opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

OpenVPN-Client: Firewall rules - reply-to missing for ipv4 rules #3783

Closed uhelmig closed 4 years ago

uhelmig commented 4 years ago

Describe the bug

Incoming connections are not possible, because reply packets are sent out to the wrong gateway.

Relevant log files

root@router:/tmp # grep ovpn rules.debug | grep TEST
pass in quick on ovpnc1 inet from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST
pass in quick on ovpnc1 reply-to ( ovpnc1 2a02:a00:e00f:ffff::1 ) inet6 from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST

Expected behavior

pass in quick on ovpnc1 reply-to ( ovpnc1 188.246.4.1 ) inet from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST
pass in quick on ovpnc1 reply-to ( ovpnc1 2a02:a00:e00f:ffff::1 ) inet6 from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST

Config

  1. Home router with multiple uplink interfaces.
  2. The ovpnc1 interface (OpenVPN client) is used to get static IP addresses for IPv4 and IPv6.
  3. The ovpnc1 interface is not the default gateway.

Firewall test rule: TestRule

Gateway setup (ipv4): Gateway_v4

Gateway setup (ipv6): Gateway_v6

Environment OPNsense 19.7.5_5-amd64 FreeBSD 11.2-RELEASE-p14-HBSD OpenSSL 1.0.2t 10 Sep 2019

Last Working Environment OPNsense 19.1.10_1-amd64 FreeBSD 11.2-RELEASE-p10-HBSD OpenSSL 1.0.2s 28 May 2019
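As an added check, not code from this issue or from OPNsense itself, the script below scans lines in the format of /tmp/rules.debug and flags inbound rules on a non-default-gateway interface that carry no reply-to, which is exactly the IPv4/IPv6 mismatch shown above. The sample lines and the set of non-default-gateway interfaces are constructed assumptions.

```python
import re

# Constructed sample in the format of OPNsense's /tmp/rules.debug: the IPv4
# rule for the TEST label lacks reply-to while the IPv6 rule has it.
RULES_DEBUG = """\
pass in quick on ovpnc1 inet from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST
pass in quick on ovpnc1 reply-to ( ovpnc1 2a02:a00:e00f:ffff::1 ) inet6 from {any} to {any} keep state label "32273dd1f8b82e57651fe5c3febf18a3" # : TEST
pass in quick on wan inet from {any} to {any} keep state label "deadbeef" # : WAN_OK
"""

# Matches "pass in quick on <iface> [reply-to ( <iface> <gw> )] inet|inet6 ... label "<label>""
RULE_RE = re.compile(
    r'^pass\s+in\s+quick\s+on\s+(?P<iface>\S+)\s+'
    r'(?:reply-to\s+\(\s*(?P<rt_iface>\S+)\s+(?P<rt_gw>\S+)\s*\)\s+)?'
    r'(?P<af>inet6?)\b.*?label\s+"(?P<label>[^"]+)"'
)

def parse_rule(line):
    """Return a dict for one 'pass in quick' rule line, or None if it does not match."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {
        "iface": m.group("iface"),
        "af": m.group("af"),
        "label": m.group("label"),
        "reply_to": (m.group("rt_iface"), m.group("rt_gw")) if m.group("rt_gw") else None,
    }

def find_missing_reply_to(text, non_default_ifaces):
    """Return (label, iface, af) for inbound rules on a non-default-gateway
    interface that have no reply-to; replies to such states would leave via
    the default route instead of the interface the packet arrived on."""
    missing = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["iface"] not in non_default_ifaces:
            continue
        if rule["reply_to"] is None:
            missing.append((rule["label"], rule["iface"], rule["af"]))
    return missing

if __name__ == "__main__":
    # "ovpnc1" is the assumed non-default-gateway interface from this report.
    for label, iface, af in find_missing_reply_to(RULES_DEBUG, {"ovpnc1"}):
        print(f"{af} rule {label} on {iface}: no reply-to, replies use the default gateway")
```

On a live box, feed it the output of `grep 'pass in quick' /tmp/rules.debug` and the interfaces that are not your default gateway.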

Optic00 commented 4 years ago

I have the same issue, just with a GRE tunnel instead. DNAT is working and I can route clients over that tunnel. It is just the firewall itself that is not able to respond to ping, provide ssh/web access, etc. over such a tunneled IPv4.

I will add a more detailed description as soon as i find more time.

Edit: it seems to be a FreeBSD/pf issue according to netgate forums.

AdSchellevis commented 4 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.