Topic: locally generated traffic not flowing into IPsec site-to-site tunnel (Read 5647 times)
skyflash (Newbie, Posts: 3, Karma: 0)
locally generated traffic not flowing into IPsec site-to-site tunnel
« on: January 12, 2021, 11:45:14 am »
Dear Forum,
New OPNsense user because I'm fed up with my EdgeRouter. So far, I'm mightily impressed. Most of my advanced stuff I was able to figure out myself, thanks to this forum and other pages on the net. But now I've hit a wall.
My setup:
Two sites. One with the OPNsense 20.7 (10.0.10.0/24), one still on an EdgeRouter (10.0.0.0/24).
IPsec site-to-site between the two so each LAN can access stuff on the other LAN.
Outgoing NAT via a fixed IP.
This works like a charm. What does not work is accessing stuff from the OPNsense on the other LAN via IPsec. So locally sourced traffic somehow does not find its way into the tunnel. I work around this on the console by setting --bind-address with fetch, for example
fetch --bind-address 10.0.10.1 http://10.0.0.20/files/blacklist.txt
But when I try to set up a URL Table Alias with a blacklist created on a central host, of course this fails because I cannot set an outgoing interface in the web interface. I want to do this primarily so I don't have to install and maintain the toolchain to create the blacklist on the firewalls, and because importing a local file into the URL Table Alias is also not trivial.
And I want to solve/understand the locally sourced traffic problem for good so I can also use the knowledge for other tools/cases.
For illustration, I did two fetches on the CLI, one with and one without the bind-address. As you can see in the first screenshot, the fetch without the bind goes out the Internet Interface (as it should according to the routing table) but does not get stuffed into the tunnel. The request with the bind-address goes over the IPsec interface.
This led me to the idea with an outgoing NAT. I set one up on the Internet WAN interface, told it to NAT 'This Firewall' sourced traffic with a destination of 10.0.0.0/24 and NAT it to the LAN address, see screenshot 2.
Lo and behold, the NAT worked (shot 3), but it does not go into the IPsec tunnel, but straight out to the Internet, as it seems. And there the packet dies a horrific death, I'd presume.
And now, my OPN-fu leaves me. Perhaps some kind soul can point me in the right direction to solve this. If you need anything else from settings or any table or log, I'll provide that gladly. And if a slap on the head helps to see a fundamental error in my thinking, please dispense that in ample portions.
And if I'm not in the right sub-forum, please move my entry.
Thank you very much for your help.
Simon
PS: 256k attachments in total is a VERY low bar...
Rolfieo (Newbie, Posts: 10, Karma: 0)
Re: locally generated traffic not flowing into IPsec site-to-site tunnel
« Reply #1 on: January 16, 2021, 03:53:02 pm »
You could try to create a routed IPsec tunnel. I think this solved the issue.
Another solution is to create a static route for the IP range and set the gateway to the LAN interface (or another one).
skyflash (Newbie, Posts: 3, Karma: 0)
Re: locally generated traffic not flowing into IPsec site-to-site tunnel
« Reply #2 on: January 18, 2021, 01:45:58 pm »
I'd rather first get it working with the tunnel, as I want to learn the platform.
Hmmm, I think I did what you told me, see the enclosed screenshots.
1. I added a Gateway, so I can choose that in the routes menu
2. added the route as suggested
3. traffic is blocked... maybe I need a firewall rule?
4. Added the rule on the IPsec interface (as this is what's said on the blocked screen in step 3)
But still, getting blocked. I am very sure that I have a knot in my head somewhere, but I don't know which part of this firewall I have not yet understood.
miken32 (Newbie, Posts: 12, Karma: 1)
Re: locally generated traffic not flowing into IPsec site-to-site tunnel
« Reply #3 on: March 18, 2021, 08:38:26 pm »
Curious if you were ever able to get this working? I'm in the same boat. I need to run a local BIND server on the OPNsense box, and it needs to talk to primary DNS on the other side of the tunnel.
The trick of adding a gateway and static route pointing to it has always worked for me on pfSense. I thought I remembered having to enable `net.inet.ip.redirect` in tunables as well, but that doesn't seem to change anything.
« Last Edit: March 18, 2021, 10:01:10 pm by miken32 »
miken32 (Newbie, Posts: 12, Karma: 1)
Re: locally generated traffic not flowing into IPsec site-to-site tunnel
« Reply #4 on: March 19, 2021, 04:19:40 pm »
OK, figured it out and got it working. Under advanced firewall settings, there's a checkbox labelled "Disable automatic rules which force local services to use the assigned interface gateway." Uncheck it and the OPNsense box can reach things on the other side of the tunnel.
skyflash (Newbie, Posts: 3, Karma: 0)
Re: locally generated traffic not flowing into IPsec site-to-site tunnel
« Reply #5 on: January 28, 2022, 09:43:12 am »
I already had that disabled. Not working.
Yesterday I had an epiphany.
I added another phase2 for the OpenVPN IP range. Then on the far firewall a rule for that range in the IPsec and LAN rulesets. And presto, it works.
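A small model of the mechanism behind the whole thread, added here as an example and not taken from any post: a policy-based IPsec tunnel only encapsulates a packet whose source and destination both fall inside one phase 2 selector pair, and for firewall-generated traffic the source is the address of the interface the route lookup picks. That is why the OP's fetch without --bind-address leaves via the WAN, why the static route from Reply #1 helps, and why the extra phase 2 in Reply #5 works. The WAN address 203.0.113.10, the OpenVPN range 10.8.0.0/24 and the routing tables are constructed assumptions, not the posters' configurations.

```python
from ipaddress import ip_address, ip_network

# Constructed phase 2 selectors for the thread's two sites: (local subnet, remote subnet).
PHASE2 = [(ip_network("10.0.10.0/24"), ip_network("10.0.0.0/24"))]
# Constructed extra phase 2 from Reply #5: an assumed OpenVPN range as a second local selector.
EXTRA_PHASE2 = (ip_network("10.8.0.0/24"), ip_network("10.0.0.0/24"))

# Constructed routing tables. Each entry is (prefix, address of the egress interface).
DEFAULT = (ip_network("0.0.0.0/0"), "203.0.113.10")   # default route out the WAN (assumed address)
LAN_HOP = (ip_network("10.0.0.0/24"), "10.0.10.1")    # Reply #1: static route via a LAN gateway
WAN_ROUTES = [DEFAULT]              # the OP's situation: only the default route matches 10.0.0.0/24
LAN_GW_ROUTES = [DEFAULT, LAN_HOP]  # after adding the static route


def matches_policy(src, dst, policies=PHASE2):
    """Model the kernel SPD lookup: return the selector pair that would tunnel src->dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in policies:
        if s in local and d in remote:
            return (local, remote)
    return None


def pick_source(dst, routes):
    """Model source-address selection for locally generated packets: longest-prefix route wins
    and the packet is sourced from that route's interface address (a default route must exist)."""
    d = ip_address(dst)
    best = max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def would_tunnel(dst, routes, policies=PHASE2):
    """Return (chosen source address, whether the packet enters the tunnel)."""
    src = pick_source(dst, routes)
    return src, matches_policy(src, dst, policies) is not None


if __name__ == "__main__":
    # Without the static route the source is the WAN address and no selector matches.
    print(would_tunnel("10.0.0.20", WAN_ROUTES))       # ('203.0.113.10', False)
    # Binding to the LAN address (the OP's fetch workaround) matches the selector directly.
    print(matches_policy("10.0.10.1", "10.0.0.20"))
    # The static route makes the kernel pick the LAN address, so the policy matches.
    print(would_tunnel("10.0.0.20", LAN_GW_ROUTES))    # ('10.0.10.1', True)
    # An OpenVPN-sourced packet needs its own phase 2 before it can match.
    print(matches_policy("10.8.0.1", "10.0.0.20"), matches_policy("10.8.0.1", "10.0.0.20", PHASE2 + [EXTRA_PHASE2]))
```

The NAT attempt in the original post fits the same model: a source rewrite applied on the WAN interface does not change which route and source the kernel already chose, so the selector check still fails and the packet leaves in the clear.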