more confusion about VPN routing

Started by woo, November 04, 2016, 10:48:14 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 04, 2016, 10:48:14 AM
Hi again,
I've stumbled upon some other confusing issue with my OPNsense-as-VPN-concentrator project...
for some reason, there seems to have been a change in routing behaviour recently that I can't find the reason for.
When I started with the setup, I saw all connections from dialled-in users as coming from their virtual IP addresses (configured via ifconfig-push in the CSCs), and I set up the firewall rules accordingly (users' VPN IP allow RDP to their workstation IP). For some reason, recently I only see connections in the log seeming to originate from the OPNsense LAN IP, even though they clearly are initiated by VPN-connected users.
I don't recall changing anything to the setup except adding more users..
Can anyone provide a hint on what could cause this behaviour? It kinda messes up my whole security concept..
November 04, 2016, 06:16:00 PM #1
If a VPN user has a source IP from the firewall, then the firewall is applying NAT

Bart...
November 07, 2016, 09:45:16 AM #2
I was just going to post "But I didn't create any NAT rules recently!" - but then I went to double-check.. and it seems that OPNsense auto-created a set of NAT rules when I set up an IPSEC Mobile service last week to test something, and did not remove them when I deleted that IPSEC service again.
Even weirder - I can't seem to get rid of those rules without switching to full-manual mode, which I would actually like to avoid.
The rules don't even make sense to me.. "Auto created rule for ISAKMP - OpenVPN server -> LAN" - when did OpenVPN start to use ISAKMP?!
There's something going wrong here with the automatic rule creation...
Print
Go Up Pages1
User actions