Topic: 17.1.1 IPsec blocks traffic no matter what (Read 4080 times)
oddjarle
Newbie
Posts: 2
Karma: 0
on: February 16, 2017, 08:02:06 pm
Hi
I've tried a bunch of tips found here on the forum to try and solve my issue.
Using 16.7 I had no problems, like many others here. VPN worked great.
Since then I've run the upgrade to 17.1 via CLI and then 17.1.1 and all package updates via the GUI.
No changes were made to rules or settings after upgrading.
I can see in my OPNsense logs that traffic via VPN is being blocked.
Action : Block
Time : Feb 16 19:45:11
If : IPsec
Source : 172.16.31.1:60049
Destination: 172.16.1.12:8000
Protocol : TCP:S
My VPN clients get IPs in 172.16.31.0/24.
I am trying to reach my LAN at 172.16.1.0/24, specifically 172.16.1.12 at port 8000 (web service).
Under the IPsec interface I had a rule that allowed 172.16.31.0/24 to reach 172.16.1.0/24 on any port and protocol. Since it didn't work in 17.1.1, I simplified it to "any" to 172.16.1.0/24 to see if that helped - nope.
I then added a Floating rule as well from "IPsec net" to "172.16.1.0/24", any protocol - still no go (of course I reconnected the VPN in case that was needed for the rule to take effect).
I tried a few sysctl tunables:
root@fw:~ # sysctl net.pf.share_forward=0
net.pf.share_forward: 1 -> 0
root@fw:~ # sysctl net.inet.ipsec.filtertunnel=1
net.inet.ipsec.filtertunnel: 1 -> 1
None helped.
I've also disabled blocking "private" and "bogons" network on my WAN interface - did not help either.
I'm trying to see which pf rule triggers the blocking, but I haven't found any option in the GUI log viewer to help me pinpoint which rule blocks the traffic.
Is this unsolvable at the moment? Any tips are greatly appreciated.
What I plan to test is to remove all IPsec and Floating rules, reboot the firewall, and add them again. However, I can't do that right now, so perhaps during the weekend. Do you think that could help?
Thanks for reading and I hope someone can provide a fix.
Andreas
Sr. Member
Posts: 272
Karma: 9
Re: 17.1.1 IPsec blocks traffic no matter what
Reply #1 on: February 17, 2017, 10:37:08 am
Please read
https://forum.opnsense.org/index.php?topic=4513
https://forum.opnsense.org/index.php?topic=4313