Author Topic: Traffic between interfaces  (Read 1607 times)

jennifer.cruize98
Traffic between interfaces
« on: July 17, 2023, 01:58:22 pm »
My network is as follows:

OpenVPN network OPT1 (10.8.0.1) <--> (10.8.0.2) OPNsense <--> (192.168.2.254) LAN Network

I'm trying to ping/access the 192.168.2.0/24 network from the Linux machine on 10.8.0.1. I can ping 10.8.0.2 and 192.168.1.1 (WAN GW), but I can't seem to figure out how to reach the other.

I tried doing an outbound NAT to force anything on 10.8 not going to 10.8 to go to 192.168, by firewall and by GW, but no luck.


bartjsmit
Re: Traffic between interfaces
« Reply #1 on: July 17, 2023, 02:59:51 pm »
No need for NAT internally. Do you have a (floating) rule to allow ICMP?

Check for denies in your firewall log - Firewall: Log Files: Live View, filter on source == 10.8.0.1

Bart...

jennifer.cruize98
Re: Traffic between interfaces
« Reply #2 on: July 17, 2023, 03:05:06 pm »
I created a floating rule to allow ping from any protocol to and from any interface and removed all those NAT rules etc.

Started a ping and I see the successful ping to 10.8.0.2 logged, but I don't see the deny to 192.168.2.254, which confuses me.

bartjsmit
Re: Traffic between interfaces
« Reply #3 on: July 17, 2023, 03:18:57 pm »
Do both endpoints have OPNsense as their DG? If not, you'll need to add a static route on 192.168.2.254 for the return traffic.

jennifer.cruize98
Re: Traffic between interfaces
« Reply #4 on: July 17, 2023, 03:33:30 pm »
By endpoints we mean the Linux server and the OPNsense firewall?

In regards to adding a route, is the following the correct way, if needed?

I had to manually create the LAN GW since it wasn't auto-created.

Thanks Bart!

bartjsmit
Re: Traffic between interfaces
« Reply #5 on: July 17, 2023, 08:38:09 pm »
Quote from: jennifer.cruize98 on July 17, 2023, 03:33:30 pm
By endpoints we mean the Linux server and the OPNsense firewall?

Endpoints would be a host on 192.168.2.0/24 and 10.8.0.2

Try some packet traces to see if you can see the packet going out and the reply going back.

Interfaces: Diagnostics: Packet Capture

What is the routing table on 10.8.0.2 like? Does it have an entry for 192.168.2.0/24 via 10.8.0.1 in there?

ip ro sh on most Linux OSes.

Bart...

jennifer.cruize98
Re: Traffic between interfaces
« Reply #6 on: July 18, 2023, 01:52:04 pm »
192.168.2.0/24 can ping 10.8.0.1 and 10.8.0.2

Looking at the packet capture, I don't see the 192.168.2.0/24 network being mentioned, so my guess is the traffic is never leaving the Linux machine running on 10.8.0.1, which is the OpenVPN network.

On the Linux machine I have:
Code:
ip ro sh
default dev venet0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
public_IP/24 dev venet0 proto kernel scope link src public_IP

So this means I need to have a static route added on OPNsense, correct?

bartjsmit
Re: Traffic between interfaces
« Reply #7 on: July 18, 2023, 09:17:43 pm »
You need a static route for 192.168.2.0/24 via 10.8.0.1 on the Linux machine for the packets to enter the tunnel. Otherwise they will go out via its default gateway.

You can confirm with tcpdump -w on the Linux machine. Analyse the file in Wireshark - https://www.wireshark.org/

jennifer.cruize98
Re: Traffic between interfaces
« Reply #8 on: July 19, 2023, 02:24:28 pm »
Got it. So something like this?

Code:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 venet0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
45.88.168.0     0.0.0.0         255.255.255.0   U     0      0        0 venet0
192.168.2.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0

I ran a ping in one window and then ran the following:

Code:
tcpdump icmp and src 10.8.0.1 and dst 192.168.2.254
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Not sure if I'm going about this the right way.

Patrick M. Hausen
Re: Traffic between interfaces
« Reply #9 on: July 19, 2023, 02:31:47 pm »
Try to add "-n" and "-i <interface>" to the tcpdump command.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
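As an added illustration (not code from the thread), the following Python snippet simulates the kernel's longest-prefix match on the routing table from Reply #6, with and without the static route from Reply #7, and derives the capture command with the -n and -i flags from Reply #9. The public prefix 203.0.113.0/24 is a placeholder for the redacted public_IP/24 entry.

```python
import ipaddress

# Routing table as printed by `ip ro sh` in Reply #6 (constructed copy).
# Each entry: (prefix, next-hop gateway or None for on-link, interface).
ROUTES_BEFORE = [
    ("0.0.0.0/0", None, "venet0"),        # default dev venet0
    ("10.8.0.0/24", None, "tun0"),        # OpenVPN subnet, on-link via tun0
    ("203.0.113.0/24", None, "venet0"),   # placeholder for public_IP/24
]

# Same table after the static route bartjsmit describes in Reply #7.
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.2.0/24", "10.8.0.1", "tun0")]


def lookup(routes, dst):
    """Linux-style longest-prefix match; returns (prefix, gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, iface), net.prefixlen
    return best


def egress_iface(routes, dst):
    """Interface the kernel would send a packet to dst out of."""
    route = lookup(routes, dst)
    return route[2] if route else None


def tcpdump_cmd(routes, src, dst):
    """Capture on the interface actually used, with name resolution disabled.

    Reply #8 captured on venet0 and saw nothing because, once the static
    route exists, ICMP to 192.168.2.254 leaves via tun0 instead.
    """
    iface = egress_iface(routes, dst)
    return f"tcpdump -n -i {iface} icmp and src {src} and dst {dst}"


if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(name, "->", lookup(table, "192.168.2.254"))
    print(tcpdump_cmd(ROUTES_AFTER, "10.8.0.1", "192.168.2.254"))
```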
