Author Topic: more confusion about VPN routing  (Read 2821 times)

woo

more confusion about VPN routing
« on: November 04, 2016, 10:48:14 am »
Hi again,
I've stumbled upon another confusing issue with my OPNsense-as-VPN-concentrator project...
for some reason, there seems to have been a change in routing behaviour recently that I can't find the reason for.
When I started with the setup, I saw all connections from dialled-in users as coming from their virtual IP addresses (configured via ifconfig-push in the CSCs), and I set up the firewall rules accordingly (users' VPN IP allow RDP to their workstation IP). For some reason, recently I only see connections in the log seeming to originate from the OPNsense LAN IP, even though they clearly are initiated by VPN-connected users.
I don't recall changing anything in the setup except adding more users..
Can anyone provide a hint on what could cause this behaviour? It kinda messes up my whole security concept..

bartjsmit

Re: more confusion about VPN routing
« Reply #1 on: November 04, 2016, 06:16:00 pm »
If a VPN user has a source IP from the firewall, then the firewall is applying NAT.

Bart...

woo

Re: more confusion about VPN routing
« Reply #2 on: November 07, 2016, 09:45:16 am »
I was just going to post "But I didn't create any NAT rules recently!" - but then I went to double-check.. and it seems that OPNsense auto-created a set of NAT rules when I set up an IPSEC Mobile service last week to test something, and did not remove them when I deleted that IPSEC service again.
Even weirder - I can't seem to get rid of those rules without switching to full-manual mode, which I would actually like to avoid.
The rules don't even make sense to me.. "Auto created rule for ISAKMP - OpenVPN server -> LAN" - when did OpenVPN start to use ISAKMP?!
There's something going wrong here with the automatic rule creation...
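
Added example, not part of the thread or of OPNsense: one way to confirm the diagnosis above is to scan the loaded pf NAT rules (the output of `pfctl -s nat` on the firewall) for any rule on the LAN interface whose source overlaps the OpenVPN tunnel network, since such a rule replaces each user's virtual IP with the firewall's address and defeats per-user rules. The interface names, the tunnel network 10.8.0.0/24, all addresses and the sample output are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -s nat` output; interface names,
# networks and addresses are assumptions, not values from the thread.
SAMPLE_PFCTL_NAT = """\
nat on em1 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet proto udp from 10.8.0.0/24 to any port = 500 -> 192.168.1.1 static-port
nat on em0 inet from 10.8.0.0/24 to any -> 192.168.1.1 port 1024:65535
no nat on em0 inet from 10.9.0.0/24 to any
"""

# Captures the interface, the source spec and the translation target.
RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) .*?\bfrom (?P<src>\S+) .*?-> (?P<to>\S+)"
)


def nat_rules_hitting(pfctl_output, vpn_net, lan_iface):
    """Return (iface, source, translated_to, udp_only) for every nat rule on
    lan_iface whose source network overlaps the VPN tunnel network."""
    vpn = ipaddress.ip_network(vpn_net)
    hits = []
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["iface"] != lan_iface:
            continue  # "no nat" exemptions and other interfaces are skipped
        src = "0.0.0.0/0" if m["src"] == "any" else m["src"]
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue  # tables and interface macros need manual review
        if net.version == vpn.version and net.overlaps(vpn):
            udp_only = " proto udp " in line
            hits.append((m["iface"], str(net), m["to"], udp_only))
    return hits


if __name__ == "__main__":
    for iface, src, to, udp_only in nat_rules_hitting(
        SAMPLE_PFCTL_NAT, "10.8.0.0/24", "em0"
    ):
        scope = "UDP only" if udp_only else "all protocols"
        print(f"{iface}: {src} is rewritten to {to} ({scope})")
```

A rule reported as covering all protocols is the one that would make RDP sessions appear to come from the firewall's LAN address; an empty result means the source rewriting is happening somewhere else.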