Policy routing not working on replies (works on host-initiated traffic)

Started by ybizeul, December 10, 2020, 09:57:59 AM

Another thread for that same issue https://forum.netgate.com/topic/146704/policy-routing-via-openvpn-uplink/3?_=1607793462725

Basically, "reply-to", which makes traffic go back out the interface it came in on, does not work for virtual interfaces, and it's a known OpenBSD problem. It will always go back via the default route.


What NAT would that be, you think?

I understand one of the solutions that is often explained is to NAT on the other side, so the tunnel address is put in place of the actual source IP, but that's not something I want to do because the service would then only see one IP address for all the users instead of the actual clients. In this case, that's a mail server, so it is important to have the actual client IP for anti-spam.


If you're talking about assigning an interface per VPN configuration (client or server), then no, it doesn't seem to be related. I have the same issue whether or not I use that.

In the final config with a dedicated OPNsense server I keep using it.


So the posts I found are inaccurate, you think?

Especially the one saying:

Quote:
This happens because the "reply-to" option also does not work on pfSense for virtual interfaces (e.g. OpenVPN, VTI, ...).
The traffic that came in through the virtual tunnel will never return through the same gateway.
The solution to this problem is to use outbound NAT for this traffic on the other end of the tunnel.

The link you quoted is only for port forwards inside the VPN. What you have is OPNsense as OpenVPN client and an OpenVPN server outside, used as site-to-site. This is a common setup and works in both directions when correctly configured.

I don't think my configuration is that common, and they do port forwarding like I do SNAT; exactly the same thing in the end.

The point is that Site B of the VPN gets connections from the internet through the tunnel, and replies *must* go through the same path; if they go back out Site B's internet, it won't do.

FreeBSD apparently has the limitation that reply-to for virtual interfaces (VPNs) isn't functional, so unless there is a route that sends the packets through the VPN, it doesn't seem possible to achieve. And I cannot set up such a route because the reply-to address can be any public IP: it has to be the default route, which means a dedicated OPNsense has to be set up.

This user had another shot at it:

Quote

[Internet] ----(WAN)---- [Firewall DC1]
                      |
                      |
                 (IPSEC VTI)
                      |                       
                      |
[Internet] ----(WAN)---- [Firewall DC2]
                               |
                               |
                       (Transit Network)
                               |
                               |
                         [Internal LAN]   -------  [Web Servers]

Hi,
This is a known PF problem, and it has been discussed here many times. Via virtual interfaces (VTI, GRE, OpenVPN, ...) the "reply-to" function does not work. Therefore, all external traffic will ALWAYS return through the default gateway of DC2 (WAN interface of DC2). To solve this problem you need to:
use outbound NAT on the VTI interface of DC1 for all external traffic that is forwarded to the web server (DC2 side),
or change the default gateway to the VTI towards DC1 (DC2 side).

I'm sorry if it looks like I'm trying to be a smart a**, I'm not, but I'm pretty confident now, and it would take a lot of my time to recreate the configuration and it's just not worth it!
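As an added illustration of the two workarounds in the quoted post (this is editorial example configuration, not posted by anyone in this thread and not OPNsense's own generated rules), here is a FreeBSD pf.conf fragment for the DC1 firewall of the quoted diagram. Every interface name and address in it is an assumption chosen for the example: `em0` as the DC1 WAN, `ipsec0` as the VTI towards DC2, `10.255.0.0/30` as the VTI transit net, and `10.0.0.10` as the web server behind DC2.

```pf
# Added example, not from this thread. Assumed topology (see the quoted diagram):
#   Internet -> DC1 WAN (em0) -> VTI (ipsec0, transit 10.255.0.0/30) -> DC2 -> 10.0.0.10
ext_if  = "em0"          # DC1 WAN interface (assumed)
vti_if  = "ipsec0"       # VTI towards DC2 (assumed if_ipsec name)
web_srv = "10.0.0.10"    # web server on the DC2 LAN (assumed)

# Translation rules first, as pf requires: forward inbound HTTPS that arrives on
# DC1's public address to the web server behind DC2.
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $web_srv

# Without the rule below the client IP is preserved, but DC2 would then need a
# "pass in on <vti> reply-to (<vti> 10.255.0.1) ..." rule to push replies back
# into the tunnel, and as discussed above reply-to is not honoured on virtual
# interfaces: DC2 sends the replies out its own WAN and the handshake fails.
#
# Workaround 1 from the quoted post: outbound NAT on the VTI. The web server
# now sees DC1's tunnel address (10.255.0.1) as the source, which is on DC2's
# transit net, so DC2 routes the replies back into the tunnel without any
# reply-to. Cost: the real client IP is lost, which is the OP's objection for
# a mail server.
nat on $vti_if from any to $web_srv -> ($vti_if)

# Filter rules: accept the forwarded connection on the WAN and let it leave
# over the VTI; the state entries carry the replies back through rdr/nat.
pass in  on $ext_if proto tcp from any to $web_srv port 443 keep state
pass out on $vti_if proto tcp from any to $web_srv port 443 keep state

# Workaround 2 from the quoted post is a routing change on DC2, not a pf rule:
# make DC2's default route point at DC1's VTI address (e.g. on DC2,
# "route change default 10.255.0.1"), so every reply to a public address goes
# into the tunnel. That keeps the client IP but, as the OP notes, it means all
# of DC2's internet-bound traffic now transits DC1.
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -s state` on DC1 should show each forwarded connection twice: once on `em0` with the client's public address and once on `ipsec0` with `10.255.0.1` as the translated source.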