OpenVPN outbound policy ignored?

stego · July 14, 2021, 6:24pm

Thought I had everything working… but noticed all my clients were getting routed to the OpenVPN WAN interface, despite my outbound policy rule having a mac address filtered source to a particular device.

I also had a vlan rule, and another mac address source rule defined, until I noticed other devices in active sessions getting tied to OpenVPN interface.

Even after disabling the rules, my iphone was still going through the OpenVPN wan.

Disconnecting the OpenVPN Wan client restores access to default WAN.

Known issue? Or something I’m missing? I am running f/w 8.1.2 on B20x.

Edit: outbound rules managed in InControl

TK_Liew · July 15, 2021, 12:06am

Please confirm whether your phone is using private MAC address. You may need to observe whether the MAC address of your phone will be changed. This can be observe at Status > Client List.

I even notice this was available in Windows machine.

stego · July 15, 2021, 5:25am

Hi @TK_Liew ,

Just found the source of the issue. I never checked the default HTTPS_Persistence outboud rule which is added at the bottom by default.

It was set to persistence algorithgm with load distribution of “any”.

So any client not matching my OpenVPN rule, was getting assigned to either WAN or OpenVPN Wan .

I have set HTTPS_persistence rule to enforced to WAN… seems like balance has been restored.

Edit: The https_persistence rule should be any protocol… basically send all traffic to WAN… I dont load balance anything.

I was still seeing active sessions trickling in through OpenVPN WAN

TK_Liew · July 15, 2021, 10:20pm

You may reboot the Balance 20X. If you still see the unexpected traffic goes into the OpenVPN WAN after the reboot, please open ticket for us to check.

Thanks.

stego · July 16, 2021, 7:22am

Thanks @TK_Liew

After properly configuring my outbound policy rules, active sessions was cleaned up and only showing properly connected devices on the OPenVPN wan interface.