface as the one to use in the firewall rule.
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #8 on: March 12, 2020, 02:06:58 pm »
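What mxz describes in reply #7 (a gateway defined on the tunnel interface, then selected in the rule that passes the inbound traffic) is, at the pf level underneath OPNsense, a reply-to on the inbound rule. The fragment below is an added illustration in pf.conf syntax, not the rules OPNsense generates and not anything posted in this thread; gre0, em2, the tunnel endpoint and the public range are placeholder values.

```pf
# Added illustration, not from the thread. All values are placeholders from
# the RFC 5737 documentation ranges:
#   gre0              tunnel interface carrying the public range
#   em2               the LAN2 interface hosting the public addresses
#   203.0.113.1       remote tunnel endpoint (the "tunnel gateway")
#   198.51.100.0/29   public range delivered over the tunnel
tunnel_gw  = "203.0.113.1"
public_net = "198.51.100.0/29"
tunnel_if  = "gre0"
lan2_if    = "em2"

# Weak form: a plain pass creates the state, LAN2 answers, but the reply is
# forwarded by the system default route (the DHCP WAN), so it never re-enters
# the tunnel. This is the symptom in the first post.
# pass in quick on $tunnel_if inet proto tcp from any to $public_net port 22 keep state

# Corrected form: reply-to pins the return direction of that state to the
# tunnel and its remote endpoint, independent of the default route. Selecting
# the tunnel gateway on the interface rule in the GUI has this effect.
pass in quick on $tunnel_if reply-to ($tunnel_if $tunnel_gw) inet proto tcp from any to $public_net port 22 keep state

# Forward direction: connections opened by LAN2 hosts must also leave via the
# tunnel, because their source is a public address the WAN provider does not
# route. route-to on the LAN2 inbound rule is the pf equivalent of the
# per-rule gateway mxz used for outbound LAN2 traffic.
pass in quick on $lan2_if route-to ($tunnel_if $tunnel_gw) inet from $public_net to any keep state
```

These rules cover forwarded traffic only; services bound to the firewall's own tunnel address are the separate problem optic tracks down later in the thread. To confirm the effect, check the loaded rules with pfctl -sr and, with a connection open, the state entry with pfctl -ss.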
Thanks, I will try that!
If by any chance you could share some screenshots, I would much appreciate it!
Edit: Can't get it to work. Traffic only comes in, but doesn't get out ...
« Last Edit: March 12, 2020, 03:17:14 pm by optic »
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #9 on: March 13, 2020, 09:40:28 pm »
Offering a 50€ bounty for a solution where I can tunnel IPv4 (or an IPv4 subnet) via OPNsense and a tunnel (GRE, OpenVPN, WireGuard or IPsec) from Location A to Location B (i.e. datacenter to home/company). The solution must include screenshots and working examples. The bounty can be paid directly as a donation to the OPNsense project or to the one who finds and shares a full solution/tutorial (put too many hours into this and it's probably a tiny problem ...)
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #10 on: March 15, 2020, 11:15:12 am »
So what I got working:
I can set up a tunnel over GRE with a gateway (upstream). With firewall rules (and outgoing NAT) I can set specific LAN clients to use that GRE gateway, which works fine!
DNAT to an internal target works, even to the firewall's own interface IP addresses!
What does not work:
I cannot ping the public IPv4 GRE interface address from the internet. SSH, the web admin and HAProxy are not usable for the routed IPv4.
It seems the only problem left is the inability of OPNsense itself to use the GRE interface IPv4 for its own services.
« Last Edit: March 15, 2020, 11:56:29 am by optic »
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #11 on: March 15, 2020, 05:15:34 pm »
The problem seems to be the same as this:
https://github.com/opnsense/core/issues/3783
optic (Newbie, Posts: 21, Karma: 3)
Re: Public IP range via a tunnel « Reply #12 on: March 15, 2020, 08:11:30 pm »
So one thing I found out:
if you set virtual IPs on the GRE and set the gateway as the remote endpoint's IPv4 address (in my case the WAN of a MikroTik router worked), you can use the virtual IPs for TCP. ICMP does not seem to work (working on that next).