OpenVPN-Client: Firewall rules - reply-to missing for ipv4 rules #3783

Closed
uhelmig opened this issue Oct 25, 2019 · 2 comments
Labels
help wanted Contributor missing / timeout support Community support

Comments

@uhelmig

uhelmig commented Oct 25, 2019

Describe the bug

Incoming connections are not possible, because reply packets are sent out to the wrong gateway.

Relevant log files

root@router:/tmp # grep ovpn rules.debug | grep TEST
pass in quick on ovpnc1 inet from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST
pass in quick on ovpnc1 reply-to ( ovpnc1 2a02:a00:e00f:ffff::1 ) inet6 from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST

Expected behavior

pass in quick on ovpnc1 reply-to ( ovpnc1 188.246.4.1 ) inet from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST
pass in quick on ovpnc1 reply-to ( ovpnc1 2a02:a00:e00f:ffff::1 ) inet6 from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST

Config

  1. Home router with multiple uplink interfaces.
  2. The ovpnc1 interface (openvpn client) is used to get static ip addresses for ipv4 and ipv6.
  3. The ovpnc1 interface is not the default gateway.

Firewall test rule: (screenshot: TestRule)

Gateway setup (ipv4): (screenshot: Gateway_v4)

Gateway setup (ipv6): (screenshot: Gateway_v6)

Environment
OPNsense 19.7.5_5-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2t 10 Sep 2019

Last Working Environment
OPNsense 19.1.10_1-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019
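The report above shows the symptom in the generated pf ruleset: the IPv4 "pass in" rule on ovpnc1 lacks the reply-to clause that the IPv6 rule has, so replies to inbound connections leave via the default route instead of the VPN gateway. The following is an added example, not code from the issue or from the OPNsense project: a small Python checker that parses rules.debug-style lines, reports inbound pass rules on non-default-gateway interfaces that have no reply-to, and shows what the rule would look like with the clause inserted. The sample ruleset, the wan0 line and the GATEWAYS table are constructed for this example (the ovpnc1 addresses are the ones quoted in the report); in a real deployment the gateway map would come from the firewall's gateway configuration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in the rules.debug format quoted in the issue.
# The wan0 line and its label are made up; the ovpnc1 lines mirror the report.
SAMPLE_RULES = """\
pass in quick on wan0 inet from {any} to {any} keep state label "deadbeef" # : WAN
pass in quick on ovpnc1 inet from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST
pass in quick on ovpnc1 reply-to ( ovpnc1 2a02:a00:e00f:ffff::1 ) inet6 from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST
"""

# Hypothetical gateway table: interface -> {address family: gateway address}.
# Embedded here so the example runs offline.
GATEWAYS: Dict[str, Dict[str, str]] = {
    "ovpnc1": {"inet": "188.246.4.1", "inet6": "2a02:a00:e00f:ffff::1"},
}

# Matches "pass in [quick] on <iface> [reply-to ( <iface> <gw> )] inet|inet6 ..."
RULE_RE = re.compile(
    r"^pass\s+in\s+(?:quick\s+)?on\s+(?P<iface>\S+)\s+"
    r"(?:reply-to\s+\(\s*(?P<rt_iface>\S+)\s+(?P<rt_gw>\S+)\s*\)\s+)?"
    r"(?P<family>inet6?)\b(?P<rest>.*)$"
)
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def parse_rule(line: str) -> Optional[dict]:
    """Parse one inbound pass rule; return None for any other line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    label = LABEL_RE.search(line)
    return {
        "iface": m.group("iface"),
        "family": m.group("family"),
        # (interface, gateway) when reply-to is present, else None
        "reply_to": (m.group("rt_iface"), m.group("rt_gw")) if m.group("rt_gw") else None,
        "label": label.group(1) if label else "",
    }


def find_missing_reply_to(rules_text: str, non_default_ifaces: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (iface, family, label) for each inbound pass rule on an interface
    that is not the default gateway and that carries no reply-to clause.
    Replies matched by such a rule follow the default route, which is the
    failure mode described in the issue."""
    ifaces = set(non_default_ifaces)
    found = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule["iface"] in ifaces and rule["reply_to"] is None:
            found.append((rule["iface"], rule["family"], rule["label"]))
    return found


def add_reply_to(line: str, gateways: Dict[str, Dict[str, str]]) -> str:
    """Insert 'reply-to ( <iface> <gw> )' before the address-family keyword
    when the rule lacks it and a gateway for that interface and family is
    known. Lines that already have reply-to, or are not inbound pass rules,
    are returned unchanged. This rewrites rule text only; the real fix
    belongs in the rule generator."""
    stripped = line.strip()
    m = RULE_RE.match(stripped)
    if not m or m.group("rt_gw"):
        return line
    gw = gateways.get(m.group("iface"), {}).get(m.group("family"))
    if gw is None:
        return line
    clause = f"reply-to ( {m.group('iface')} {gw} ) "
    # With no reply-to matched, the family keyword directly follows the
    # interface, so the clause goes right in front of it.
    pos = m.start("family")
    return stripped[:pos] + clause + stripped[pos:]


def fix_ruleset(rules_text: str, gateways: Dict[str, Dict[str, str]]) -> str:
    """Apply add_reply_to to every line and return the rewritten ruleset."""
    return "\n".join(add_reply_to(l, gateways) for l in rules_text.splitlines())


if __name__ == "__main__":
    for iface, family, label in find_missing_reply_to(SAMPLE_RULES, {"ovpnc1"}):
        print(f"missing reply-to: iface={iface} family={family} label={label}")
    print(fix_ruleset(SAMPLE_RULES, GATEWAYS))
```

Only inbound stateful rules are checked: pf applies reply-to to the state created by a "pass in ... keep state" rule, while outbound policy routing uses route-to, so a checker that flagged "pass out" rules would produce false positives. Interfaces that are the default gateway are excluded on purpose, since replies there already take the right path.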

@AdSchellevis AdSchellevis added the support Community support label Oct 26, 2019
@Optic00

Optic00 commented Mar 15, 2020

I have the same issue, just with a GRE tunnel instead. DNAT is working and I can route clients over that tunnel. It is just the firewall itself that is not able to respond to ping, provide ssh/web access etc. over such a tunneled IPv4.

I will add a more detailed description as soon as i find more time.

Edit: it seems to be a FreeBSD/pf issue according to netgate forums.

@AdSchellevis

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

@AdSchellevis AdSchellevis added the help wanted Contributor missing / timeout label May 18, 2020