I have an OPNsense device with an IPsec VPN to a remote site, which works fine. All traffic from the LAN should go through the VPN, so I configured the Phase 2 like this:

  • Local Subnet: LAN network
  • Remote Subnet: 0.0.0.0/0

All traffic from my LAN now goes into the tunnel. However, this means that even IP packets to the firewall itself are routed through the VPN. I can see them on the remote gateway, where they are dropped (obviously). As a consequence, I cannot reach the OPNsense web UI from my LAN interface anymore. Other interfaces keep working as expected.

How can I prevent OPNsense from sending traffic that is destined directly to its own interfaces into the VPN tunnel?

My first idea was to add a static route, but I am unsure if that would be possible, as there is no next hop.

Please note that this is not a question about regaining access to the management UI, I know how to do that. What I want to do is allow access from the LAN, while other LAN traffic is sent into the tunnel.

Andrew Schulman
Hexaholic

1 Answer

You are on the right track with the static route idea. Routes are prioritized based on how specific they are.

0.0.0.0/0 is the most generic and should always be evaluated last.

I would suggest setting a route that matches the remote network instead of just 0.0.0.0/0. Something like 10.2.0.0/16 or whatever matches your networks. You can also create one for the local network like 10.1.0.0/16 (or whatever) to make sure it can connect to local devices.

Andrew
What would be the next hop for the local network? It is directly connected to the device, so there is no other router on the LAN. – Hexaholic Feb 27 '18 at 07:58
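The answer rests on longest-prefix matching: a route for a more specific prefix wins over 0.0.0.0/0 regardless of the order the routes were added. The following Python script is an added illustration of that selection rule, not code from the question or the answer; the routing table in it is constructed (10.1.0.0/24 as the LAN, 10.2.0.0/16 as the remote site, and the firewall's own LAN address 10.1.0.1 are assumed values). It models only routing-table lookup; a policy-based IPsec setup additionally matches packets against its security policy selectors, which is a separate step from route selection.

```python
import ipaddress

# Constructed routing table (assumed addresses, not taken from the post).
# Entries are deliberately listed with the default route first to show
# that insertion order does not matter, only prefix length does.
ROUTES = [
    ("0.0.0.0/0", "IPsec tunnel (Phase 2 remote subnet 0.0.0.0/0)"),
    ("10.2.0.0/16", "IPsec tunnel (remote site)"),
    ("10.1.0.0/24", "directly connected (LAN interface)"),
]

FIREWALL_LAN_ADDR = "10.1.0.1"   # assumed LAN address of the OPNsense box


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match.

    Returns (prefix, next_hop) of the most specific route whose prefix
    contains dst, or None if no route matches.
    """
    ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    if best_net is None:
        return None
    return (str(best_net), best_hop)


def evaluation_order(routes=ROUTES):
    """Prefixes in the order a longest-prefix-match lookup effectively
    considers them: most specific first, 0.0.0.0/0 last."""
    nets = sorted(
        (ipaddress.ip_network(p) for p, _ in routes),
        key=lambda n: n.prefixlen,
        reverse=True,
    )
    return [str(n) for n in nets]


def goes_into_tunnel(dst, routes=ROUTES):
    """True if the selected route sends dst through the IPsec tunnel."""
    match = route_lookup(dst, routes)
    return match is not None and match[1].startswith("IPsec tunnel")


if __name__ == "__main__":
    print("Evaluation order:", evaluation_order())
    for dst in (FIREWALL_LAN_ADDR, "10.1.0.50", "10.2.7.7", "8.8.8.8"):
        prefix, hop = route_lookup(dst)
        print(f"{dst:>12} -> {prefix:<14} {hop}")
```

With the constructed table, traffic to the firewall's LAN address and to other LAN hosts selects the directly connected /24, traffic to the remote site selects the /16, and everything else falls through to 0.0.0.0/0. A directly connected prefix has no next-hop router, which is the point the comment raises: the interface itself is the "next hop" for that route.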