Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shared Forwarding collection #38

Closed
mimugmail opened this issue May 6, 2019 · 6 comments
Closed

Shared Forwarding collection #38

mimugmail opened this issue May 6, 2019 · 6 comments
Assignees
@fichtner
Labels
bug Production bug

Comments

@mimugmail
Copy link
Member

To better track down shared forwarding (SF) issues popping up the last days/weeks, I'll create this issue to get a better overview since most of them are here but also one in the forums:

I'll now try to reproduce where possible ... anyone who wants to jump in, very welcome :)
New problem descriptions please in separate issues as this one only collects them.
@mimugmail
Copy link
Member Author

https://github.com/opnsense/core/issues/3424 : Created a HE tunnel at tunnelbroker, followed https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html and added a policy route for 2a02:2e0:3fe:1001:7777:772e:2:85 via HE gateway. Surfing on www.heise.de (this IP) doesn't go via gif0. After disabling SF and clicking refresh it's travelling via the tunnel.

@fichtner fichtner self-assigned this May 6, 2019
@fichtner fichtner transferred this issue from opnsense/core May 6, 2019
@fichtner fichtner added the bug Production bug label May 6, 2019
@fichtner
Copy link
Member

fichtner commented May 6, 2019

Does this work on 18.7 ?

@mimugmail
Copy link
Member Author

https://forum.opnsense.org/index.php?topic=13397.0

@fichtner fichtner mentioned this issue Jul 13, 2019
Closed
@mimugmail
Copy link
Member Author

Today I had a longer phone call with customer:

WAN1, static IP, default gateway
WAN2, static IP, not default

WAN1 IP, port-forward to internal OpenVPN Server
WAN2 IP, port-forward to internal HTTPS ressource

Both WANs have upstream gateway in Interfaces set.

When I have "assiciated rule" in RDR on both rules, OpenVPN is working but HTTPS replies are sent via WAN1 with source IP of WAN2. When I change in RDR for HTTPS the rule association to just "pass" .. it also works for HTTPS. But only as long as the gateway doesn't change.

I haven't tried disabling shared forwarding as it found this little know limitations I tried to collect. Just for refernce I'm working on this again :)

CC @AdSchellevis maybe you also heard similar things from clients? regarding protforwarding on multiple WANs and replies sent over wrong links?

@AdSchellevis
Copy link
Member

@mimugmail not that I know of, but combinations with policy based routing can lead to complex scenarios (and issues).

@mimugmail
Copy link
Member Author

note to self: Always check if customer set outbound nat with source as any. This will also nat replys from port forwards and won't be seen in tcpdump when dumping for port 1194 e.g.

Sorry for the noise.

I'll also close this issue as I don't have time to dig deeper into shared forwarding.

Anyone can reopen when it pops up again :)

fichtner added a commit that referenced this issue Dec 13, 2019
@fichtner
netinet6: test fix for forward ifp change request
1bf392c 
PR: #38
PR: #39
lattera pushed a commit to BlackhawkNest/opnsense-src that referenced this issue Oct 30, 2020
@fichtner
netinet6: test fix for forward ifp change request
3b8b8f7 
PR: opnsense#38
PR: opnsense#39
(cherry picked from commit 1bf392c)
Signed-off-by: Shawn Webb <swebb@blackhawknest.com>
@wiesel24 wiesel24 mentioned this issue Nov 17, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fichtner fichtner

Labels
bug Production bug
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fichtner @AdSchellevis @mimugmail