VPN (Hidemyass) forward not working after reboot

[ralph]

Hello everyone,

I did an extensive forum and Google search, but unfortunately I couldn't find anything similar to my issue.

I'm using OPNsense 17.1.8 as a VPN (Hidemyass) router. Everything works fine, as I can rout specific VLANs through the VPN while other go the direct route. I also have a floating rule that blocks traffic of specific subnets if the connection is down (NOW_WAN_EGRESS) opposed to using the direct WAN interface (default behaviour).

Anyhow, my problem is that, if I reboot he OPNsense VM, I need to manually either restart the OpenVPN connection or reload the firewall filters to have internet access again. I think it has something to do with the timing during boot, that the rule assining the VPN gateway is ignored till reloaded.

Has anyone of you experienced similar behaviour?
Any help is appreciated.

Cheers,
Ralph

NAT rules:

Code: [Select]

no nat proto carp all
nat on ovpnc1 inet from 127.0.0.0/8 to any port = isakmp -> 100.120.185.141 static-port
nat on ovpnc1 inet from 127.0.0.0/8 to any -> 100.120.185.141 port 1024:65535
nat on ovpnc1 inet from 192.168.0.0/16 to any port = isakmp -> 100.120.185.141 static-port
nat on ovpnc1 inet from 192.168.0.0/16 to any -> 100.120.185.141 port 1024:65535
nat on em1 inet from <tonatsubnets> to any port = isakmp -> 192.168.10.100 static-port
nat on em1 inet from <tonatsubnets> to any -> 192.168.10.100 port 1024:65535
no rdr proto carp all
no rdr on em0 proto tcp from any to (em0) port = https
no rdr on em0 proto tcp from any to (em0) port = http
no rdr on em0 proto tcp from any to (em0) port = ssh

Firewall rules:

Code: [Select]

no nat proto carp all
nat on ovpnc1 inet from 127.0.0.0/8 to any port = isakmp -> 100.120.185.141 static-port
nat on ovpnc1 inet from 127.0.0.0/8 to any -> 100.120.185.141 port 1024:65535
nat on ovpnc1 inet from 192.168.0.0/16 to any port = isakmp -> 100.120.185.141 static-port
nat on ovpnc1 inet from 192.168.0.0/16 to any -> 100.120.185.141 port 1024:65535
nat on em1 inet from <tonatsubnets> to any port = isakmp -> 192.168.10.100 static-port
nat on em1 inet from <tonatsubnets> to any -> 192.168.10.100 port 1024:65535
no rdr proto carp all
no rdr on em0 proto tcp from any to (em0) port = https
no rdr on em0 proto tcp from any to (em0) port = http
no rdr on em0 proto tcp from any to (em0) port = ssh
root@walt:~ # pfctl -sr
scrub on em0_vlan6 all fragment reassemble
scrub on ovpnc1 all fragment reassemble
scrub on em0 all fragment reassemble
scrub on em0_vlan3 all fragment reassemble
scrub on em0_vlan4 all fragment reassemble
scrub on em0_vlan2 all fragment reassemble
scrub on em0_vlan5 all fragment reassemble
scrub on em1 all fragment reassemble
block drop in on ! em0_vlan6 inet from 192.168.6.0/24 to any
block drop in inet from <__automatic_da9133ac_0> to any
block drop in on ! ovpnc1 inet from 100.120.184.0/21 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in on ! em0_vlan3 inet from 192.168.3.0/24 to any
block drop in on ! em0_vlan4 inet from 192.168.4.0/24 to any
block drop in on ! em0_vlan2 inet from 192.168.2.0/24 to any
block drop in on ! em0_vlan5 inet from 192.168.5.0/24 to any
block drop in on ! em1 inet from 192.168.10.0/24 to any
block drop in on em0_vlan6 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0_vlan3 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0_vlan4 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0_vlan2 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on em0_vlan5 inet6 from fe80::8478:cdff:fe7a:120b to any
block drop in on ovpnc1 inet6 from fe80::14b0:6c70:affa:3ca to any
block drop in on em1 inet6 from fe80::dc04:2dff:fe0b:e033 to any
block drop in inet all label "Default deny rule"
block drop in inet6 all label "Default deny rule"
pass in quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
block drop in quick inet proto tcp from any port = 0 to any
block drop in quick inet proto tcp from any to any port = 0
block drop in quick inet proto udp from any port = 0 to any
block drop in quick inet proto udp from any to any port = 0
block drop in quick inet6 proto tcp from any port = 0 to any
block drop in quick inet6 proto tcp from any to any port = 0
block drop in quick inet6 proto udp from any port = 0 to any
block drop in quick inet6 proto udp from any to any port = 0
pass in quick proto carp all keep state
block drop in quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
block drop in quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in quick on em1 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in quick on em1 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
block drop in quick on em1 inet from 10.0.0.0/8 to any label "Block private networks from WAN"
block drop in quick on em1 inet from 127.0.0.0/8 to any label "Block private networks from WAN"
block drop in quick on em1 inet from 100.64.0.0/10 to any label "Block private networks from WAN"
block drop in quick on em1 inet from 172.16.0.0/12 to any label "Block private networks from WAN"
block drop in quick on em1 inet from 192.168.0.0/16 to any label "Block private networks from WAN"
block drop in quick on em1 inet6 from fc00::/7 to any label "Block private networks from WAN"
pass in quick on em0_vlan6 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan6 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan6 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass out quick on em0 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server on INFRASTRUCTURE"
pass in quick on em0_vlan3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan3 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan3 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0_vlan4 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan4 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan4 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0_vlan2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan2 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan2 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on em0_vlan5 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0_vlan5 proto udp from any port = bootpc to (self) port = bootps keep state label "allow access to DHCP server"
pass out quick on em0_vlan5 proto udp from (self) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on em1 proto udp from any port = bootps to any port = bootpc keep state label "allow DHCP client on WAN"
pass out on em1 proto udp from any port = bootpc to any port = bootps keep state label "allow DHCP client on WAN"
pass in quick on lo0 all flags S/SA keep state label "pass loopback"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em0 proto tcp from any to (self) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 proto tcp from any to (self) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 proto tcp from any to (self) port = ssh flags S/SA keep state label "anti-lockout rule"
pass out route-to (ovpnc1 255.255.248.0) inet from (ovpnc1) to ! (ovpnc1:network) flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em1 192.168.10.1) inet from (em1) to ! (em1:network) flags S/SA keep state allow-opts label "let out anything from firewall host itself"
block return out quick on em1 reply-to (em1 192.168.10.1) inet all label "USER_RULE: Reject outbound traffic marked NO_WAN_EGRESS" tagged NO_WAN_EGRESS
pass in quick on em0 inet from (em0:network) to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em0 inet6 from (em0:network) to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick on em0_vlan2 inet proto tcp from (em0_vlan2:network) to (em0_vlan2) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan2 inet proto udp from (em0_vlan2:network) to (em0_vlan2) port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan2 inet proto udp from (em0_vlan2:network) to 224.0.0.0/4 keep state allow-opts label "USER_RULE: Multicast messages not through VPN"
block return in quick on em0_vlan2 inet from 192.168.2.0/25 to ! (em0_vlan2:network) label "USER_RULE: Block internet traffic of first half of subnet"
pass in quick on em0_vlan2 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan2:network) to any flags S/SA keep state label "USER_RULE: Any WAN traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
pass in quick on em0_vlan3 inet proto tcp from (em0_vlan3:network) to (em0_vlan3) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan3 inet proto udp from (em0_vlan3:network) to (em0_vlan3) port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan3 inet from (em0_vlan3:network) to 192.168.4.32 flags S/SA keep state label "USER_RULE: Allow access to Plex media server"
pass in quick on em0_vlan3 inet proto udp from (em0_vlan3:network) to (em0_vlan5:network) port 1900:1905 keep state allow-opts label "USER_RULE: Sonos player status updates to controller"
pass in quick on em0_vlan3 inet proto tcp from (em0_vlan3:network) to (em0_vlan5:network) port = 3500 flags S/SA keep state allow-opts label "USER_RULE: Sonos controller commands to player (Android)"
pass in quick on em0_vlan3 inet proto tcp from (em0_vlan3:network) to (em0_vlan5:network) port = 3400 flags S/SA keep state allow-opts label "USER_RULE: Sonos controller commands to player (PC)"
block return in log quick on em0_vlan3 inet from (em0_vlan3:network) to 192.168.0.0/16 label "USER_RULE: Block local networks"
pass in quick on em0_vlan3 inet from (em0_vlan3:network) to any flags S/SA keep state allow-opts label "USER_RULE: Allow traffic to WAN without VPN"
pass in quick on em0_vlan4 inet proto tcp from (em0_vlan4:network) to (em0_vlan4) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan4 inet proto udp from (em0_vlan4:network) to (em0_vlan4) port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan4 inet from (em0_vlan4:network) to (em0_vlan2:network) flags S/SA keep state label "USER_RULE: Allow traffic to smart home appliances (SHA)"
pass in quick on em0_vlan4 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan4:network) to any flags S/SA keep state label "USER_RULE: All traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
pass in quick on em0_vlan5 inet proto tcp from (em0_vlan5:network) to (em0_vlan5) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan5 inet proto udp from (em0_vlan5:network) to (em0_vlan5) port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan5 inet from (em0_vlan5:network) to 255.255.255.255 flags S/SA keep state allow-opts label "USER_RULE: Multicast not through VPN"
pass in quick on em0_vlan5 inet from (em0_vlan5:network) to 224.0.0.0/4 flags S/SA keep state allow-opts label "USER_RULE: Multicast messages not through VPN"
pass in quick on em0_vlan5 inet from (em0_vlan5:network) to 192.168.0.0/16 flags S/SA keep state label "USER_RULE: Allow inter-VLAN traffic"
pass in quick on em0_vlan5 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan5:network) to any flags S/SA keep state label "USER_RULE: Any WAN traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS
pass in quick on em0_vlan6 inet proto tcp from (em0_vlan6:network) to (em0_vlan6) port = domain flags S/SA keep state label "USER_RULE: Allow DNS"
pass in quick on em0_vlan6 inet proto udp from (em0_vlan6:network) to (em0_vlan6) port = domain keep state label "USER_RULE: Allow DNS"
block return in log quick on em0_vlan6 inet from (em0_vlan6:network) to 192.168.0.0/16 label "USER_RULE: Block Local Networks"
pass in quick on em0_vlan6 route-to (ovpnc1 255.255.248.0) inet from (em0_vlan6:network) to any flags S/SA keep state label "USER_RULE: Any WAN traffic through VPN (NO_WAN_EGRESS)" tag NO_WAN_EGRESS