OPNsense Forum » Archive » 22.1 Legacy Series » Site 2 Site route based (VTI) Netmask Issues
Topic: Site 2 Site route based (VTI) Netmask Issues (Read 1986 times)
rrosson
Newbie
Site 2 Site route based (VTI) Netmask Issues
« on: March 20, 2022, 04:28:20 pm »
In setting up multiple site 2 site route based VTI connections following https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html I think I discovered a possible bug. Both sides are running OPNsense version 22.1.3.

I had two site 2 site VTIs configured, and when adding a third I discovered that the netmask is not consistent.

My Side IP    Other Side IP   Netmask   Description
10.111.1.1    10.111.1.2      30        remote site 1
10.111.1.3    10.111.1.4      29        remote site 2
10.111.1.5    10.111.1.6      30        remote site 3

When I go to add 'remote site 3' it breaks site 2. To work around this I changed the second octet to 112 for site 3 on both sides. This brings up the tunnel, but the routing only works to each of the firewalls. Neither side is able to get to the networks that they have routes for.

Both sites have unique IP networks on each side and do not clash.

This appears to only reveal itself when doing more than two site 2 site route based IPsec VPNs.

Any ideas?

TIA
-Ron
franco
Administrator
Re: Site 2 Site route based (VTI) Netmask Issues
« Reply #1 on: March 21, 2022, 07:49:13 am »
Hi Ron,

Your /29 subnet overlaps with both /30s, easy to check with https://jodies.de/ipcalc

Cheers,
Franco
rrosson
Re: Site 2 Site route based (VTI) Netmask Issues
« Reply #2 on: March 21, 2022, 01:58:02 pm »
@Franco I am totally aware, but I cannot find a way or a place to set the netmask when doing a site route based (VTI) VPN. I even double-checked the docs to make sure I did not miss anything before writing this reply.

TIA,
Ron
franco
Re: Site 2 Site route based (VTI) Netmask Issues
« Reply #3 on: March 21, 2022, 02:02:28 pm »
Hi Ron,
It's calculated from the smallest possible subnet that can hold these IPs:
https://github.com/opnsense/core/commit/9e44d9a1a92
The issue is that the IPs 10.111.1.3 - 10.111.1.4 are not spread out so that they bleed into the other subnets A and C. If you use the following it should work:
10.111.1.9 10.111.1.10 (30) remote site 2
Cheers,
Franco
rrosson
Re: Site 2 Site route based (VTI) Netmask Issues
« Reply #4 on: March 21, 2022, 02:32:21 pm »
@Franco, I see that, but why did the first VPN set a /30, the second VPN set a /29, and then, when trying to add a third VPN, it set a /30 that conflicts with the second VPN? When doing a VPN like this, why would you need something bigger than a /30?

TIA,
Ron
franco
Re: Site 2 Site route based (VTI) Netmask Issues
« Reply #5 on: March 21, 2022, 02:40:42 pm »
Hi Ron,
Because CIDR networks are not "sliding" windows you get slots of subnets to fit in, so both 10.111.1.3 and 10.111.1.4 belong to different /30 subnets...

Network:   10.111.1.0/30   00001010.01101111.00000001.000000 00 (Class A)
Broadcast: 10.111.1.3      00001010.01101111.00000001.000000 11
HostMin:   10.111.1.1      00001010.01101111.00000001.000000 01
HostMax:   10.111.1.2      00001010.01101111.00000001.000000 10

Network:   10.111.1.4/30   00001010.01101111.00000001.000001 00 (Class A)
Broadcast: 10.111.1.7      00001010.01101111.00000001.000001 11
HostMin:   10.111.1.5      00001010.01101111.00000001.000001 01
HostMax:   10.111.1.6      00001010.01101111.00000001.000001 10
Cheers,
Franco
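To make the two points from Franco's replies #3 and #5 concrete (the VTI netmask is derived as the smallest block that holds both endpoint addresses, and CIDR blocks are aligned slots rather than sliding windows), here is an added Python example. It is not OPNsense code and not taken from the linked commit (which is PHP); it is an independent model of the rule he describes. The function names and the two tunnel tables are constructed for this illustration, using the addresses posted in the thread.

```python
"""Smallest enclosing CIDR block for a VTI endpoint pair, plus overlap check.

Added illustration, not OPNsense code: an independent Python model of the
"smallest subnet that can hold both IPs" rule. Function names and the tunnel
tables below are constructed for this example.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

Tunnel = Tuple[str, str, str]  # (my side IP, other side IP, description)

# Ron's table from the first post, as constructed sample input.
RON_TUNNELS: List[Tunnel] = [
    ("10.111.1.1", "10.111.1.2", "remote site 1"),
    ("10.111.1.3", "10.111.1.4", "remote site 2"),
    ("10.111.1.5", "10.111.1.6", "remote site 3"),
]

# The same table with Franco's suggested fix for site 2 applied.
FIXED_TUNNELS: List[Tunnel] = [
    ("10.111.1.1", "10.111.1.2", "remote site 1"),
    ("10.111.1.9", "10.111.1.10", "remote site 2"),
    ("10.111.1.5", "10.111.1.6", "remote site 3"),
]


def smallest_enclosing_network(a: str, b: str) -> ipaddress.IPv4Network:
    """Return the smallest aligned CIDR block that contains both addresses.

    The prefix length is the number of leading bits the two addresses share.
    CIDR blocks are aligned to multiples of their own size, so .3 and .4
    differ in bit 2 and straddle a /30 boundary (forcing a /29), while
    .1/.2, .5/.6 and .9/.10 each differ only in the last two bits (a /30).
    """
    x = int(ipaddress.IPv4Address(a))
    y = int(ipaddress.IPv4Address(b))
    shared_prefix = 32 - (x ^ y).bit_length()
    # strict=False clears the host bits so the network address is aligned.
    return ipaddress.IPv4Network((x, shared_prefix), strict=False)


def find_overlaps(tunnels: List[Tunnel]):
    """Derive each tunnel's implied block and report every overlapping pair."""
    nets: Dict[str, ipaddress.IPv4Network] = {
        desc: smallest_enclosing_network(mine, theirs) for mine, theirs, desc in tunnels
    }
    overlaps: List[Tuple[str, str]] = [
        (d1, d2)
        for (d1, n1), (d2, n2) in combinations(nets.items(), 2)
        if n1.overlaps(n2)
    ]
    return nets, overlaps


def aligned_p2p_pairs(pool: str, count: int) -> List[Tuple[str, str]]:
    """Hand out non-overlapping /30 endpoint pairs from a pool, in order.

    Each /30 has exactly two usable hosts; taking both endpoints from one
    aligned /30 is what keeps every tunnel's implied netmask at /30.
    """
    pairs: List[Tuple[str, str]] = []
    for subnet in ipaddress.IPv4Network(pool).subnets(new_prefix=30):
        if len(pairs) == count:
            break
        lo, hi = list(subnet.hosts())
        pairs.append((str(lo), str(hi)))
    return pairs


if __name__ == "__main__":
    for label, table in (("as posted", RON_TUNNELS), ("with Franco's fix", FIXED_TUNNELS)):
        nets, overlaps = find_overlaps(table)
        print(f"--- {label}")
        for desc, net in nets.items():
            print(f"{desc:14s} -> {net}")
        print("overlaps:", overlaps or "none")
    print("aligned /30 pairs:", aligned_p2p_pairs("10.111.1.0/24", 3))
```

Running it shows "remote site 2" as posted expanding to 10.111.1.0/29 and overlapping both neighbours, while the corrected pair 10.111.1.9/10.111.1.10 collapses to 10.111.1.8/30 with no overlaps. The last helper is the practical takeaway for a deployment: allocate VTI endpoint pairs as HostMin/HostMax of consecutive aligned /30s rather than as consecutive addresses.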
rrosson
Re: Site 2 Site route based (VTI) Netmask Issues
« Reply #6 on: March 22, 2022, 02:18:12 pm »
Thanks Franco for showing me what I was doing wrong.
Ron