I can't access the PC in another building.

Started by Shild73, June 05, 2025, 03:49:30 PM

June 05, 2025, 03:49:30 PM Last Edit: June 05, 2025, 03:55:41 PM by Shild73
There is an organization network, and everything works properly. The organization built another building. The networks are united using a secure channel (KSPD). The problem is that from the address 10.62.65.13 you can easily connect to 10.62.70.59, but in the opposite direction OPNsense blocks the connection. For three days now I have not been able to understand what causes this. Please help me solve the problem.

[attached images: network diagram, lan, KSPD, log]

Your rule on the KSPD allows only access from a source IP out of the KSPD net, which is 10.62.65.0/24. However, the arriving packet from the remote site is not translated; it is from 10.62.70.59.

So you probably want to allow access from 10.62.70.0/24.

Yes, I need to be able to connect from 10.62.70.10/24 to 10.62.65.0/24, and even better, I need the 172.17.32.0/21 network to also be able to interact with these networks.

So configure the rules accordingly.

And if it's the WAN interface also go to the interface settings and uncheck "block private addresses".

Please tell me what rule and on what interface should there be so that 10.62.70.0/24 can interact with all other networks?

As I wrote above already, on the KSPD interface add a rule
source: 10.62.70.0/24
destination: LAN net

> and even better, I need the 172.17.32.0/21 network to also be able to interact with these networks.

This requires that the KSPD routes the traffic to OPNsense. I assume you're actually NATting the traffic?

June 05, 2025, 04:44:21 PM #6 Last Edit: June 05, 2025, 04:53:56 PM by Shild73
Yes, I NAT the traffic so that the LANs are united into one network.

I did as you said, but opnsense still blocks the connection.

[attached images: KSPD, log]

This is a different interface and different sources though.

And the blocked packets are SYN/ACK, which indicates asymmetric routing.
Does the destination device use a different default gateway than OPNsense by any chance?
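Two checks from this thread are worth automating when you read an OPNsense firewall log: a blocked packet whose source is outside every source network your pass rules on that interface allow (the first problem in the thread), and a blocked packet carrying only SYN/ACK, which is a reply arriving without a matching state and is the classic fingerprint of asymmetric routing. The script below is an added example and not code from the thread or from OPNsense; it assumes the pf filterlog CSV field layout (interface, action, direction, IP version, protocol name, source, destination, ports, TCP flags at the positions given) and the sample log lines, interface names (igb1, igb2) and rule numbers are constructed to resemble the thread's situation, not copied from the poster's log.

```python
import csv
import ipaddress
from typing import Dict, List, Optional, Tuple

# Field positions assumed from the pf filterlog CSV layout OPNsense writes for an
# IPv4 TCP packet: rulenr,subrulenr,anchor,ridentifier,interface,reason,action,dir,
# ipversion,tos,ecn,ttl,id,offset,flags,protonum,protoname,length,src,dst,sport,dport,
# datalen,tcpflags,seq,ack,window,urg,options
IFACE, ACTION, DIRECTION, IPVER, PROTONAME = 4, 6, 7, 8, 16
SRC, DST, SPORT, DPORT, TCPFLAGS = 18, 19, 20, 21, 23

# Constructed sample lines (not the poster's real log). igb2 stands in for the
# KSPD interface and igb1 for LAN; rule numbers and ports are placeholders.
SAMPLE_LOG = """\
65,,,0,igb2,match,block,in,4,0x0,,63,0,0,DF,6,tcp,60,10.62.70.59,10.62.65.13,51234,3389,0,S,1,,65535,,mss
65,,,0,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.62.65.13,10.62.70.59,3389,51234,0,SA,2,2,65535,,mss
70,,,0,igb2,match,pass,in,4,0x0,,63,0,0,DF,6,tcp,60,10.62.70.59,10.62.65.13,51235,445,0,S,3,,65535,,mss
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one filterlog line; return None for anything that is not IPv4 TCP."""
    fields = next(csv.reader([line]))
    if len(fields) <= TCPFLAGS or fields[IPVER] != "4" or fields[PROTONAME] != "tcp":
        return None
    return {
        "interface": fields[IFACE],
        "action": fields[ACTION],
        "direction": fields[DIRECTION],
        "src": fields[SRC],
        "dst": fields[DST],
        "sport": fields[SPORT],
        "dport": fields[DPORT],
        "tcpflags": fields[TCPFLAGS],
    }


def classify(entry: Dict[str, str], pass_sources: Dict[str, List[str]]) -> str:
    """Explain why a blocked packet was blocked, given the source nets your pass rules allow per interface."""
    if entry["action"] != "block":
        return "pass"
    # A bare SYN/ACK that hits the default deny never matched a state, so the
    # SYN that should have created that state did not cross this firewall.
    if entry["tcpflags"] == "SA":
        return "asymmetric_reply"
    src = ipaddress.ip_address(entry["src"])
    allowed = [ipaddress.ip_network(n) for n in pass_sources.get(entry["interface"], [])]
    if not any(src in net for net in allowed):
        return "source_not_in_rules"
    return "blocked_other"


def analyze(log_text: str, pass_sources: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (interface, src, dst, verdict) for every IPv4 TCP line in the log."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        results.append((entry["interface"], entry["src"], entry["dst"], classify(entry, pass_sources)))
    return results


if __name__ == "__main__":
    # Pass rules as described early in the thread: the KSPD interface only allows its own net.
    rules = {"igb2": ["10.62.65.0/24"], "igb1": ["172.17.32.0/21"]}
    for iface, src, dst, verdict in analyze(SAMPLE_LOG, rules):
        print(f"{iface}: {src} -> {dst}: {verdict}")
```

In the constructed sample, the first line reproduces the thread's initial mistake (source 10.62.70.59 is not covered by a pass rule whose source is the 10.62.65.0/24 KSPD net), and the second reproduces the later symptom (a SYN/ACK from 10.62.65.13 blocked on LAN), which a rule change cannot fix because the problem is the path, not the policy.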

June 05, 2025, 05:12:27 PM #8 Last Edit: June 05, 2025, 05:13:59 PM by Shild73
Organization A KSPD
gateway 10.62.65.254

Organization B KSPD
gateway 10.62.65.254

lan gateway 172.17.32.1


Both organizations use a coordinator to communicate with each other via the KSPD channel.

What we are seeing as blocked in the recent log is obviously a response packet from 10.62.65.13. This means that the request packet obviously didn't pass OPNsense.
So possibly it went directly from the KSPD to 10.62.65.13. But this machine uses OPNsense as default gateway and hence sends packets destined to the other building to it.

Your network diagram shows that the KSPD also has an IP in 10.62.65.0/24. Naturally it sends packets destined to 10.62.65.13 directly to the device, but not to OPNsense.
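The reasoning in this post (requests delivered on-link by the KSPD, replies sent through the server's default gateway, so OPNsense sees only one direction) can be checked mechanically by tracing both directions through each device's routing table. The script below is an added example and not from the thread or OPNsense. It models four nodes with longest-prefix-match routing; the addresses 10.62.65.13, 10.62.70.59, 172.17.39.13/21, 172.17.32.1 and 10.62.65.254 come from the thread, while 10.62.65.1 and 10.62.70.1 for the KSPD device are assumed placeholders. The "fixed" topology illustrates one possible resolution, a specific route on the server for 10.62.70.0/24 via the KSPD, which is an assumption and not what the poster ended up doing.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class Node:
    """A host or router: the interface addresses it owns and its routing table."""

    def __init__(self, name: str, addresses: List[str], routes: List[Tuple[str, Optional[str]]]):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        # (prefix, next_hop); next_hop None means the prefix is directly connected
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(n) if n else None)
                       for p, n in routes]

    def lookup(self, dst: IP) -> Optional[Tuple[Net, Optional[IP]]]:
        """Longest-prefix match, the selection rule every IP stack applies."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def owner(nodes: Dict[str, Node], addr: IP) -> Optional[Node]:
    return next((n for n in nodes.values() if addr in n.addresses), None)


def trace(nodes: Dict[str, Node], src_node: str, dst: str, max_hops: int = 8) -> List[str]:
    """List the nodes a packet from src_node to dst traverses, including both ends."""
    dst_ip = ipaddress.ip_address(dst)
    path, cur = [src_node], nodes[src_node]
    for _ in range(max_hops):
        if dst_ip in cur.addresses:
            return path
        route = cur.lookup(dst_ip)
        if route is None:
            raise ValueError(f"{cur.name}: no route to {dst}")
        _, next_hop = route
        nxt = owner(nodes, dst_ip if next_hop is None else next_hop)
        if nxt is None:
            raise ValueError(f"{cur.name}: next hop for {dst} is not reachable on-link")
        path.append(nxt.name)
        cur = nxt
    raise ValueError("hop limit exceeded (routing loop?)")


def firewall_sees_both_directions(nodes: Dict[str, Node], a_node: str, a_ip: str,
                                  b_node: str, b_ip: str, firewall: str) -> Tuple[bool, bool]:
    """(firewall on request path, firewall on reply path); a mismatch is asymmetric routing."""
    return firewall in trace(nodes, a_node, b_ip), firewall in trace(nodes, b_node, a_ip)


def build_topology(server_routes_remote_via_kspd: bool) -> Dict[str, Node]:
    # 10.62.65.1 / 10.62.70.1 on the KSPD device are assumed placeholders.
    server_routes = [
        ("10.62.65.0/24", None),          # second NIC directly on the KSPD segment
        ("172.17.32.0/21", None),         # LAN NIC (172.17.39.13/21)
        ("0.0.0.0/0", "172.17.32.1"),     # default gateway: OPNsense LAN address
    ]
    if server_routes_remote_via_kspd:
        # One way to restore symmetry: reply the way the request came (assumed fix).
        server_routes.insert(0, ("10.62.70.0/24", "10.62.65.1"))
    return {
        "remote": Node("remote", ["10.62.70.59"],
                       [("10.62.70.0/24", None), ("0.0.0.0/0", "10.62.70.1")]),
        "kspd": Node("kspd", ["10.62.70.1", "10.62.65.1"],
                     [("10.62.70.0/24", None), ("10.62.65.0/24", None)]),
        "opnsense": Node("opnsense", ["172.17.32.1", "10.62.65.254"],
                         [("172.17.32.0/21", None), ("10.62.65.0/24", None),
                          ("10.62.70.0/24", "10.62.65.1")]),
        "server": Node("server", ["10.62.65.13", "172.17.39.13"], server_routes),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        nodes = build_topology(fixed)
        print("request:", " -> ".join(trace(nodes, "remote", "10.62.65.13")))
        print("reply:  ", " -> ".join(trace(nodes, "server", "10.62.70.59")))
        print("firewall on (request, reply):",
              firewall_sees_both_directions(nodes, "remote", "10.62.70.59", "server", "10.62.65.13", "opnsense"))
```

In the broken topology the request goes remote -> kspd -> server and the reply goes server -> opnsense -> kspd -> remote, so OPNsense sees the SYN/ACK but never the SYN, exactly the log pattern discussed above. Any fix is acceptable only if the two booleans come out equal: either both directions cross the firewall (so it can keep state) or neither does.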


June 05, 2025, 06:31:53 PM #11 Last Edit: June 05, 2025, 06:34:08 PM by Shild73
Now incoming traffic from IP 10.62.70.59/24 has completely disappeared, there is only outgoing traffic.

This is the only thing that is recorded in the log:

[attached image: log]


> Quote from: Shild73 on June 05, 2025, 06:31:53 PM
> Now incoming traffic from IP 10.62.70.59/24 has completely disappeared, there is only outgoing traffic.

Did you even enable logging in the rule?

June 05, 2025, 07:16:39 PM #14 Last Edit: June 05, 2025, 07:33:37 PM by Shild73
> Quote from: viragomann on June 05, 2025, 05:30:12 PM
> What we are seeing as blocked in the recent log is obviously a response packet from 10.62.65.13. This means that the request packet obviously didn't pass OPNsense.
> So possibly it went directly from the KSPD to 10.62.65.13. But this machine uses OPNsense as default gateway and hence sends packets destined to the other building to it.
>
> Your network diagram shows that the KSPD also has an IP in 10.62.65.0/24. Naturally it sends packets destined to 10.62.65.13 directly to the device, but not to OPNsense.


I disabled the second interface on the server, which was directly connected to 10.62.65.0/24. Only the LAN address 172.17.39.13/21 remained, plus 10.62.65.13 additionally configured on the card.


Another log: [attached image: log]