Shared forwarding various failures when using it

[Matzke]

Dear All,

I have a big problem with shared forwarding (firewall settings).

First of all, I have a multi-WAN (2 WANs) szenario.

I wanted to use Traffic Shaper - in order to work properly, I have to activate shared forwarding.

As soon as I activate shared forwarding, the following problems occur:
- OpenVPN with topology subnet won't work anymore - no connection to OPNSense.
- when using the deprecated topology net30 OpenVPN works again
- sporadically (every 1-5 Minutes) my internal Clients loose connection to the internet. When waiting some minutes, the connection is back again.

--> as soon as deactivating shared forwarding, the problems above disappear (only Traffic Shaper won't work as expected)

On a second OPNSense I checked this behavior (momentarily only single-WAN):
- OpenVPN with topology subnet won't work with shared forwarding
- I could not realize connection-aborts at Clients of the second OPNSense while shared forwarding was turned on, so I expect a Problem with more than one Gateway (MultiWAN) --> but I have to say, that behind this OPNSense are only 2 Clients at the moment (far few than behind OPNSense 1 with multi-gateways)

[franco]

So shared forwarding allows you to use policy-based routing with captive portal or traffic shaper. It means you have policy-based routing firewall rules...

> On a second OPNSense I checked this behavior (momentarily only single-WAN):
> - OpenVPN with topology subnet won't work with shared forwarding

This really can't be a general issue so I would advise to review your policy-based routing firewall rules that seem to break this in the first place.


Cheers,
Franco

[Matzke]

Hello,
please explain this to me in a little more detail.

On OPNSense 1 I have some default firewall rules that should control the behavior. The last rule in the list then chooses a gateway group. This should fit exactly to the tutorial where exactly this scenario is covered (policy-based for internet, normal rules for local traffic).

So yes, on OPNSense 1 I use policy-based routing in a firewall rule to modify internet traffic. All local rules are not policy based.

This way I have the problem with OpenVPN as well as sporadically losing my clients internet connection.




On OPNSense 2 I have no policy based routing (or the gateway is set to default), here I only have problems with OpenVPN.


By the way - everything works fine without shared forwarding except Traffic Shaper

Can I provide any more information?

Translated with www.DeepL.com/Translator (free version)

[Matzke]

Can somebody help me?

In my oppinion it's a bug.

[franco]

First and foremost make sure to configure OpenVPN correctly on a default install with shared forwarding enabled. There are no problems with it I can assure you.

You probably have a bad firewall rule interfering with our setup.


Cheers,
Franco

[Matzke]

Can I send you a backup of my configuration or some screenshots of OpenVPN as well as Firewall rules?

I don't know where I should look for an config-error because the system works great (without shared forwarding) and I don't know where I should make changes.

[franco]

You can append screenshots here for the community to take a closer look.

I'll just repeat one more time: if shared forwarding is the issue make sure you do not have any outgoing rules (floating or otherwise) that would block your traffic on the way out. When you disable shared forwarding these rules have no effect so it seems to be working. You can even use the firewall live log to search for dropped traffic that way given that you enable rule logging.

Finding the dropped traffic should be easy enough.


Cheers,
Franco

[Matzke]

I'll post the screenshots today in the afternoon.

Just one short question in Advance - the last rule on every interface is a block all rule. Every traffic which is allowed to pass firewall is explicitly allowed in rules above.

Now the question is - is this rule the problem or does this rule exclude the problem, since it ensures that a allow rule must be present, otherwise it would not work even without shared forwarding?

Thanks and many greetings

[Matzke]

and on the other hand - why do I have sporadically no connection to the internet with my LAN devices (when shared forwarding is turned on)

without changing the configuration this is alternating, I just have to wait some time.

Completely unrelated to the problem with OpenVPN.

(and if it is a configuration problem of the firewall, why does it work with deprecated OpenVPN topology net30 but not with topology subnet)?

[franco]

You do not need explicit block rules since the system already has these. The only exception is probably when you want to selectively log block information.

As for your apparent problems this is impossible to find out without enough information about your configuration and it probably escapes my available time for community support.


Cheers,
Franco

[Matzke]

Attached you will find some Screenshots of my configuration.

Interesting ist OpenVPN_Roadwarrior_KS28 which is the Roadwarrior's interface and for example V30_intern which is my internal LAN. I skipped the other VLANs because they are not involved - if needed, I could Screenshot them too.

I can understand that it is hard and time consuming to support community members free of charge, but when I need help, most times there is really a bug in the software which I can help to solve with my logs and details or there is a problem in the documentation and I made a misconfiguration because of lacking docs.

Normally I am an experienced IT professional who does not need any help. So beginner's mistakes are not really to be expected - unless the docs didn't give it.

This is also "only" my private firewall at home - from the configuration you should see that it is not a forest and meadows (no idea how this phrase is called in English) configuration of a hobby IT professional. Unfortunately, however, a paid OPNSense for private is not affordable, so I fall back on the forum, which certainly helps many others with similar problems.

[Matzke]

second part

Filesize-restriction is very hard

[Matzke]

... can nobody help or even give me a hint ...

Are my firewall settings and rules okay?

[mimugmail]

Firewall : Settings : Advanced : Disable Force Gateway

This should ticked. Also, try disabling sticky for testing (only regarding the client timeout problem).

[Matzke]

thanks,

I'll try and report what happened.