Traffic between interfaces

Started by jennifer.cruize98, July 17, 2023, 01:58:22 PM

My network is as follows:

OpenVPN network OPT1 (10.8.0.1) <--> (10.8.0.2) OpnSense <--> (192.168.2.254) LAN Network

I'm trying to ping/access the 192.168.2.0/24 network from the linux machine on 10.8.0.1. I can ping 10.8.0.2 and 192.168.1.1 (WAN GW) but I can't seem to figure out how to reach the other.

I tried doing an outbound NAT to force anything on 10.8 not going to 10.8 to go to 192.168, by firewall and by GW, but no luck.


No need for NAT internally. Do you have a (floating) rule to allow ICMP?

Check for denies in your firewall log - Firewall: Log Files: Live View, filter on source == 10.8.0.1

Bart...

I created a floating rule to allow ping from any protocol to and from any interface and removed all those NAT rules etc.

Started a ping and I see the successful ping to 10.8.0.2 logged, but I don't see the deny to 192.168.2.254, which confuses me.

Do both endpoints have OPNsense as their DG? If not, you'll need to add a static route on 192.168.2.254 for the return traffic.

By endpoints, do you mean the Linux server and the OpnSense firewall?


In regard to adding a route, is the following the correct way, if needed?

I had to manually create the LAN GW since it wasn't auto created.

Thanks bart!

Quote from: jennifer.cruize98 on July 17, 2023, 03:33:30 PM
By endpoints, do you mean the Linux server and the OpnSense firewall?

Endpoints would be a host on 192.168.2.0/24 and 10.8.0.2

Try some packet traces to see if you can see the packet going out and the reply going back.

Interfaces: Diagnostics: Packet Capture

What is the routing table on 10.8.0.2 like? Does it have an entry for 192.168.2.0/24 via 10.8.0.1 in there?

"ip ro sh" on most Linux OSes.

Bart...

192.168.2.0/24 can ping 10.8.0.1 and 10.8.0.2

Looking at the packet capture, I don't see the 192.168.2.0/24 network being mentioned, so my guess is the traffic is never leaving the Linux machine running on 10.8.0.1, which is the OpenVPN network.

On the Linux machine I have:
ip ro sh
default dev venet0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
public_IP/24 dev venet0 proto kernel scope link src public_IP


So this means I need to have a static route added on OpnSense, correct?


You need a static route for 192.168.2.0/24 via 10.8.0.1 on the Linux machine for the packets to enter the tunnel. Otherwise they will go out via its default gateway.

You can confirm with tcpdump -w on the Linux machine. Analyse the file in Wireshark - https://www.wireshark.org/
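The point in the reply above is a longest-prefix-match decision: the kernel picks the most specific route that contains the destination, so with no entry for 192.168.2.0/24 the default route wins and the ping leaves via venet0 and never enters tun0. The following is an added example, not code from the thread or from OPNsense: a small Python model of that lookup run over two constructed routing tables based on the "ip ro sh" and "route -n" output posted in this thread (the public /24 is taken from the route -n listing with its src address left out, and the added static route uses "dev tun0" only, which is enough on a point-to-point tun device).

```python
"""Longest-prefix-match route lookup, added example (not from the thread).

The two tables are constructed from the `ip ro sh` / `route -n` output
posted in the thread. The lookup reproduces the kernel's FIB decision:
which interface a packet for a destination leaves on. Without a route for
192.168.2.0/24 the default route wins and the ping leaves via venet0,
never entering tun0; with a route over tun0 the more specific prefix wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: the Linux box's table as posted, before the static route
# (public /24 taken from the route -n listing, src address omitted).
BEFORE = """\
default dev venet0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
45.88.168.0/24 dev venet0 proto kernel scope link
"""

# Constructed: same table plus a static route for the LAN over the tunnel.
# `dev tun0` alone is sufficient on a point-to-point tun device; the
# gateway field is not what decides whether the packet enters the tunnel.
AFTER = BEFORE + "192.168.2.0/24 dev tun0\n"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    dev: str                        # egress interface
    via: Optional[str] = None       # next hop, None if on-link / point-to-point


def parse_ip_route(text: str) -> list[Route]:
    """Parse the subset of `ip route show` fields needed for a lookup."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dest, strict=False)
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing dst wins
    (metrics are ignored here, none of the posted routes carry one)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def egress_dev(table: str, dst: str) -> Optional[str]:
    """Interface a packet to dst would leave on, or None if unroutable."""
    route = lookup(parse_ip_route(table), dst)
    return route.dev if route else None


if __name__ == "__main__":
    for label, table in (("before static route", BEFORE),
                         ("after static route", AFTER)):
        print(f"{label}:")
        for dst in ("10.8.0.2", "192.168.2.254", "45.88.168.1"):
            print(f"  {dst:<15} -> {egress_dev(table, dst)}")
```

On the real box the kernel's own answer to the same question is "ip route get 192.168.2.254"; the device it names is the one to hand to "tcpdump -ni <dev>", which is why a capture on venet0 shows nothing once the traffic is correctly routed into tun0.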

Got it. So something like this?

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 venet0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
45.88.168.0     0.0.0.0         255.255.255.0   U     0      0        0 venet0
192.168.2.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0


I ran a ping in one window and then ran the following

tcpdump icmp and src 10.8.0.1 and dst 192.168.2.254
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel


Not sure if I'm going about this the right way.

Try adding "-n" and "-i <interface>" to the tcpdump command.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)