Thank you, almdandi.
For example, if you add a static route on the host that forwards traffic for 192.168.0.0/24 directly to the VPN server (192.168.88.3), the problem will be gone.
No, I can't add static route on almost every Remote site host: too many places to maintain, and there are WiFi-connected personal mobile devices as well.
The easiest way to fix this would be to exclude the traffic to 192.168.0.0/24 from the firewall rule.
Yes, adding this before other 'forward' rules fixes my issue:
Code:
6 ;;; allow any traffic to remote LANs behind VPN chain=forward action=accept dst-address-list=192.168.0.0/20 in-interface-list=LAN log=no log-prefix=""
Switched to this solution and disabled use-ip-firewall.
But I now strongly dislike the fact that LAN–tunnel traffic is being routed asymmetrically. Is there any way to "bridge" traffic with dst-addr in 192.168.0.0/20 to a specific ethernet port? And bypass conntracking, firewall, etc. for such traffic entirely?
Statistics: Posted by andreyn — Mon Apr 01, 2024 12:53 pm
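The post asks whether the LAN-to-tunnel traffic can bypass connection tracking entirely. RouterOS has a raw table whose notrack action does exactly that, so here is an added example (not from the post or its replies) of how it fits together with the accept rule quoted above. It assumes the tunnel interface is in an interface list named VPN and that the local LAN is 192.168.88.0/24 (inferred from the 192.168.88.3 server address); the LAN interface list and the 192.168.0.0/20 remote prefix are the ones from the post.

```routeros
# Added example: exempt LAN <-> remote-LAN traffic from connection tracking.
# Assumed names: interface list VPN (not in the post), local LAN 192.168.88.0/24.
# Interface list LAN and the remote prefix 192.168.0.0/20 come from the post.
/ip firewall raw
add chain=prerouting action=notrack in-interface-list=LAN \
    dst-address=192.168.0.0/20 \
    comment="do not track LAN -> remote LANs behind VPN"
add chain=prerouting action=notrack in-interface-list=VPN \
    src-address=192.168.0.0/20 dst-address=192.168.88.0/24 \
    comment="do not track remote LANs -> LAN (return path)"

# Packets skipped by the raw table carry connection-state=untracked, so no
# established/related rule will ever match them. They need an explicit accept
# placed before any connection-state=invalid drop in the forward chain.
/ip firewall filter
add chain=forward action=accept connection-state=untracked \
    comment="allow untracked LAN <-> remote LAN traffic" place-before=0
```

Because these packets never enter conntrack, src-nat/masquerade and any connection-state based rules no longer apply to them in either direction, which is the intended effect for asymmetric LAN-to-LAN paths but worth confirming against the rest of the NAT and filter configuration.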