No access or communication for servers beyond the firewall

Started by krunnal, November 10, 2016, 06:00:29 PM

Hi,

We are new to OPNsense. We installed OPNsense and have set up the WAN and LAN interfaces. I can get the GUI via LAN and also managed to enable the web GUI, but that's pretty much all we have managed to do.

We are just not able to ping the servers connected behind pfSense. To give an overview:

A public IP is associated with the WAN (which I can access remotely). The LAN interface is connected to a switch. There are multiple machines attached to the switch, each with a public IP. We want to access these machines via RDP or any other possible means, but it seems pfSense is blocking all requests.

Our current firewall rules are all open; attached image below.


Any reason why you're not using DNAT for the internal hosts? If the reason is name resolution, look at split DNS.

Bart...

Hi Bart

Thanks for the quick response. Actually that's how we started, hoping it would be pretty straightforward, but it didn't work, so we started working backwards trying to make it simpler, until we reached a stage where we are looking to at least manage a ping while keeping all rules open. Once we get this we plan to build on it. Right now we just can't pinpoint the issue. I thought it must be the switch the LAN interface is connected to, but I can ping and connect to my machines from the internal network, so I'm sure it's not the switch.
For WAN, I can connect to my OPNsense UI remotely. So that part is OK, I guess.

Based on the attached image of the rule set, am I missing something? Thanks again.

Do you actually have any DNS server(s) configured on your LAN or on the firewall?

You really do not want your firewall UI open to the internet; at the very least that's foolhardy and a security risk.
Regards


Bill


Yes for DNS. It's configured.

Actually, the UI option is temporary, as I can work on OPNsense remotely to set up a dummy environment to test the network design before we go live.

If your firewall interface is accessible from the WAN, you may have the LAN and WAN interfaces mixed up. OPNsense's web interface should only be accessible on the LAN interface. As Bill said, having it accessible from the internet is a bad idea.

For safety, keep the WAN interface down and ensure that you can reach the web configuration from internal clients on an RFC 1918 range using the LAN interface. Then enable the WAN connection and confirm you can ping 8.8.8.8 from the firewall and internal clients before setting up port forwarding.

Bart...

Hi, an update based on previous inputs.

We checked the Dashboard; the IPs assigned to WAN and LAN seem correct. Just to cross-check though, we interchanged the cables, but then we were not able to access the GUI through LAN. So I am assuming the current interfaces are fine.

Regarding the testing, we used the "Interfaces: Diagnostics: Ping>>" option to check the pings. We were able to ping from:

WAN to outside IP
LAN to outside IP
Local + Default to outside IP

But when we tried to ping the web server that is behind the firewall, the ping failed for all of the above options.

For testing, a private IP was assigned to a server behind the firewall. We were able to ping:
Default to Private IP
LAN to Private IP

Thanks


Hi,

Can anybody guide us on this, give us some direction? We are not able to ping the server behind the firewall.

Not sure how you test them, because there are some caveats around that. From exactly where to where do you test the connection? Just to avoid typical pitfalls.