Shared forwarding: various failures when using it

Started by Matzke, June 08, 2021, 11:31:16 AM

As soon as I activate "disable force gateway", I sporadically lose Internet connectivity (that is, I can't connect from clients in the LAN to the WAN).

As soon as I deactivate it, everything works as expected (I tried it with and without shared forwarding enabled).

Therefore I didn't do any other tests, because basic functionality (firewall/routing from LAN to WAN) was lost.

Hello,
as already written yesterday, unfortunately it still does not work for me. Also, I have not entered any floating rules (see screenshots) that could somehow interfere in between.

Can anyone still help me? In my opinion, this is still a bug, and I find it a pity that the OPNsense team is not investigating the issue more intensively here. If a configuration error turns out to be the cause, you can refer to the documentation and not pursue the thread further, but putting no further effort into it I find very unfortunate.

@Franco: So again my question: what can I contribute to the error diagnosis?

Translated with www.DeepL.com/Translator (free version)

What happens when you disable the balancing rule or just allow it? Does OpenVPN still have problems with topology?

Dear Mimugmail,

please tell me what I should change in this rule?

a) disable this rule -> then I can't get onto the Internet
b) just allow this rule -> I don't understand
c) change the gateway in this rule to * (but then I don't have policy-based routing, according to franco)

By the way (before changing anything): when I dial in via OpenVPN and shared forwarding is enabled, I can't even ping the firewall itself. I would assume that a rule on the LAN interface shouldn't interfere here?


Just remove the gateway in the rule and tell me if it works. Shared forwarding is enabled by default; if there were a general problem, you wouldn't be the first and only one having such phenomena.

I just forgot: I have a second OPNsense with only one gateway and therefore no rule for gateway switching.

There it is exactly the same. And as far as I remember, shared forwarding was turned off by default (but I updated to OPNsense 21; it was not a fresh installation).

By the way, just to be sure: franco asked me if I have policy-based routing. A fresh installation doesn't have a lot of firewall rules (only some standard floating ones); the interface rules are empty. If shared forwarding is enabled by default and requires policy-based routing, it shouldn't work on any installation.

Just to show, attached are the firewall rules of
a) the LAN interface (vlan20 internal)
b) the OpenVPN road-warrior interface

c) the Gateway tab (no multiple LAN gateways)

This is the configuration of the second OPNsense; here OpenVPN also won't work with topology subnet and shared forwarding turned on.

... just verified with the opnsense21.1 install ISO and a test in VirtualBox:

- Shared forwarding is enabled by default
- OpenVPN topology net30 is the default (subnet isn't the default, although net30 is deprecated)
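The two topologies mentioned above hand out tunnel addresses very differently, which matters as soon as firewall rules are written against individual VPN client addresses. The following is an added illustration (not code from this thread or from OPNsense) that reproduces OpenVPN's documented allocation for both modes using only the Python standard library; the pool 10.8.0.0/24 is a constructed example value.

```python
import ipaddress
from typing import List, Tuple


def net30_clients(pool: str) -> List[Tuple[str, str]]:
    """Addresses as OpenVPN 'topology net30' allocates them.

    Each client is given its own /30 out of the pool. The first /30 is the
    server's own link (server .1, peer .2), so the first client lands on the
    second /30: server endpoint .5, client address .6, and so on.
    Returns (client_address, server_endpoint) pairs.
    """
    net = ipaddress.ip_network(pool, strict=True)
    slots = list(net.subnets(new_prefix=30))
    pairs = []
    for slot in slots[1:]:                 # slot 0 belongs to the server itself
        endpoint, client = list(slot.hosts())  # a /30 has exactly two usable hosts
        pairs.append((str(client), str(endpoint)))
    return pairs


def subnet_clients(pool: str) -> List[str]:
    """Addresses as OpenVPN 'topology subnet' allocates them.

    The whole pool is one shared subnet; the server takes the first usable
    address and every client gets a single address after it.
    """
    net = ipaddress.ip_network(pool, strict=True)
    hosts = list(net.hosts())
    return [str(h) for h in hosts[1:]]     # hosts[0] is the server


def client_match_address(pool: str, client_index: int, topology: str) -> str:
    """The source address a per-client firewall rule has to match.

    client_index is 0-based (first connecting client). Under net30 that is
    the 4k+2 address of the client's /30, not the 4k+1 server endpoint;
    under subnet it is simply the k-th address after the server.
    """
    if topology == "net30":
        return net30_clients(pool)[client_index][0]
    if topology == "subnet":
        return subnet_clients(pool)[client_index]
    raise ValueError(f"unknown topology: {topology}")


if __name__ == "__main__":
    pool = "10.8.0.0/24"  # constructed example pool
    print("net30  first client:", net30_clients(pool)[0], "capacity:", len(net30_clients(pool)))
    print("subnet first client:", subnet_clients(pool)[0], "capacity:", len(subnet_clients(pool)))
```

The point for the discussion above: with net30 a /24 pool serves only 63 clients and the address to filter on is the client half of each /30, while topology subnet serves 253 clients from the same pool and each client has exactly one address.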

Is there a reason why you assign OpenVPN as an interface and add a gateway? Maybe this has strange side effects I'm not aware of.

I just set an interface per OpenVPN link; the gateway was set automatically. I also don't change anything in the interface settings; everything is left blank.

Attached you will see my VPN interface configuration (OPNsense firewall 1).

I did this because I want to limit traffic from specific road warriors or VPN members via the firewall. Without the interface assignment I was unable to create firewall rules that worked.

I tried to filter on the standard OpenVPN interface (one interface for all the different servers/clients/tunnels), but it seems to be the encapsulated traffic at this interface. No rule with the IP addresses of the VPN clients ever worked.

If this is wrong, please tell me how to solve it and I will delete the interface assignments.

Hello,

how can we best continue here? I am happy to help with tests and logs.
How can I filter OpenVPN traffic via the firewall without creating specific interfaces (as in the previous post)?

Another question: all my internal network traffic is VLAN-tagged on one physical interface; can there be a problem here? The second firewall also has VLAN tagging active.

The fact is, the problem still exists and clearly comes down to two things:
OpenVPN topology subnet + shared forwarding on.

Furthermore, it is unfortunately not yet clarified why I sporadically lose the connection to the Internet with the multi-WAN firewall rule, and why it also comes back and disappears again (alternating) without any changes. This also occurs exclusively when shared forwarding is enabled.

Dear mimugmail,

I did a first try:

- deleted all OpenVPN firewall rules
- deleted the interface assignment of the OpenVPN tunnels (so I now have only one OpenVPN tab in Firewall)
- restarted OPNsense
- turned on shared forwarding (OpenVPN topology subnet was already turned on)

I am very surprised, but OpenVPN now seems to work in this constellation.

I will continue to monitor it and get back to you later. But if this is really the case, then a note in the documentation not to assign OpenVPN interfaces would be very important. Maybe this should even be blocked or not offered in the web interface?

I will also observe whether the sporadic Internet outages are now gone, and I will have a try with new firewall rules in the OpenVPN tab.


Dear Mimugmail,

I have been observing the behavior for some time now and can report the following (and would like to split the topic a bit, although it all has to do with shared forwarding):

- after deleting the interface assignment of OpenVPN, topology subnet works like a charm

so here is my first question
a) is this a bug, that assigned interface + shared forwarding + topology subnet won't work?
b) I opened a separate thread but got no sufficient answer: when should I assign an interface to OpenVPN and when not? (For example, when using a NordVPN tunnel through which I have to route specific traffic (guest network), I had to assign an interface for this OpenVPN instance.)

- I still have some hiccups with my Internet traffic. As soon as I use a gateway group and shared forwarding, I have Internet dropouts (some seconds or minutes). After modifying the firewall rule to use the default gateway instead of the gateway group, it works like a charm, but it doesn't use my second gateway :-)

So I think there is still a bug with shared forwarding and gateway groups.

Please let me know how I can assist the investigation.

Hi Mimugmail,

do you have an answer for my still-existing problems, or how can I assist in solving them?

Thanks a lot