Hello
I’m currently trying to route all internet traffic from P2S clients to an OPNsense firewall in Azure using the Azure VPN gateway, but I can’t seem to get the routing right.
What I’ve done so far:
Advertised 0.0.0.0/0 to the clients, and I can see it on the clients.
Added a route to the route table associated with the firewall subnet, saying anything to 0.0.0.0/0 hops to the virtual appliance’s private IP.
Enabled IP forwarding and NAT on the firewall.
Is there something I’m missing? I can’t see a route table on the gateway, but from what I’ve read it says not to assign 0.0.0.0/0 there anyway.
Any help would be appreciated.
Try adding UDRs for the P2S network directly instead of 0.0.0.0/0.
On the gateway subnet, don’t add a 0.0.0.0/0 route, add all the networks pointing to the NVA. Something like:
10.10.10.0/24 > NVA
10.10.20.0/24 > NVA
On the subnet the NVA resides in, you need to add a UDR pointing back to the P2S network. I can’t remember off the top of my head, but I think the next hop is VirtualNetworkGateway. The NVA can only route to one VNG in the VNet it resides in. If it’s in a different VNet, it’s using BGP via another VNG (don’t quote me on this, I’m fuzzy on the details, but I’ve accomplished what you are attempting to do).
My set up was:
1 hub VNet with NVA and VNG
2 spoke VNets, one had a VNG and the other did not.
1 on-prem site connected to the VNG in the hub VNet.
It was a mix of BGP and setting UDRs in all of the VNets. I had to be very specific and add UDRs for the P2S VPN networks on ALL the VNets; using 0.0.0.0/0 won’t work. Setting up NSGs to accept the traffic was also necessary. I had all P2S traffic going through the NVA except Internet traffic. I think you need to use NSG flow logs to get insight into that, or DNS logs.
Okay, this looks more fun than what the docs say it should be.
So, to clarify, on the Gateway subnet I should just add the route for each network address I want to route. If they want to go to google.com, for example, I can’t route this traffic under the catch-all of 0.0.0.0/0; I would have to put in all the ranges they may use.
I’ve got the internal stuff all routing fine to where I want it to go; it’s just the generic internet traffic.
With pointing back, how does that work on a route? Is it just the destination of the P2S client internal IP, so something like NVA < 10.100.10.0/24 back to the gateway? Is that roughly correct? I can test it all out to confirm.
Ah okay, I was also looking for a tool in Azure that shows me where it is failing so I can fix it :D Hopefully NSG flow logs or DNS logs do the trick.
Thank you
Yep, on the NVA subnet you need a route back to the P2S network.
The gateway subnet should have a route to 0.0.0.0/0 > Internet by default.
The gateway subnet should have routes to all your private networks going to the NVA.
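As an added illustration of the two route tables the replies above describe (not code from either poster), here is a Bicep template for a hub VNet: the GatewaySubnet table sends specific private prefixes to the NVA with no 0.0.0.0/0 entry, and the NVA subnet table sends the P2S client pool back to the VPN gateway. The spoke prefixes are the ones from the reply, the P2S pool is the one from the OP's question, and the NVA private IP and table names are assumptions.

```bicep
// Added example, not from the thread. Assumes a hub VNet that already
// holds the VPN gateway (in GatewaySubnet) and the OPNsense NVA.
param location string = resourceGroup().location
param nvaPrivateIp string                      // assumption: NVA's private IP, e.g. '10.0.1.4'
param spokePrefixes array = [                  // private networks from the reply
  '10.10.10.0/24'
  '10.10.20.0/24'
]
param p2sClientPool string = '10.100.10.0/24'  // P2S address pool from the OP's example

// Route table for GatewaySubnet: one route per private prefix > NVA.
// Deliberately no 0.0.0.0/0 route here; Internet stays the default next hop
// and BGP propagation stays enabled (required on GatewaySubnet).
resource gwRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet'                     // assumption: table name
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [for (prefix, i) in spokePrefixes: {
      name: 'private-${i}-to-nva'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: nvaPrivateIp
      }
    }]
  }
}

// Route table for the NVA's subnet: return path for P2S clients.
// Next hop VirtualNetworkGateway hands the traffic back to the VPN gateway
// in the same VNet, which is the only VNG the NVA can route to directly.
resource nvaRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-nvasubnet'                         // assumption: table name
  location: location
  properties: {
    routes: [
      {
        name: 'p2s-clients-to-vng'
        properties: {
          addressPrefix: p2sClientPool
          nextHopType: 'VirtualNetworkGateway'
        }
      }
    ]
  }
}
```

After deployment, associate each table with its subnet (for example `az network vnet subnet update --route-table rt-gatewaysubnet --name GatewaySubnet ...`), and remember the NSGs on the NVA subnet still have to permit the P2S pool in both directions.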