Cannot reach VPN subnet from LAN

[guest27848]

Greetings,

I am new to OpnSense, facing a problem that seems to be unsolvable for me and hope that someone here can kindly help me out. To test the functionality/suitability of OpnSense, I'm currently running it in a virtual machine and for simplicity currently using only a single network interface. In the future productive operation this will surely differ. I hope I can describe the problem sufficiently.

Requirements (reduced to describe issue):

• OpnSense is used as a gateway/router as well as a firewall within the local network.
• OpnSense connects to an external network via L2TP over IPsec (as mobile client to a watchguard).
• OpnSense allows to access the one or more defined subnets in die external network (VPN) from within the local network (LAN).
• OpnSense prevents access from the external network (VPN) to the local network (LAN).

Actual state:

• LAN interface (lan, vtnet0), subnet 192.168.178.0/24, Gateway: 192.168.178.1
• WAN interface (wan, vtnet1), no carrier, down
• VPN/IPsec (type: IPv4 IKE, remote host: 12.34.56.78, local subnets: 192.168.178.66/32, remote subnets: 12.34.56.78/32), State: installed & routed
• Point-to-Point (type: l2tp, link interface: LAN, local ip: none, gateway: 12.34.56.78), Status: up, Interface: l2tp0
• Interface "ext" (assigned device: l2tp0)
• Gateway "EXT_L2TP" (gateway: 10.0.50.101)
• Route (network: 10.0.23.0/24, gateway: EXT_L2TP - 10.0.50.101)

Interim status:

• ICMP echo requests into the external network (to 10.0.23.141) works fine on the local console (bash) of OpnSense.

Issue:

• ICMP echo requests from the local network (LAN, 192.168.178.2) into the external network (VPN, 10.0.23.141) don't receive a response ("Request timed out").
• Remote Desktop connection to 10.0.23.141:3389 also fail.

Diagnosis / tests so far:
- Added NAT outbound rule (interface: ext, source: "LAN net", destination: "10.0.23.0/24", NAT address: interface address).
- Log Files/Live View: Shows successful (passed) entry (interface: ext, source: 10.0.50.174:29768, destination: 10.0.23.141:3389, proto: tcp, label: "let out anything from firewall host itself (force gw)") when trying to connect from LAN
- Diagnostics/pfInfo/Nat: Show successfully established connection (no blocked or rejected entries)

Code: [Select]

@1 nat log on l2tp0 inet from (vtnet0:network:1) to 10.0.23.0/24 -> (l2tp0:0) port 1024:65535
  [ Evaluations: 235       Packets: 13        Bytes: 664         States: 2     ]
  [ Inserted: uid 0 pid 79222 State Creations: 2     ]
- Interfaces/Diagnostics/Packet Capture (interface "ext") shows that the packages were successfully routed over the VPN, and also seem receive a response, but for some reason those responses don't get routed back to the client (192.168.178.2) within the local network (LAN):

Code: [Select]

No. Time      Source       Destination  Proto.  Len  Info
1   0.000000  10.0.50.161  10.0.23.141  ICMP    64   Echo (ping) request  id=0x1118, seq=686/44546, ttl=127 (reply in 2)
2   0.015610  10.0.23.141  10.0.50.161  ICMP    64   Echo (ping) reply    id=0x1118, seq=686/44546, ttl=127 (request in 1)
3   0.077754  10.0.50.161  10.0.23.141  TCP     56   46777 → 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
4   0.093838  10.0.23.141  10.0.50.161  TCP     56   3389 → 46777 [SYN, ACK] Seq=0 Ack=1 Win=64000 Len=0 MSS=1360 WS=1 SACK_PERM=1
5   1.106391  10.0.23.141  10.0.50.161  TCP     56   [TCP Retransmission] 3389 → 46777 [SYN, ACK] Seq=0 Ack=1 Win=64000 Len=0 MSS=1360 WS=1 SACK_PERM=1
6   3.120018  10.0.23.141  10.0.50.161  TCP     56   [TCP Retransmission] 3389 → 46777 [SYN, ACK] Seq=0 Ack=1 Win=64000 Len=0 MSS=1360 WS=1 SACK_PERM=1
7   3.401663  10.0.50.161  10.0.23.141  TCP     56   24492 → 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
8   3.417707  10.0.23.141  10.0.50.161  TCP     56   3389 → 24492 [SYN, ACK] Seq=0 Ack=1 Win=64000 Len=0 MSS=1360 WS=1 SACK_PERM=1
9   4.430111  10.0.23.141  10.0.50.161  TCP     56   [TCP Retransmission] 3389 → 24492 [SYN, ACK] Seq=0 Ack=1 Win=64000 Len=0 MSS=1360 WS=1 SACK_PERM=1
10  5.001119  10.0.50.161  10.0.23.141  ICMP    64   Echo (ping) request  id=0x1118, seq=687/44802, ttl=127 (reply in 11)
11  5.017070  10.0.23.141  10.0.50.161  ICMP    64   Echo (ping) reply    id=0x1118, seq=687/44802, ttl=127 (request in 10)
12  6.402551  10.0.50.161  10.0.23.141  TCP     56   [TCP Retransmission] 24492 → 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
13  6.441014  10.0.23.141  10.0.50.161  TCP     56   [TCP Retransmission] 3389 → 24492 [SYN, ACK] Seq=0 Ack=1 Win=64000 Len=0 MSS=1360 WS=1 SACK_PERM=1
14  7.125663  10.0.23.141  10.0.50.161  TCP     56   [TCP Retransmission] 3389 → 46777 [SYN, ACK] Seq=0 Ack=1 Win=64000 Len=0 MSS=1360 WS=1 SACK_PERM=1
- Instead of routing the external subnet 10.0.23.0/24 from my local computer (192.168.178.2) only, I set OpenSense as the default gateway: Didn't change a thing, though I was still able to access the internet (tested by simply browsing within a web browser) itself.
- Disabling the firewall functionality of OpenSense also didn't affect the issue.

I hope someone here can help me out. I'm assuming I'm just missing some little thing; at least I hope so. If more information is required, feel free to ask.

Thank you very much.

[smyers119]

L2TP is a classfull protocol, are you pushing all traffic through the VPN?  if not you need to create a route on the client.

[guest27848]

Thank you for your answer.

No, I explicitly don't want to route all traffic through the VPN.
I only want to route the specific subnets (10.0.23.0/24 in this case) over a secured L2TP connection on the OpnSense. All other traffic should get routed via a defined default gateway to allow clients to access the internet.

According to the following diagram I want to access the internet and "Some Remote Server" from "Some Local PC". The local PC already has a route defined to use the OpnSense (192.168.178.66) as a gateway for 10.0.23.0/24. Currently, the "Some Local PC" uses the OpnSense as a default gateway, which works fine. Also, the ICMP echo requests and TCP connection requests were successfully retrieved (and actually answered) by "Some Remote Server", but those packets never reach back to "Some Local PC".
The VPN itself seems to work just fine - I can access everything from the OpnSense console itself.

Code: [Select]

        WAN / Internet
                :
          .-----+-----.
          |  Gateway  |
          '-----+-----'
                |
            WAN |
                |
          .-----+------.     (L2TP over IPsec)     .----------------.
          |  OPNsense  +-----------(NAT)-----------+ Watchguard VPN |
          '-----+------'     (VPN 10.0.50.0/24)    '--------+-------'
(192.168.178.66)|                                           |
                |                                           |
            LAN | (192.168.178.0/24)                    { Router }
                |                                           |
          .-----+------.                         Remote LAN | (10.0.23.0/24, ...)
          | LAN-Switch |                                    |
          '-----+------'                         .----------+-----------.
                |                                +  Some Remote Server  |
        .-------+-------.                        '----------------------'
        | Some Local PC |                             (10.0.23.141)
        '---------------'
    (192.168.178.2)


[smyers119]

That's because "some remote server" does not know how to route the packet back to "some local pc"

[guest27848]

Yes, probably, I guess. But how to fix it?

1. The VPN works absolutely fine when I establish the "L2TP via IPsec" VPN directly on "Some Local PC".
2. The VPN works absolutely fine when accessing it directly from "OpnSense".
3. The "Some Local PC" successfully can send packages to "Some Remote Server" (NAT traversal seems to work for outgoing packages).
4. The "Some Remote Server" successfully answers back to "OpnSense" (see package capture on the OpnSense) over the VPN, but OpnSense does not route those answers back to "Some Local PC" (NAT traversal seems to fail for incoming responses?).

[smyers119]

When your connecting from opnsense, you are connecting on the same "layer 2" network.

Example:
"some local pc"=1.1.1.2 "
gateway LAN=1.1.1.1, gateway tunnel=2.2.2.1"
"some remote pc"= 2.2.2.2
some remote pc knows how to get to 2.2.2.1 but not 1.1.1.2


I guess you could solve this by Nating traffic going out the l2tp tunnel to the tunnel ip of the router.

[chemlud]

sorry, wrong post, misread your network plan... :-)

[smyers119]

sorry, wrong post, misread your network plan... :-)

LOL I was wondering what that was

[guest27848]

Thank you anyway - my ascii-art network plan might not be very readable; sorry for that.

Since nobody seems to be able to help out, my next try is to install OpnSense on a physical machine in order to check if the surrounding Hyper-V network driver interferes with the routing / nat capabilities. This might take a while since the ordered hardware didn't arrive, yet. I still really hope this problem could be solved, although various topics in this forum lead to the assumption that using OpnSense as a VPN gateway either does not work at all, or at least is not very intuitive. Unfortunately, the documentation for this case seems to be very rare.

I'll get back here as soon as I figure something out. And if someone has a suggestion or a useful documentation, please feel free to send it to me / post it here. I would appreciate it very much.

Thank you.

[smyers119]

Since nobody seems to be able to help out

Did you not read my post where i gave you the solution???  That's a slap in the face....lol

[guest27848]

Wow, I'm very sorry. I got the posts/authors mixed up and somehow interpreted the "sorry, wrong post, misread your network plan... :-)" to refer to the previous entry. 
Please accept my sincere apologies.

Yes, I'm trying to achieve exactly what you wrote. I therefore have already configured an outbound nat rule like that:

Code: [Select]

Interface  Source   Source Port  Destination   Destination Port  NAT Address        NAT Port  Static Port
ext        LAN net  *            10.0.23.0/24  *                 Interface address  *         NO


[guest27848]

I figured out my problem and feel quite stupid. I fell for the old "order matters" issue. The subnet rule for the VPN subnet was configured after the default route and thereby rendering it useless/unused.

I got it all working, and first time in my life with a UI configurable router system. Until now I had to configure all by hand, which got quite a mess after a while...

Thank you for your help. :-)