locally generated traffic not flowing into IPsec site-to-site tunnel

Started by skyflash, January 12, 2021, 11:45:14 AM

Dear Forum,

New OPNsense user because I'm fed up with my EdgeRouter. So far, I'm mightily impressed. Most of my advanced stuff I was able to figure out myself, thanks to this forum and other pages on the net. But now I've hit a wall.

My setup:

Two sites. One with the OPNsense 20.7 (10.0.10.0/24), one still on an EdgeRouter (10.0.0.0/24).
IPsec site-to-site between the two so each LAN can access stuff on the other LAN.
Outgoing NAT via a fixed IP.

This works like a charm. What does not work is accessing stuff from the OPNsense on the other LAN via IPsec. So locally sourced traffic somehow does not find its way into the tunnel. I work around this on the console by setting --bind-address with fetch, for example:
fetch --bind-address 10.0.10.1 http://10.0.0.20/files/blacklist.txt

But when I try to set up a URL Table Alias with a blacklist created on a central host, of course this fails because I cannot set an outgoing interface in the web interface. I want to do this primarily so I don't have to install and maintain the toolchain to create the blacklist on the firewalls, and because importing a local file into the URL Table Alias is also not trivial.
And I want to solve/understand the locally sourced traffic problem for good so I can also use the knowledge for other tools/cases.

For illustration, I did two fetches on the CLI, one with and one without the bind-address. As you can see in the first screenshot, the fetch without the bind goes out the Internet Interface (as it should according to the routing table) but does not get stuffed into the tunnel. The request with the bind-address goes over the IPsec interface.

This led me to the idea with an outgoing NAT. I set one up on the Internet WAN interface, told it to NAT 'This Firewall' sourced traffic with a destination of 10.0.0.0/24 and NAT it to the LAN address, see screenshot 2.

Lo and behold, the NAT worked (shot 3), but it does not go into the IPsec tunnel, but straight out to the Internet, as it seems. And there the packet dies a horrific death, I'd presume.

And now, my OPN-fu leaves me. Perhaps some kind soul can point me in the right direction to solve this. If you need anything else from settings or any table or log, I'll provide that gladly. And if a slap on the head helps to see a fundamental error in my thinking, please dispense that in ample portions ;) And if I'm not in the right sub-forum, please move my entry.

Thank you very much for your help
Simon

PS: 256k attachments in total is a VERY low bar...

You could try to create a routed IPSEC Tunnel. I think this solved the issue.

The other solution is to create a static route for the IP range and set the gateway to the LAN interface (or another one).



I'd rather first get it working with the tunnel, as I want to learn the platform.

Hmmm, I think I did what you told me, see the enclosed screenshots.

1. I added a Gateway, so I can choose that in the routes menu
2. added the route as suggested
3. traffic is blocked... maybe I need a firewall rule?
4. Added the rule on the IPsec interface (as this is what's said on the blocked screen in step 3)

But still, getting blocked. I am very sure that I have a knot in my head somewhere, but I don't know which part of this firewall I have not yet understood.

Curious if you were ever able to get this working? I'm in the same boat. I need to run a local BIND server on the OPNsense box, and it needs to talk to primary DNS on the other side of the tunnel.

The trick of adding a gateway and static route pointing to it has always worked for me on pfSense. I thought I remembered having to enable `net.inet.ip.redirect` in tunables as well, but that doesn't seem to change anything.


OK, figured it out and got it working. Under advanced firewall settings, there's a checkbox labelled "Disable automatic rules which force local services to use the assigned interface gateway." Uncheck it and the OPNsense box can reach things on the other side of the tunnel.

I already had that disabled. Not working.

Yesterday I had an epiphany.

I added another phase2 for the openVPN IP range. Then on the far Firewall a rule for that range in the IPsec and LAN Rulesets. And presto, it works.
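The behaviour observed in this thread (the fetch without --bind-address leaves via the WAN and never enters the tunnel, the one bound to the LAN address does, and a second phase 2 was needed for the OpenVPN range) follows from how policy-based IPsec selects traffic: the kernel matches each packet's source and destination against the phase 2 selectors, and a locally generated packet takes its source address from whatever interface the routing table picks for the destination. The small model below is an added illustration, not code from the thread or from OPNsense; it assumes a default route via the WAN, a directly connected LAN, and constructed stand-in addresses for the WAN (203.0.113.5) and the OpenVPN range (10.0.20.0/24), which the thread does not give.

```python
"""Model of why locally generated traffic misses a policy-based IPsec tunnel.

Policy-based (tunnel-mode) IPsec encapsulates a packet only when its source
and destination fall inside a phase 2 selector pair. A locally generated
packet gets its source address from the route the kernel chooses for the
destination, so with only a default route the source is the WAN address,
which lies outside the phase 2 local subnet, and nothing is encapsulated.
Binding to a LAN address (fetch --bind-address) or adding a phase 2 that
covers the real source subnet makes the selector match.

Only the two LAN subnets come from the thread; every other address here is
a constructed example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Phase2:
    local: IPv4Net   # local subnet selector
    remote: IPv4Net  # remote subnet selector


# Routing table as {prefix: address the kernel uses as source for that route}.
# 203.0.113.5 is a constructed stand-in for the fixed WAN address.
ROUTES: Dict[IPv4Net, IPv4Addr] = {
    IPv4Net("0.0.0.0/0"): IPv4Addr("203.0.113.5"),   # default route via WAN
    IPv4Net("10.0.10.0/24"): IPv4Addr("10.0.10.1"),  # LAN, directly connected
}

# Phase 2 from the thread: OPNsense LAN <-> EdgeRouter LAN
SITE_TO_SITE: List[Phase2] = [
    Phase2(IPv4Net("10.0.10.0/24"), IPv4Net("10.0.0.0/24")),
]

# Constructed OpenVPN tunnel range on the OPNsense side, plus the extra
# phase 2 the thread ended up adding for it.
OPENVPN_NET = IPv4Net("10.0.20.0/24")
WITH_OPENVPN: List[Phase2] = SITE_TO_SITE + [Phase2(OPENVPN_NET, IPv4Net("10.0.0.0/24"))]


def pick_source(dst: str, routes: Dict[IPv4Net, IPv4Addr],
                bind_address: Optional[str] = None) -> IPv4Addr:
    """Source address selection: an explicit bind wins, otherwise the
    longest-prefix route for the destination decides."""
    if bind_address is not None:
        return IPv4Addr(bind_address)
    dst_addr = IPv4Addr(dst)
    best = max((net for net in routes if dst_addr in net), key=lambda n: n.prefixlen)
    return routes[best]


def spd_lookup(src: IPv4Addr, dst: IPv4Addr, phase2s: List[Phase2]) -> Optional[Phase2]:
    """Return the first phase 2 whose selectors cover src -> dst, or None."""
    for p2 in phase2s:
        if src in p2.local and dst in p2.remote:
            return p2
    return None


def classify(dst: str, phase2s: List[Phase2],
             routes: Dict[IPv4Net, IPv4Addr] = ROUTES,
             bind_address: Optional[str] = None) -> Tuple[IPv4Addr, Optional[Phase2]]:
    """Return (chosen source, matching phase 2 or None) for a locally generated packet."""
    src = pick_source(dst, routes, bind_address)
    return src, spd_lookup(src, IPv4Addr(dst), phase2s)


if __name__ == "__main__":
    cases = [
        ("fetch, no bind", SITE_TO_SITE, None),
        ("fetch --bind-address 10.0.10.1", SITE_TO_SITE, "10.0.10.1"),
        ("OpenVPN-sourced, one phase 2", SITE_TO_SITE, "10.0.20.1"),
        ("OpenVPN-sourced, extra phase 2", WITH_OPENVPN, "10.0.20.1"),
    ]
    for label, p2s, bind in cases:
        src, p2 = classify("10.0.0.20", p2s, bind_address=bind)
        verdict = f"tunnel ({p2.local} -> {p2.remote})" if p2 else "clear text via default route"
        print(f"{label:34} src={src:<14} {verdict}")
```

The model deliberately stops at source selection and selector matching; it does not cover the outbound NAT experiment from the first post, so it only explains why the unbound fetch and the unbound OpenVPN traffic never see the tunnel and why a phase 2 covering the actual source subnet fixes it.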

Quote from: miken32 on March 19, 2021, 04:19:40 PM:
    OK, figured it out and got it working. Under advanced firewall settings, there's a checkbox labelled "Disable automatic rules which force local services to use the assigned interface gateway." Uncheck it and the OPNsense box can reach things on the other side of the tunnel.

I have faced the same issue after migrating from a legacy IPsec tunnel to IPsec Connections.
This setting solved the issue.