Destination Based Routing

Started by Craash, March 17, 2021, 05:27:21 PM

March 17, 2021, 05:27:21 PM Last Edit: March 17, 2021, 05:42:26 PM by Craash
I have moved from a pfSense device to OPNsense.  I am about finished configuring the last few items.  I'd appreciate some help with the last one, which has eluded me to this point (and worked on pfSense).

Important Info:

Interfaces:
   WAN – Primary WAN
   LAN – 172.20.0.0/24
   OPT1 – Secondary Internet Provider – not important to this example
   VPN – OpenVPN client to VPN anonymizer

Aliases:
   VPNClients – Network clients which I want fully routed over the VPN.  This currently works as intended.
   This VPN is the same VPN I'll use for VPNDestinations.
   VPNDestinations – Locations I want routed over the VPN even though the host isn't a part of VPNClients and normally uses the WAN.

For example: WS1 uses the WAN for almost everything.  It is NOT part of the VPNClients Alias.  However, I want to route traffic to the "BANK", a member of "VPNDestinations" over the VPN.

It is routing non-VPNClients to VPNDestinations that is giving me a headache.  My NAT/Rules are below.

Not perfect, but a link to Google Photos.

https://photos.app.goo.gl/BJeqiwSGiZ97RPDz6


The last outbound NAT rule (source "any" / destination "VPNDestinations") must be on the VPN interface, not the LAN interface.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
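To make the interface point concrete for readers following this thread, here is a small model of how pf-style policy routing and outbound NAT interact for the setup in the first post. It is an added example, not OPNsense code or anything from the original posts: the alias names are the thread's, but every address (the BANK host, the WAN and VPN tunnel addresses, the two workstation IPs) is a constructed documentation-range value. It models two things a practitioner should keep straight: a LAN rule with a gateway set decides the egress interface (first match wins), and outbound NAT is evaluated on that egress interface, so a NAT rule attached to LAN never fires for traffic leaving via VPN.

```python
"""Model of destination-based policy routing plus per-interface outbound NAT.

Constructed example for this thread; not OPNsense's rule engine. Alias names
follow the thread, all addresses are made up (RFC 5737 / RFC 1918 ranges).
"""
from dataclasses import dataclass
import ipaddress

# Constructed alias contents.
ALIASES = {
    "VPNClients": ["172.20.0.50", "172.20.0.51"],   # hosts fully routed via VPN
    "VPNDestinations": ["203.0.113.10"],            # the "BANK" (constructed)
    "LAN_net": ["172.20.0.0/24"],
    "any": ["0.0.0.0/0"],
}

# Constructed interface addresses: WAN public IP and VPN tunnel IP.
IF_ADDR = {"WAN": "198.51.100.2", "VPN": "10.8.0.6"}


def in_alias(addr: str, name: str) -> bool:
    """True if addr falls inside any member of the named alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in ALIASES[name])


@dataclass
class FilterRule:
    interface: str    # interface the rule is attached to (where traffic enters)
    source: str
    destination: str
    gateway: str      # "default" or the gateway/interface to route via


@dataclass
class NatRule:
    interface: str    # outbound NAT is evaluated on the EGRESS interface
    source: str
    destination: str
    translate_to: str


# LAN rules in the order they would be evaluated; first match wins.
FILTER_RULES = [
    FilterRule("LAN", "VPNClients", "any", "VPN"),
    FilterRule("LAN", "LAN_net", "VPNDestinations", "VPN"),
    FilterRule("LAN", "LAN_net", "any", "default"),
]


def nat_rules(dest_rule_interface: str) -> list:
    """Outbound NAT set; the last rule is attached to the given interface."""
    return [
        NatRule("WAN", "LAN_net", "any", IF_ADDR["WAN"]),
        NatRule("VPN", "VPNClients", "any", IF_ADDR["VPN"]),
        NatRule(dest_rule_interface, "any", "VPNDestinations", IF_ADDR["VPN"]),
    ]


def route(src: str, dst: str, nat: list) -> tuple:
    """Return (egress interface, source address on the wire, NAT applied)."""
    egress = "WAN"
    for r in FILTER_RULES:
        if r.interface == "LAN" and in_alias(src, r.source) and in_alias(dst, r.destination):
            egress = "WAN" if r.gateway == "default" else r.gateway
            break
    # Only NAT rules attached to the egress interface are considered.
    for n in nat:
        if n.interface == egress and in_alias(src, n.source) and in_alias(dst, n.destination):
            return egress, n.translate_to, True
    # No NAT matched: the packet leaves with its private LAN source address,
    # which a VPN provider or upstream router will not route back.
    return egress, src, False


if __name__ == "__main__":
    ws1, bank = "172.20.0.20", "203.0.113.10"
    for iface in ("LAN", "VPN"):
        print(f"dest NAT rule on {iface}: WS1 -> BANK =", route(ws1, bank, nat_rules(iface)))
```

Running it shows the symptom from the thread: with the VPNDestinations NAT rule on LAN, WS1's traffic to BANK is correctly sent into the VPN tunnel but leaves untranslated, so replies never come back; moving the rule to the VPN interface translates it to the tunnel address.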

Thanks @Maurice.

I've changed the interface, but no change.  Do you have any other suggestions?  I'm about to pull my hair out over this.

Check the log whether the firewall rule actually matches. Maybe there's something wrong with the 'VPNDestinations' alias?

Ooooh.  I feel like we are getting close.

I wasn't sure about which logs you were interested in, so I did this:
Created a new alias, VDEST, with only two entries: the FQDN and IP address of a site that lists your IP address (the VPN's, hopefully, in this case).  I changed VPNDestinations to VDEST in the NAT and Rule.

After I did that, NO machines will pull up the site.  They used to, but reported my fiber IP.
The machines that route EVERYTHING over the VPN can't reach it either.  Which is new.

DNS will resolve the IP of the site I put in VDEST.

What log or setting can I check?