IPsec traffic through Webproxy

Started by Lochkartenknipser, September 18, 2023, 03:04:41 PM

Hello everyone,
I have to contact the professionals now.
I've been testing OPNsense for a few weeks in order to replace a UTM later. In terms of routers, I come from the Lancom corner.
I have an OPNsense installed in the Hetzner Cloud with a public v4 address and a Windows machine behind it for testing. The OPNsense successfully runs CrowdSec, GeoIP blocking, ntopng, a transparent proxy for HTTP and HTTPS, ClamAV in the web proxy as well as blacklists and MIME types (Windows updates are not routed via the web proxy because of the certificates), Unbound DNS with blacklists, and Zenarmor. So far, everything works as it should on the Windows machine behind the OPNsense in the local network in the Hetzner Cloud.

I have now set up IPsec on the OPNsense so that I can connect my network at home to the Hetzner Cloud. At my house I have a Lancom as the endpoint of the IPsec tunnel. I can also access the OPNsense and the Windows machine in the cloud through the IPsec tunnel. Everything works as it should.
The next step is to route the internet traffic from home through the IPsec tunnel and use the OPNsense in the Hetzner Cloud as the main firewall. This also works perfectly. As the DNS at home I am currently using the Unbound DNS from OPNsense with the blocking lists.
Then I tried to route the internet traffic through Zenarmor as well. This doesn't work because of the netmap module that Zenarmor uses. Then I tried to route the internet traffic through the transparent web proxy so that the traffic is virus-checked and the MIME types take effect. But this is exactly where my problem begins. I have set up the NAT from the IPsec network at home on the OPNsense, but I can only select LAN and loopback as proxy interfaces in the web proxy. Then I created a virtual adapter in IPsec, but it is not shown as a possible proxy interface.
I don't see any traffic from my home network in the log of the web proxy. I do see the traffic from the home network in the firewall log as NAT traffic.
How can I ensure that the IPsec traffic also goes through the transparent proxy?

I would be very grateful for your help so that my test project can continue.

Best regards.

October 15, 2023, 05:57:26 PM #1 Last Edit: October 15, 2023, 08:10:05 PM by Monviech
I'm posting this here for anybody who tries to use a port forwarding rule after traffic went into the IPsec enc0 interface. It won't work. The return traffic won't go back into the enc0 interface.

https://freebsd-net.freebsd.narkive.com/RiJhgUnH/pf-rdr-statement-ipsec-processing-interaction

It's a long standing issue with no solution.

Using enc0 and forwarding (rdr) traffic to a loopback (or any other) interface IP address (where squid listens) will simply fail to work.
The problem arises from the order of operations between IPsec processing and pf packet redirection.

OPNsense has nothing to do with this not working; it's upstream.
Hardware:
DEC740
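Since the reply above says a pf rdr rule bound to the IPsec enc0 interface cannot work, a quick way to audit a box for that pattern is to scan the loaded NAT rules for it. The following script is an added example and not part of the thread or of OPNsense itself: it parses rule lines in the format `pfctl -sn` prints and reports every rdr rule whose interface is enc0. The rule lines embedded in the script are constructed sample output (interface names vtnet0/vtnet1 and the 192.168.178.0/24 home network are assumptions); on a real firewall you would pipe `pfctl -sn` into `find_enc0_rdr` instead.

```shell
#!/bin/sh
# Added example (not from the forum thread): flag pf rdr rules that are bound
# to the IPsec enc0 interface, which the reply above says cannot redirect
# traffic to a local squid listener because the return path never re-enters enc0.

# Constructed sample of `pfctl -sn` output. Interface names and the home
# network 192.168.178.0/24 are assumptions made for this example only.
SAMPLE_RULES='rdr pass on vtnet1 inet proto tcp from any to ! (vtnet1) port = http -> 127.0.0.1 port 3128
rdr pass on vtnet1 inet proto tcp from any to ! (vtnet1) port = https -> 127.0.0.1 port 3129
rdr pass on enc0 inet proto tcp from 192.168.178.0/24 to any port = http -> 127.0.0.1 port 3128
nat on vtnet0 inet from 10.0.0.0/24 to any -> (vtnet0) port 1024:65535'

# Read NAT rules on stdin and print only rdr rules whose "on <if>" is enc0.
# Only the token following "on" is compared, so an rdr rule that merely
# mentions enc0 elsewhere in the rule is not reported.
find_enc0_rdr() {
    awk '$1 == "rdr" {
        for (i = 1; i <= NF; i++) {
            if ($i == "on" && $(i + 1) == "enc0") { print; break }
        }
    }'
}

# Convenience wrapper over the constructed sample; returns the number of
# enc0 rdr rules found so the result can be checked in a script.
count_enc0_rdr_in_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_enc0_rdr | wc -l | tr -d ' '
}

# Stand-alone run: list the offending rules from the sample.
# On a live firewall replace the printf with:  pfctl -sn | find_enc0_rdr
printf '%s\n' "$SAMPLE_RULES" | find_enc0_rdr
```

A non-empty result means the transparent proxy redirect is attached to enc0 and, per the reply above, will silently drop the return traffic; the rdr rules on the regular LAN interface (vtnet1 in the sample) are left alone because they are not affected by the IPsec ordering problem.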