Trying to route traffic for one device to other site

Started by Eduardox, January 10, 2025, 09:42:12 PM

January 10, 2025, 09:42:12 PM Last Edit: January 10, 2025, 09:56:48 PM by Eduardox
Site A: 10.10.0.0/16, gateway=10.10.0.254
Site B: 10.20.0.0/16, gateway=10.20.0.254

I have an IPsec tunnel setup between two sites that is working well.  Both sites can go online via their own Internet connection, and I can reach all devices from both sites.

Now for one device (10.10.0.100) on site A I would like to route the traffic over the IPsec tunnel and go to the Internet via site B.

I added these lines:

Site A: System/Gateways/Configuration: name=OPNsenseB, int=WAN,gateway=10.20.0.254
Site A: Firewall/rules/LAN: source=10.10.0.100, prt+dest+dest port=*, gateway=10.20.0.254 (as the first line)
Site B: Firewall/NAT/Outbound: interface=WAN, source=10.10.0.100/32, source+dest+dest port=*

However, this does not work.  Traffic from 10.10.0.100 still goes outside via site A's WAN (!)  If I change the firewall rule for 10.10.0.100 to block instead of pass then 10.10.0.100 has no connectivity anymore - so that line is really used.

What am I doing wrong?  Thanks!

I've not tried this, but I'd think...

The interface for your OPNsenseB gateway should be your VPN, not WAN.

Also you do not want to do outbound NAT at site A for this - you'd have to do it at site B to use the correct internet-routable address (belonging to site B). You'll need to configure outbound NAT at site B to cover 10.10.0.0/16 (or at least 10.10.0.100/32) too.

January 12, 2025, 11:39:59 AM #2 Last Edit: January 12, 2025, 11:43:10 AM by Seimus
Quote:
Site A: 10.10.0.0/16, gateway=10.10.0.254
Site B: 10.20.0.0/16, gateway=10.20.0.254

Now for one device (10.10.0.100) on site A I would like to route the traffic over the IPsec tunnel and go to the Internet via site B.

Quote:
Site A: System/Gateways/Configuration: name=OPNsenseB, int=WAN,gateway=10.20.0.254
This is totally wrong. 10.20.0.254 is not available from the Internet, it's a private subnet IP; with this you are saying that a private IP is accessible on the Internet, which it is not. This IP, specifically site B, is reachable over IPsec, so you need to set the GW over the IPsec.

Quote:
Site A: Firewall/rules/LAN: source=10.10.0.100, prt+dest+dest port=*, gateway=10.20.0.254 (as the first line)
So you opted for PBR but,
You applied this GW only to the rule? Do you have a route back on Site B to route thru IPsec tunnel to Site A? Can you ping Site B from Site A over IPSEC?
Also by using this you are forcing any traffic over the GW, meaning as well destination for Private Subnets. If you want to only route Internet over IPsec, create an alias containing RFC 1918 and use it as Inverse destination for the Rule.

Quote:
Site B: Firewall/NAT/Outbound: interface=WAN, source=10.10.0.100/32, source+dest+dest port=*
Only in case your Site A can reach site B, then it can go out via default route to Internet on Site B and NAT can be applied.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
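The point about the inverse RFC 1918 destination is easy to verify by stepping through the rule set. The following is an added example, not code from this thread or from OPNsense: a small first-match rule evaluator (OPNsense rules are "quick" by default, so the first matching rule decides) that runs the same flows against the original rule (source=10.10.0.100, destination=*) and against the corrected rule (destination = RFC 1918 alias, inverted). The gateway name GW_OPNSENSE_B, the "Default allow LAN to any" rule and the sample destination addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed topology, using the addressing from the thread.
SITE_A_LAN = ipaddress.ip_network("10.10.0.0/16")
PBR_HOST = ipaddress.ip_network("10.10.0.100/32")  # the one device to steer via site B

# Alias "RFC1918": the three private ranges, used as an inverted destination.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    name: str
    source: ipaddress.IPv4Network
    destination: List[ipaddress.IPv4Network] = field(default_factory=lambda: ANY)
    dest_invert: bool = False       # the "not" toggle on the destination field
    gateway: Optional[str] = None   # None = follow the system routing table
    action: str = "pass"

    def matches(self, src: str, dst: str) -> bool:
        if ipaddress.ip_address(src) not in self.source:
            return False
        dst_ip = ipaddress.ip_address(dst)
        hit = any(dst_ip in net for net in self.destination)
        return (not hit) if self.dest_invert else hit


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """First matching rule wins. Returns (rule name, next hop), where the next
    hop is the policy gateway, 'routing-table' when no gateway is forced,
    or 'blocked' (an explicit block or the implicit default deny)."""
    for rule in rules:
        if rule.matches(src, dst):
            if rule.action == "block":
                return rule.name, "blocked"
            return rule.name, rule.gateway or "routing-table"
    return "implicit-deny", "blocked"


def lan_rules(invert_private: bool) -> List[Rule]:
    """Site A LAN rule set: the PBR rule first, then the stock allow rule."""
    pbr = Rule(
        name="PBR 10.10.0.100 via site B",
        source=PBR_HOST,
        destination=RFC1918 if invert_private else ANY,
        dest_invert=invert_private,
        gateway="GW_OPNSENSE_B",  # hypothetical gateway bound to the IPsec interface
    )
    default_allow = Rule(name="Default allow LAN to any", source=SITE_A_LAN)
    return [pbr, default_allow]


def compare(flows) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Run each (src, dst) flow against both rule sets.
    Returns {(src, dst): (hop with dest=*, hop with dest=!RFC1918)}."""
    naive, fixed = lan_rules(False), lan_rules(True)
    return {
        (src, dst): (evaluate(naive, src, dst)[1], evaluate(fixed, src, dst)[1])
        for src, dst in flows
    }


# Constructed sample flows; 203.0.113.10 is a documentation (TEST-NET-3) address.
FLOWS = [
    ("10.10.0.100", "10.20.0.50"),    # host at site B, reachable through the tunnel already
    ("10.10.0.100", "203.0.113.10"),  # Internet destination: the traffic we want via site B
    ("10.10.0.7", "203.0.113.10"),    # another site-A host: must keep using site A's WAN
]

if __name__ == "__main__":
    for (src, dst), (naive_hop, fixed_hop) in compare(FLOWS).items():
        print(f"{src:>12} -> {dst:<14} dest=*: {naive_hop:<14} dest=!RFC1918: {fixed_hop}")
```

With destination=*, the site-B host 10.20.0.50 is also forced to the policy gateway instead of following the routing table entry the tunnel installs; with the inverted alias, only non-private destinations are steered, and hosts other than 10.10.0.100 are untouched. Whatever does arrive at site B still needs the outbound NAT entry on site B's WAN covering that source, as noted above.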

Quote from: dseven on January 12, 2025, 10:10:02 AM
The interface for your OPNsenseB gateway should be your VPN, not WAN.

For the interface, I can only choose WAN or LAN, there is no VPN interface.  And if I choose LAN, then it says "Misconfigured Gateway IP".  If I choose WAN then there is no error.

Quote from: dseven on January 12, 2025, 10:10:02 AM
Also you do not want to do outbound NAT at site A for this - you'd have to do it at site B to use the correct internet-routable address (belonging to site B). You'll need to configure outbound NAT at site B to cover 10.10.0.0/16 (or at least 10.10.0.100/32) too.

Isn't that what I did with:
Site B: Firewall/NAT/Outbound: interface=WAN, source=10.10.0.100/32, source+dest+dest port=*
?

Quote from: Eduardox on January 12, 2025, 09:55:31 PM
For the interface, I can only choose WAN or LAN, there is no VPN interface.  And if I choose LAN, then it says "Misconfigured Gateway IP".  If I choose WAN then there is no error.

I've never actually done IPsec on OPNsense. Perhaps you have to assign an interface for it? Check under Interfaces -> Assignments to see if there's a device you can assign?

Quote from: Eduardox on January 12, 2025, 09:55:31 PM
Quote from: dseven on January 12, 2025, 10:10:02 AM
Also you do not want to do outbound NAT at site A for this - you'd have to do it at site B to use the correct internet-routable address (belonging to site B). You'll need to configure outbound NAT at site B to cover 10.10.0.0/16 (or at least 10.10.0.100/32) too.

Isn't that what I did with:
Site B: Firewall/NAT/Outbound: interface=WAN, source=10.10.0.100/32, source+dest+dest port=*
?

Oh, right - I missed the 'Site B' there.

Quote from: Seimus on January 12, 2025, 11:39:59 AM
This is totally wrong
so you need to set the GW over the IPsec.
I am sorry that it is totally wrong.  I am new here, and just looking for help.
Like I wrote in the previous post, I can only choose LAN or WAN as the interface in the gateway.  Which one should it be then?  There is a Misconfigured Gateway IP error when I choose LAN.

Quote from: Seimus on January 12, 2025, 11:39:59 AM
So you opted for PBR but,
You applied this GW only to the rule? Do you have a route back on Site B to route thru IPsec tunnel to Site A? Can you ping Site B from Site A over IPSEC?

I didn't really opt to use policy based routing, I am just a beginner trying to find whatever method I can get to work :-)
Yes, there is a route back from site B to site A.  Like I wrote in my original post, all devices from both sites can reach all devices.

Quote from: Seimus on January 12, 2025, 11:39:59 AM
Also by using this you are forcing any traffic over the GW, meaning as well destination for Private Subnets. If you want to only route Internet over IPsec, create an alias containing RFC 1918 and use it as Inverse destination for the Rule.
Yes, that is a good point.  I will look into that once I get it working for all traffic.

Can you give a suggestion what to correct?  Thanks.

January 13, 2025, 09:59:54 AM #6 Last Edit: January 13, 2025, 10:36:43 AM by Seimus
There are two approaches
* PBR based
* Route based

https://docs.opnsense.org/manual/vpnet.html#new-23-1-vpn-ipsec-connections
https://docs.opnsense.org/manual/vpnet.html#policy-based

If you want to keep it easy (for now) and you have reachability between Sites, just go with the first one.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn.html
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html

In theory, all you need should already be in the route tables, so in Firewall->Rules->IPsec create a rule that will match only interesting traffic (your specific host).

Regards,
S.

Also I should ask, which IPsec setup you are using, the NEW or the OLD?
Because the one posted above is for the NEW IPsec Option.

Regards,
S.

I tried to switch to the new "connections" instead of "tunnels", but unfortunately I couldn't get it to work.  I am using "mutual RSA" with the "tunnels", but somehow I couldn't use that for "connections" (it does work with Mutual PSK though, but I prefer Mutual RSA).

Anyway, I had the Firewall->Rules->IPsec set as * as a test - but still failed.  Need to search a bit more :-(

Thanks.

So in case you are using the Legacy way you need to follow https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

You have two options here,
Either stay on Legacy and configure the routing per legacy docs or
Migrate to New and take advantages of the docs for New setup.

Regards,
S.